[bsteo]

POSCardStealer.F in attach (Alina 3.1)
https://www.virustotal.com/file/8f53c8c ... 360243742/

Still no idea about its POST variable "ldata" encryption? First layer looks like HEX, second could be RC4, XOR...

[bsteo]

This is the encrypted string part that always repeat itself in the "ldata" POST variable or POSCardSrealer (aka Alina) "f0c2c5d8dfcac7c7c8c3cec8c0919a" is in the header of the data, could be the decryption key? Any ideas?

[Xylitol]

like i've says on my blog post, i've not searched but that start at 401c10 on alina 3.4

[Buster_BSA]

An analysis of alina here:

http://myexperimentswithmalware.blogspo ... chive.html

[Xylitol]

Win32/Spy.POSCardStealer.I in attach (Alina)
https://www.virustotal.com/file/4605eb3 ... 360331633/

[Xylitol]

Win32/Spy.POSCardStealer.J (Alina 0.1)
https://www.virustotal.com/file/2907c88 ... 360332488/

[bsteo]

Simple PHP "ldata" POST variable decoder for Alina malware. Credits to Buster_BSA and Xylitol :)

Code: Select all

<?php

$key = 'ab';
$encoded = 'f0c2c5d8dfcac7c7c8c3cec8c0919a9a9c8b979b95f68befcec7cedfcecf8be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7dcc2c586cdc2d9cedccac7c785ced3ce8bcdd9c4c68bc4c7cf8bd8cedfdedb858bcfcec7cedfc2c5cc8bcadedfc4d8dfcad9df85a1f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1ded8c8c3cecf85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f798f49f85ced3cea1';

$binarykey = pack('H*', $key);
$binaryencoded = pack('H*', $encoded);

function xor_decode($binaryencoded, $binarykey) {
  $key_length = strlen($binarykey);
  $result = '';
  $length = strlen($binaryencoded);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $binaryencoded[$i];

    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($binarykey[$j]));
    }

    $result .= $tmp;
  }
  return $result;
}

echo xor_decode($binaryencoded, $binarykey) . "\n";
?>

[Xylitol]

I've found a POS application on a bad guys server, in java and seem from hong-kong but i'm not sure if it's legit or infected there is really alot of code.
https://www.virustotal.com/file/f019eb5 ... 360397589/

[bsteo]

I've found a POS application on a bad guys server, in java and seem from hong-kong but i'm not sure if it's legit or infected there is really alot of code.
https://www.virustotal.com/file/f019eb5 ... 360397589/

Looks like legit POS software. Need to find another and compare if backdoored.

[bsteo]

Found this on a customer's POS. Didn't yet analyse it just looked at the strings. Copies self to other locations, creates autorun record, seems to send mails.
Comodo analysis: http://camas.comodo.com/cgi-bin/submit? ... 327ab79c9e

koaie007@yahoo.com
mail9@l4k3.com
ZbP$(fH4
smtp.l4k3.com
pop.l4k3.com
mail10@l4k3.com
Hw%kidO7
smtp.l4k3.com
pop.l4k3.com

Seems to send mail to "koaie007@yahoo.com" via SMTP "server smtp.l4k3.com" with two credentials. The author/bad guy seems to be Romanian (again!) "koaie" -> "coaie" means "balls" in Romanian.