A forum for reverse engineering, OS internals and malware analysis 

 #18090  by bsteo
 Thu Feb 07, 2013 7:52 pm
This is the encrypted string part that always repeats itself in the "ldata" POST variable of POSCardStealer (aka Alina): "f0c2c5d8dfcac7c7c8c3cec8c0919a" is in the header of the data. Could it be the decryption key? Any ideas?
 #18105  by bsteo
 Fri Feb 08, 2013 3:26 pm
Simple PHP "ldata" POST variable decoder for Alina malware. Credits to Buster_BSA and Xylitol :)
Code:
<?php
// Alina "ldata" decoder: the hex blob is XORed byte by byte with a fixed one-byte key (0xAB).

$key = 'ab';
$encoded = 'f0c2c5d8dfcac7c7c8c3cec8c0919a9a9c8b979b95f68befcec7cedfcecf8be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7dcc2c586cdc2d9cedccac7c785ced3ce8bcdd9c4c68bc4c7cf8bd8cedfdedb858bcfcec7cedfc2c5cc8bcadedfc4d8dfcad9df85a1f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1ded8c8c3cecf85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f798f49f85ced3cea1';

$binarykey = pack('H*', $key);          // hex -> raw bytes (here a single byte, 0xAB)
$binaryencoded = pack('H*', $encoded);  // hex -> raw ciphertext

function xor_decode($binaryencoded, $binarykey) {
  $key_length = strlen($binarykey);
  $result = '';
  $length = strlen($binaryencoded);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $binaryencoded[$i];

    // XOR the byte with every key byte in turn (with a one-byte key this is a single XOR)
    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($binarykey[$j]));
    }

    $result .= $tmp;
  }
  return $result;
}

echo xor_decode($binaryencoded, $binarykey) . "\n";
?>
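The same single-byte XOR decode in Python, as an added example (not bsteo's code), with one extra step an analyst would want: a brute force over all 256 candidate keys that recovers 0xAB from the blob alone, which settles the earlier question about the repeated header (it repeats because the plaintext prefix repeats, not because it is the key). The hex blob is the sample from the post above; the text-likeness scoring heuristic and the function names are my own.

```python
import string

# Sample "ldata" value from the post above (hex-encoded, single-byte XOR with 0xAB)
LDATA_HEX = "f0c2c5d8dfcac7c7c8c3cec8c0919a9a9c8b979b95f68befcec7cedfcecf8be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7dcc2c586cdc2d9cedccac7c785ced3ce8bcdd9c4c68bc4c7cf8bd8cedfdedb858bcfcec7cedfc2c5cc8bcadedfc4d8dfcad9df85a1f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1ded8c8c3cecf85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f798f49f85ced3cea1"
KEY = 0xAB

PRINTABLE = set(string.printable.encode("ascii"))
LETTERS_OR_SPACE = set(string.ascii_letters.encode("ascii")) | {0x20}


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation the PHP decoder performs.
    With a one-byte key every byte is simply XORed with that byte."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(candidate: bytes) -> int:
    """Heuristic (my own) for 'looks like log text': reward letters and spaces,
    penalise anything that is not printable ASCII."""
    score = 0
    for b in candidate:
        if b in LETTERS_OR_SPACE:
            score += 1
        elif b not in PRINTABLE:
            score -= 10
    return score


def recover_single_byte_key(data: bytes) -> int:
    """Try all 256 single-byte keys and return the one whose output scores highest.
    This confirms the key from the ciphertext alone, without guessing from the header."""
    return max(range(256), key=lambda k: text_score(xor_decode(data, bytes([k]))))


def decode_ldata(hex_blob: str, key: int = KEY) -> list[str]:
    """Decode one ldata blob into its log records (one per newline)."""
    raw = bytes.fromhex(hex_blob)
    text = xor_decode(raw, bytes([key])).decode("ascii", errors="replace")
    return [line for line in text.split("\n") if line]


if __name__ == "__main__":
    blob = bytes.fromhex(LDATA_HEX)
    print(f"recovered key: 0x{recover_single_byte_key(blob):02x}")
    for record in decode_ldata(LDATA_HEX):
        print(record)
```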
 #18109  by Xylitol
 Sat Feb 09, 2013 8:07 am
I've found a POS application on a bad guy's server, in Java, and it seems to be from Hong Kong, but I'm not sure if it's legit or infected; there is really a lot of code.
https://www.virustotal.com/file/f019eb5 ... 360397589/
Attachments: infected (2 MiB), infected (2 MiB), infected (2 MiB), infected (81.11 KiB)
 #18114  by bsteo
 Sat Feb 09, 2013 12:43 pm
Found this on a customer's POS. Haven't analysed it yet, just looked at the strings. Copies itself to other locations, creates an autorun record, seems to send mails.
Comodo analysis: http://camas.comodo.com/cgi-bin/submit? ... 327ab79c9e
koaie007@yahoo.com
mail9@l4k3.com
ZbP$(fH4
smtp.l4k3.com
pop.l4k3.com
mail10@l4k3.com
Hw%kidO7
smtp.l4k3.com
pop.l4k3.com
Seems to send mail to "koaie007@yahoo.com" via the SMTP server "smtp.l4k3.com" with two sets of credentials. The author/bad guy seems to be Romanian (again!): "koaie" -> "coaie" means "balls" in Romanian.
Attachment (52.17 KiB), password: "infected"