Carding
Having a look at another POS malware, named BlackPOS by the AV guys:
MD5: cbd268e260bf40c25f1bff8b85e04e01
The original exe is packed with UPX and has a size of 292 KB.
After unpacking, the exe size is 754 KB and the Time/Date Stamp is 512A2914 (24-02-2013 - 14:52:04).
First seen on VirusTotal... right now.
This malware retrieves the path of %USERPROFILE%:
At this step we can trick it like ProjectHook to display a leet GUI:
Just take the jump:
Now if we don't take it, it copies the actual file to %USERPROFILE% with the name svhst.exe
and executes the original exe with the argument '/silentinstall'.
I chose to NOP the line to continue without infecting my VM, and what does he do next?
The same crap, but this time with the argument '/firewall'.
Re-NOPed the line and... yeah, you guessed it, still WinExec with "Netsh firewall set opmode disable".
Netsh = network shell; this command disables the Windows firewall.
Then he deletes the file dum.exe (???)
Afterwards he creates a registry entry: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegSetValueExA with 'svchît' as name and %USERPROFILE%/svhst.exe as key.

RegCloseKey:

Now he loads an exe file from the resources:

And the file 'dum.exe' is created (the exe file he tried to delete earlier).
Write it:
And close it when everything is cool:
SetFileAttributesA:
Open it with SW_HIDE:
But what is this new file?
Yo dawg i herd you like POS malware so we put a POS malware in yo POS malware so you can grab will u grab
MD5: 7f9cdc380eeed16eaab3e48d59f271aa
But if he ShellExecuteA's mmon.exe, that means it's swiping time!
So 'mmon.exe' generates a file 'output.txt' with our track2, and this 'output.txt' is of course visible.
Meanwhile, BlackPOS sleeps for 400000 ms (6 minutes and 40 seconds), leaving time for 'mmon.exe' to search for track2:
After this sleep, it takes mmon's output.txt and tries to Create it to see whether the file already exists:
Read the content:
Close it:
And create a new text file "03.05.25.txt":
Then he adds the content of output.txt to "03.05.25.txt" and sets the file hidden:
Then he connects to FTP (what a good idea!)
.netai.net... maybe he didn't grab enough track2 to buy decent hosting.
Compare whether the domain equals localhost:
Then he uploads the TXT to the reports folder and deletes dum.exe and output.txt.
I stopped here; since I'm at the end of the procedure, he surely loops the scanning process with mmon.
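As an added defensive example, not code from the original post or from the sample: a small Python detector that runs the behaviour chain described above (netsh disabling the firewall, Run key persistence pointing into the user profile, the dropped dum.exe/mmon.exe/output.txt files, and the FTP connection to the panel host) over a few constructed telemetry lines. The log format is an invented key=value form, not real Sysmon or EDR output; the file names, command line, hashes and hosts are the ones quoted in the analysis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the analysis above: sample hashes, dropped file names,
# the netsh command line and the panel hosts/IPs.
KNOWN_MD5 = {
    "cbd268e260bf40c25f1bff8b85e04e01",  # packed BlackPOS sample
    "7f9cdc380eeed16eaab3e48d59f271aa",  # embedded mmon.exe
    "d9cc74f36ff173343c6c7e9b4db228cd",  # second sample
}
KNOWN_C2_HOSTS = {"krokodil.netai.net", "sobachka.comze.com", "ree4.7ci.ru"}
KNOWN_C2_IPS = {"31.170.161.116", "31.170.163.50", "109.234.159.254"}
DROPPED_FILES = {"svhst.exe", "dum.exe", "mmon.exe", "output.txt", "03.05.25.txt"}
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"
FIREWALL_OFF = re.compile(r"firewall\s+set\s+opmode\s+disable", re.I)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed telemetry in an invented key=value form (not real Sysmon output).
# Lines 1-6 mimic the chain from the analysis; lines 7-8 are benign noise.
SAMPLE_LOG = """\
event=process_create image=C:\\Windows\\System32\\netsh.exe cmdline="Netsh firewall set opmode disable" parent=C:\\Users\\pos\\svhst.exe
event=registry_set key=HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchît value=C:\\Users\\pos\\svhst.exe image=C:\\Users\\pos\\svhst.exe
event=file_create path=C:\\Users\\pos\\dum.exe image=C:\\Users\\pos\\svhst.exe
event=process_create image=C:\\Users\\pos\\mmon.exe cmdline="mmon.exe" parent=C:\\Users\\pos\\svhst.exe
event=file_create path=C:\\Users\\pos\\output.txt image=C:\\Users\\pos\\mmon.exe
event=network_connect image=C:\\Users\\pos\\svhst.exe dst=31.170.161.116 dport=21 host=krokodil.netai.net
event=process_create image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe" parent=C:\\Windows\\explorer.exe
event=network_connect image=C:\\Program Files\\Browser\\browser.exe dst=93.184.216.34 dport=443 host=example.com
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_line(line: str) -> dict:
    """Parse one key=value telemetry line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def hash_is_known(md5: str) -> bool:
    """True if the MD5 is one of the sample hashes quoted in the analysis."""
    return md5.strip().lower() in KNOWN_MD5


def check(ev: dict) -> Optional[Tuple[str, str]]:
    """Apply the BlackPOS behaviour rules to one parsed event."""
    kind = ev.get("event", "")
    image = ev.get("image", "")
    if kind == "process_create":
        # WinExec("Netsh firewall set opmode disable") seen in the sample.
        if basename(image) == "netsh.exe" and FIREWALL_OFF.search(ev.get("cmdline", "")):
            return "firewall_disable", ev["cmdline"]
        if basename(image) in DROPPED_FILES:
            return "known_artifact", image
    elif kind == "registry_set":
        # Run key entry whose data points into a user profile (svhst.exe copy).
        value = ev.get("value", "")
        if RUN_KEY in ev.get("key", "").lower() and "\\users\\" in value.lower():
            return "run_key_persistence", f"{ev.get('key')} -> {value}"
    elif kind == "file_create":
        if basename(ev.get("path", "")) in DROPPED_FILES:
            return "known_artifact", ev["path"]
    elif kind == "network_connect":
        # Panel host/IP from the analysis, or plain FTP from a user-profile binary.
        host = ev.get("host", "").lower()
        ftp_from_profile = ev.get("dport") == "21" and "\\users\\" in image.lower()
        if host in KNOWN_C2_HOSTS or ev.get("dst") in KNOWN_C2_IPS or ftp_from_profile:
            return "c2_contact", f"{image} -> {host or ev.get('dst')}:{ev.get('dport')}"
    return None


def detect(log_text: str) -> List[Finding]:
    """Run every rule over every non-empty line and collect the hits in order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        hit = check(parse_line(line))
        if hit:
            findings.append(Finding(n, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

On the constructed log the six malicious lines each produce one finding and the two benign lines none; the hash check is case-insensitive so it can be fed values copied from a VirusTotal page or a forum post directly.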
If you want to see what the panel looks like for this sample:
• dns: 1 ›› ip: 31.170.161.116 - address: KROKODIL.NETAI.NET
Panel of another sample (d9cc74f36ff173343c6c7e9b4db228cd):
• dns: 1 ›› ip: 31.170.163.50 - address: SOBACHKA.COMZE.COM
Old panel of the coder (ree4):
• dns: 1 ›› ip: 109.234.159.254 - address: REE4.7CI.RU
The panel is as primitive as the malware itself.
Conclusion: /facepalm
(c) https://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html