[robemtnez]

JackPOS (jack.exe) was hosted yesterday on the same place as NitlovePOS.

Panel located at 81.4.106[.]241/jack/admin.php?login=true

It has an interesting string :)

0x426000 (17): /jack/loading.php
0x426100 (12): 81.4.106.241
0x4261c0 (12): 81.4.106.241
0x426610 (114): if malicious use contact me xylitol@malwareint.com, don't hesitat! you can also use this string as flag signature.

[Xylitol]

backoff/FindPOS/PoSeidon
call it whatever you want, it's in attach.

https://www.virustotal.com/en/file/7fc3 ... 434566712/

Code: Select all

ASCII "http://xoftunhbyirf.tk/pes18/viewtopic.php|http://dinghareun.ru/pes18/viewtopic.php|http://dingdownmahedt.ru/pes18/viewtopic.php|http://ferepritdi.ru/pes18/viewtopic.php|http://terethaundv.ru/pes18/viewtopic.php"

Version 7.5L

[robemtnez]

One more, BernhardPOS.

http://morphick.com/blog/2015/7/14/bern ... y-morphick
https://www.virustotal.com/fr/file/cdcd ... 436989039/

[Blaze]

GamaPOS

http://documents.trendmicro.com/assets/ ... _Brief.pdf

Attached:

Code: Select all

00a5f8ed90743350880d90499d516de7fd108630321adac760b5b372349c5a2c
070f3be09acce16282e3f12cb3ff40efb2774a4cd3a7fee49ebfadff5f67a2f6
0f9295f0fc3180c848362fe48ac42013fef74d9a8b2e0af1420a59aa44df87dd
131491ad40048597da19b7644f5da2b1eb012ef03231cbe35fc728cf11b67278
198561befe1dc650d2ff7bb9503023ee7f5b121627036ead2c7591ef4b18d4ca
2804f1ca78a4181d68068a29da6d5d31835abed4dac66bf921c1a91e637276fd
3f3eab6e4b7c561e9d27daab2b63b9461b53bd0295ca669d2600e25ccb2cd5f1
403752d0ef25b7a69fff74d315c58acf9a291ff776cd12f8b8d81cbeb5a88fc8
4608928f5b3d52fa4c62d4438cb6285826d605b35e8282884c426cb8666074e9
6075a1a712a12f7fc10919c831810174c420f5c3d4fd0e4b40e5ee14e0d3ad78
6fbdeb6b24d05da0dab9f0ddfe99e03d93654c46eace49fcc2edc98e6157d5b4
7584c96c6220b7009c0bbaf84fce883f852bbd276a9fe1e5f7e6f00e7a4f9e80
863d0dda5c5ef3477ec73b559f2c915625823eaea26c1961b355ced008e26875
8e216e3e1d95141c1953048bcdd3a5d854b4a1ec979ea2e514abde5133609f15
94c5698d2ff0dfd0b9f2a78ad8ec6af72cf266dce205b7e52a58797ea2df93ee
97e5a1fa623810a2cfdc024a7a6ab402c4ea32e2d5f101367b0c5768107ddd90
98d90c39017840e05714e9f0486a59298c27e8aae7140b2b238f7f571c6400bc
990ac79cdb24ec1e626f39073d1ad1578a4a289b637585dda13d6afdbdac1075
9ce14adf9a31da6c94b8085d12d1eba626aa458d28504e08bf54e558dd7a357f
9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c
aea99dcf190a86fd6b031c242c5b4ecd9f8ba976bce08da5195deb56de4cd7f6
c2697a9309dd0733f68c43894b0a19f1d72e41edd0a7c6eb2463d25a260b3811
c72565a3473ecfe2dee7ff9f090b814e4253fb7e39db1aa824d23aab603a0010
cc439972d66cff70a86d9ec14d0c8b0125bfed1aad981271479f4bdd522dc2ff
cca3d715b082759048b7eaa753ad89e4e7c9c361b45d979ee76d416175a6337a
ee5f8fe5114376289730d9ff9e8117b82ac1cd313be5521194799615ad9c7cf2

[forgottencipher]

MalumPOS

1 file from here:
http://documents.trendmicro.com/images/ ... 0Brief.pdf
757ae5eed0c5e229ad9bae586f1281b5de053767

[benkow_]

NewPosThings
C&C corner-update.net
https://www.virustotal.com/fr/file/99ac ... /analysis/
https://www.virustotal.com/fr/file/afe3 ... /analysis/

[Xylitol]

TrendMicro just woke-up about Katrina, an alina spin-off, nothing special overall. and maximum security entrance. :mrgreen:
http://blog.trendmicro.com/trendlabs-se ... g-us-smbs/

e14dccd4d3be7380561f049bef1b5ed0
9a7f5086784c104642976c38ccf1ea77

[patriq]

... Katrina, an alina spin-off, nothing special overall. and maximum security entrance. :mrgreen: ...

Indeed.

katrina.png (95.94 KiB) Viewed 637 times

(** Edit: Panel URL from cybercrime-tracker)

[malwarelabs]

ProjectHook sample:
https://www.virustotal.com/en/file/943b ... 444119062/
Try to contact:
hXXp://inf0nix.com/notify.php (404)
hXXp://inf0nix.com/rxcx.php (404)
attached
EDIT:
nothing new, it's just the same sample as http://www.xylibox.com/2013/05/projecth ... apper.html repacked

[malwarelabs]

katrina sample.
C&C hXXp://halilyavuz.net/A/trinapanel/login.php
attached