A forum for reverse engineering, OS internals and malware analysis 

 #25933  by robemtnez
 Tue May 26, 2015 2:08 pm
JackPOS (jack.exe) was hosted yesterday on the same place as NitlovePOS.

Panel located at 81.4.106[.]241/jack/admin.php?login=true

It has an interesting string :)

0x426000 (17): /jack/loading.php
0x426100 (12): 81.4.106.241
0x4261c0 (12): 81.4.106.241
0x426610 (114): if malicious use contact me xylitol@malwareint.com, don't hesitat! you can also use this string as flag signature.
Attachments
infected
(191.02 KiB) Downloaded 104 times
 #26103  by Xylitol
 Wed Jun 17, 2015 9:21 pm
backoff/FindPOS/PoSeidon
call it whatever you want, it's in attach.

https://www.virustotal.com/en/file/7fc3 ... 434566712/
Code:
ASCII "http://xoftunhbyirf.tk/pes18/viewtopic.php|http://dinghareun.ru/pes18/viewtopic.php|http://dingdownmahedt.ru/pes18/viewtopic.php|http://ferepritdi.ru/pes18/viewtopic.php|http://terethaundv.ru/pes18/viewtopic.php"
Version 7.5L
Attachments
infected
(61.87 KiB) Downloaded 106 times
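Added example, not code from any of the posts above: a small Python helper that lists printable strings with their offsets in the "0x426000 (17): /jack/loading.php" style robemtnez pasted, checks a buffer for the flag string Xylitol offers as a signature in #25933, and splits a pipe-delimited URL list like the PoSeidon config string in #26103 into hosts for a blocklist. The byte buffer is constructed from the strings quoted in the thread and padded with NULs; it is not a real sample, and the 0x426000 base is only there to mirror the offsets in the post.

```python
import re

# Constructed test buffer (not a real sample): the strings quoted in the two posts above,
# padded with NUL bytes so they sit at distinct offsets as they would in an unpacked binary.
FLAG_STRING = (b"if malicious use contact me xylitol@malwareint.com, don't hesitat! "
               b"you can also use this string as flag signature.")
C2_LIST = (b"http://xoftunhbyirf.tk/pes18/viewtopic.php|http://dinghareun.ru/pes18/viewtopic.php|"
           b"http://dingdownmahedt.ru/pes18/viewtopic.php")
SAMPLE = (b"\x00" * 0x40 + b"/jack/loading.php\x00" + b"\x00" * 0x10
          + b"81.4.106.241\x00" + b"\x00" * 0x08 + FLAG_STRING + b"\x00" * 0x10
          + C2_LIST + b"\x00" * 0x20)

# Printable-ASCII runs of at least 4 bytes, the same heuristic the `strings` tool uses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def extract_strings(data, base=0):
    """Return (offset, length, text) triples; `base` mirrors an image/section base such as 0x426000."""
    return [(base + m.start(), len(m.group()), m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(data)]

def format_hit(offset, length, text):
    """Render a hit in the `0x426000 (17): /jack/loading.php` style used in the thread."""
    return "0x%06x (%d): %s" % (offset, length, text)

def flag_offset(data, base=0):
    """Offset of the author's flag signature string, or None if the buffer does not carry it."""
    idx = data.find(FLAG_STRING)
    return None if idx < 0 else base + idx

def c2_hosts(data):
    """Hosts taken from pipe-delimited URL lists like the PoSeidon/FindPOS config string."""
    hosts = []
    for _, _, text in extract_strings(data):
        if "|" not in text or "://" not in text:
            continue
        for url in text.split("|"):
            m = re.match(r"https?://([^/|\s]+)", url)
            if m:
                hosts.append(m.group(1))
    return hosts

if __name__ == "__main__":
    for off, length, text in extract_strings(SAMPLE, base=0x426000):
        print(format_hit(off, length, text))
    print("flag at:", hex(flag_offset(SAMPLE, base=0x426000) or 0))
    print("c2 hosts:", c2_hosts(SAMPLE))
```

Point it at a memory dump or unpacked image instead of SAMPLE and the same three functions give you the offset listing, a yes/no on the flag string, and the host list to feed a blocklist.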
 #26310  by Blaze
 Fri Jul 17, 2015 8:59 am
GamaPOS

http://documents.trendmicro.com/assets/ ... _Brief.pdf

Attached:
(910.91 KiB) Downloaded 85 times
 #26825  by Xylitol
 Mon Sep 28, 2015 8:28 am
TrendMicro just woke-up about Katrina, an alina spin-off, nothing special overall. and maximum security entrance. :mrgreen:
http://blog.trendmicro.com/trendlabs-se ... g-us-smbs/

e14dccd4d3be7380561f049bef1b5ed0
9a7f5086784c104642976c38ccf1ea77
Attachments
infected
(247.04 KiB) Downloaded 97 times
 #26883  by patriq
 Sun Oct 04, 2015 2:55 pm
Xylitol wrote:... Katrina, an alina spin-off, nothing special overall. and maximum security entrance. :mrgreen: ...
Indeed.
katrina.png (95.94 KiB)
(** Edit: Panel URL from cybercrime-tracker)
 #26886  by malwarelabs
 Tue Oct 06, 2015 9:04 am
ProjectHook sample:
https://www.virustotal.com/en/file/943b ... 444119062/
Try to contact:
hXXp://inf0nix.com/notify.php (404)
hXXp://inf0nix.com/rxcx.php (404)
attached
EDIT:
nothing new, it's just the same sample as http://www.xylibox.com/2013/05/projecth ... apper.html repacked
Attachments
infected
(429.38 KiB) Downloaded 72 times