A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23064  by Xylitol
 Sun Jun 08, 2014 8:25 am
Bunch of POS malware in the attachments (JackPos/Soraya/rdasrv/mmon)...
For SetupX.exe the password of the installer is 'Rome0', and it drops mmon and rdasrv into /system32/
http://vxvault.siri-urz.net/ViriList.ph ... .91.198.91
Code:
Uname: Linux rome0.com 2.6.32-29-pve #1 SMP Thu Apr 24 10:03:02 CEST 2014 i686
$ last -f /var/log/wtmp
reboot   system boot  2.6.32-29-pve    Fri May 16 14:28 - 05:57 (22+15:29)
reboot   system boot  2.6.32-19-pve    Fri May 16 10:26 - 05:57 (22+19:31)
accounts pts/0        37.48.81.44      Thu Apr 24 18:55 - 13:54  (18:59)
reboot   system boot  2.6.32-19-pve    Sat Mar 15 11:08 - 10:07 (61+22:59)
root     pts/0        37.48.81.52      Sat Mar 15 10:56 - down   (00:11)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 09:00 - 11:07 (21+01:07)
root     pts/0        37.48.81.48      Sat Feb 22 07:28 - down   (01:32)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 07:27 - 09:00  (01:32)

wtmp begins Sat Feb 22 07:27:23 2014
Soraya:
https://www.virustotal.com/en/file/a776 ... 402224931/
https://www.virustotal.com/en/file/04b5 ... 402224932/
https://www.virustotal.com/en/file/c1a2 ... 402224934/
https://www.virustotal.com/en/file/33f0 ... 402225093/
https://www.virustotal.com/en/file/0866 ... 402225092/
JackPos:
https://www.virustotal.com/en/file/6347 ... 402225135/
mmon:
https://www.virustotal.com/en/file/7b31 ... 402225162/
bundled installer:
https://www.virustotal.com/en/file/6050 ... 402225205/
Attachments
infected (some additional files) (902.29 KiB)
infected (159.13 KiB)
no password (556 Bytes)
infected (1.37 MiB)
 #23108  by nielsgroeneveld
 Fri Jun 13, 2014 7:50 am
It seems a new kind of POS malware is being used at the moment, which is labelled as 'POSCLOUD.Backdoor/Agent' by IntelCrawler -

Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware
http://www.scmagazine.com/small-busines ... le/355301/

Title: Cloud-Based POS Software – “New Target for Hackers?”
Published Date: June 11, 2014
Reference Number: IC-INT-753
http://intelcrawler.com/intel/webpos.pdf

Has anyone seen samples or other relevant information, such as MD5 hashes, relating to 'POSCLOUD'?
 #23323  by EP_X0FF
 Thu Jul 10, 2014 2:51 am
dwsfra wrote: uCare, can you upload the unpacked bins of Soraya?
Thanks
Soyara not Soraya.
Attachments
pass: malware (37.13 KiB)
 #23695  by cr33k
 Wed Aug 27, 2014 10:56 am
uCares wrote: Unpacked Backoff 1.55 AERO3
I have been analyzing this bin and have gotten it to connect to my test server and successfully execute the 'Uninstall' and 'Terminate' commands, but the 'Download and Run' and 'Update' commands seem to fail even with a ':' delimiter between command and parameter.

Anyway, I also did a test to see if it could grab track1/2 data, and it did; however, I am still working on decrypting the sent data. I know it's something along the lines of: RC4_decrypt(base64_decode("encrypteddata"), "rc4key")

but I still can't figure it out.

Anyone?

I have written this script to test communication:
Code:
<?php
	// Minimal fake C2 endpoint: log every field the bot POSTs, then answer.
	// Missing fields default to '' so a partial request does not raise notices.
	$fields = array('op', 'id', 'ui', 'wv', 'gr', 'bv', 'data');
	$in = array();
	foreach ($fields as $f) {
		$in[$f] = isset($_POST[$f]) ? $_POST[$f] : '';
	}

	$File = "log.html";
	$Handle = fopen($File, 'a+');
	if ($Handle === false) {
		die("cannot open log file");
	}

	// log.html is opened in a browser, so bot-controlled values are escaped
	// before being written; '<br>' replaces the invalid '</br>' tag.
	$Data = "<br><b>New Log:</b><br>";
	foreach ($fields as $f) {
		$Data .= htmlspecialchars($in[$f], ENT_QUOTES, 'UTF-8') . "<br>";
	}

	fwrite($Handle, $Data);
	fclose($Handle);

//      Download and Run:http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe (Not working?why)
//      Uninstall

	print "Thanks!";
?>
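The decryption scheme described in the post (base64-decode the 'data' field, then RC4 it with a key), as an added analysis helper that is not cr33k's script or anything from the Backoff sample itself. The key is unknown on this page, so the helper takes a list of candidate keys and reports the first one whose output looks like a track-2 record; the sample key and the track string are constructed for the demo.

```python
import base64
import re
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_data_field(b64_data: str, key: bytes) -> bytes:
    """RC4_decrypt(base64_decode(data), key), as the post describes it."""
    return rc4(key, base64.b64decode(b64_data))


# Track 2 is ;<PAN>=<YYMM><service code><discretionary data>? -- a cheap
# plausibility check for telling a correct key from a wrong one.
TRACK2_RE = re.compile(rb";\d{13,19}=\d{7,}\?")


def looks_like_track_data(plain: bytes) -> bool:
    return TRACK2_RE.search(plain) is not None


def try_keys(b64_data: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key that yields track-like plaintext, else None."""
    for key in candidates:
        if looks_like_track_data(decode_data_field(b64_data, key)):
            return key
    return None


# Constructed sample: a fake track-2 record under a made-up key, standing in
# for the 'data' POST field a sandboxed bot would send to the test server.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_TRACK = b";4111111111111111=25121010000000000000?"
SAMPLE_DATA = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_TRACK)).decode()

if __name__ == "__main__":
    hit = try_keys(SAMPLE_DATA, [b"wrong-guess", SAMPLE_KEY])
    print(hit, decode_data_field(SAMPLE_DATA, hit))
```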
 #23698  by cr33k
 Wed Aug 27, 2014 4:23 pm
New piece of malware that's been making news lately for attacking POS terminals over the RDP protocol.

Very detailed analysis here:
http://www.fireeye.com/blog/technical/botnet-activities-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html
https://www.virustotal.com/en/file/c984 ... 425435172/
Attachments
unpacked (11.56 KiB)
Password: infected