[bsteo]

Did a little quick work on Chewbacca. Very simple malware, tor proxy and a basic memory parser and keylogger. Gets public IP accessing http://ekiga.net/ip/ (service disabled now), scans memory then sends plain-text base64-encoded data to a PHP panel under a TOR .onion domain to two scripts:
1. sendlog.php <- keylogger data
2. recvdata.php <- track1 / track2 data parsed from processes' memory
data sent in this form:

User-Agent: ChewBacca//%COMPUTERNAME%/%Base64-encoded MAC Address%/18/ADMIN
POST data:
rawdata= base64-encoded track1/track2 found
tmpdata= some base64-encoded data couldn't trigger, maybe track1 then rawdata would be only track2?
procdata= processes running base64-encoded

more will come...

[Blaze]

Two samples attached.

Eset: Win32/Spy.POSCardStealer.R

Thanks to @botherder

[Xylitol]

JackPos, Alina based (at least a bit not fully).
https://www.virustotal.com/en/file/39c1 ... 391721062/
http://vxvault.siri-urz.net/ViriFiche.php?ID=25676
https://www.virustotal.com/en/file/f4b1 ... 391722804/
http://vxvault.siri-urz.net/ViriFiche.php?ID=25680
Domains are burned:
http://vxvault.siri-urz.net/ViriList.ph ... 39.216.155
http://vxvault.siri-urz.net/ViriList.ph ... 123.36.103
http://vxvault.siri-urz.net/ViriList.ph ... 109.68.219

Code: Select all

• dns: 1 ›› ip: 5.39.216.155 - adress: XLIGHTSHOP.COM
• dns: 1 ›› ip: 5.39.216.155 - adress: PRIV8DARKSHOP.COM
• dns: 1 ›› ip: 193.109.68.219 - adress: SOPVPS.HK
• dns: 1 ›› ip: 190.123.36.103 - adress: WWW.CL3AN45U.BIZ

Interesting also: DUMPSLOGS was running exactly the same 'card shop cms' as xlightshop.com
This one is not usual and dumpslog appeared at the time of Alina.

[Xylitol]

Josh Grunzweig did an analysis of this JackTrash and he pointed also numerous bugs, very fun read: http://blog.spiderlabs.com/2014/02/jack ... -wins.html
IntelCrawler have do an article also but it's more 'generic': http://intelcrawler.com/about/press10

[granit12]

Hi,

Dexter author create it?

This is author?

http://64.90.187.223/tstv2/Panel/


/* ===== Primary Styles ========================================================
Author: Boutsakis Vagelis (boutsak@gmail.com)
========================================================================== */
/***********Body *************************/

[bsteo]

I think that's the style of the panel author not Dexter's author.

[rkhunter]

Nemanja POS Botnet

http://intelcrawler.com/intel/nemanja.pdf
http://intelcrawler.com/news-18

[patriq]

Nemanja POS Botnet

http://intelcrawler.com/intel/nemanja.pdf
http://intelcrawler.com/news-18

http://www.kernelmode.info/forum/viewto ... =22&t=3301

oh c'mon..

anyway, does anyone have the sample?
DF0149EC909BE121CF30B61FF3324E81

[nielsgroeneveld]

The Best Of Both Worlds – Soraya
By: Matthew Bing - 06/02/2014
By Matt Bing & Dave Loftus

Arbor Networks’ ASERT has recently discovered a new malware family that
combines several techniques to steal payment card information. Dubbed
Soraya, meaning “rich,” this malware uses memory scraping techniques
similar to those found in Dexter to target point-of-sale terminals.
Soraya also intercepts form data sent from web browsers, similar to the
Zeus family of malware. Neither of these two techniques are new, but we
have not seen them used together in the same piece of malware.

http://www.arbornetworks.com/asert/2014 ... ds-soraya/

Available panel files (password infected) :
hxxp://mega.co.nz/#!d08GwD5J!QLszfsQ3YwkQM4GXbfpS8fS59XlhBl-jzsTXo4noy18

Below analysis of the samples (VirusTotal for samples I don't have, Malwr.com for available samples) -

a95dacba360e45fc03769ea55c546a7b (sample not available)
https://www.virustotal.com/en/file/c1a2 ... /analysis/

1483d0682f72dfefff522ac726d22256 (sample not available)
https://www.virustotal.com/en/file/a776 ... /analysis/

1661aab32a97e56bc46181009ebd80c9
https://malwr.com/analysis/MTRjY2QwYjE5 ... dlY2Q0ZjA/

The following MD5 hashes are associated with the panel files:

1df57b31a4bca7a1c93ecd50bd8fd8bf auth.php
https://malwr.com/analysis/ODIwNjlkYzc4 ... k5Mzc0NTA/

67a6bf5b9b23c6588c756c2f2a74635c bot.php
https://malwr.com/analysis/YmRhZDA2Yjc0 ... gyYjYzMjE/

c3e9d1dda7f1f71b4e1e2ead7c7406dd commands.php
https://malwr.com/analysis/YjQwMGYzNjQw ... MwMDY1M2U/

515232eb815b7bafab57c7cdca437a7a formgrab.php
https://malwr.com/analysis/ZjAxOWU1OTkw ... M3ZGY1NTY/

ff8cc2e792a59d068f35cb3eb2ea69bc funcs.php
https://malwr.com/analysis/OWMwMTBiOTIz ... FlMWJkMzM/

b64ea0c3e9617ccd2f22d8568676a325 /inc/GeoIP.dat
https://malwr.com/analysis/NzE3YTkwYWM5 ... IzMDBlNjc/

d2ba8b27dc886b36e0e8ec10e013d344 /inc/geoip.inc
https://malwr.com/analysis/NmJiODM3ODQ5 ... YyODAyNzI/

c94285b73f61204dcee5614f91aaf206 login.php
https://malwr.com/analysis/ZTcwOTRjYjkz ... dmZWQxOTE/

d9e7f69822821188eac36b82928de2a0 logout.php
https://malwr.com/analysis/MWFiNjdmMWUy ... Y4ZjllMTA/

e5dadfff0bc1f2113fedcf4eb3efd02f settings.php
https://malwr.com/analysis/YmIyZjk4Mjgw ... Q2OGQ1NmU/

22888a7b45adc60593e4fc2fe031be98 statistics.php
https://malwr.com/analysis/ZDkzNmJjNWNl ... YzZGEzMzk/

ecf98e76c99f926e09246b02e53f2533 style.css
https://malwr.com/analysis/Y2ViZGIwZTYw ... E2OGE1ZGY/

3f391740cbbd9623c4dfb19fb203f5bc trackgrab.php
https://malwr.com/analysis/NDkxNzAwM2Jh ... AyYTU1ZTI/

ea9a242932dfa03084db3895cf798be5 viewlog.php
https://malwr.com/analysis/NDA2ZWY3NGYx ... UxNTUzNjg/

[uCares]

Sample 1661aab32a97e56bc46181009ebd80c9 connects to : blog.wordpress-catalog.com/something/bot.php

After nunpacking we can see thet main binary contains two other binaries one x86 one x64

Persistence is very weak, deleting the Run Registry key was enough to get rid of