POS interface (password protected)
The people who hacked it first left a lot of traces... gentlemen, I present to you... rome0/Amnesia
For background, rome0 is a French carder; you can read a report about him here: http://trackingcybercrime.blogspot.fr/2012/05/inside-french-cybercriminel.html
scumware.org has a hash for x.exe
After retrieving the sample, no surprise... rdasrv.
I will not explain how rdasrv works; the Sophos guys already explained it here:
ESET is broken on the compromised system:
"I got access to a teller machine"
"Still Looking URL from RDP website"
"need Hacker with good knowledge into Pos malware/Decrypting Pos"
You can also see mmon.exe; the file is the same as in my previous post about POS malware:
Some logs were saved.
dbgview log (at first I did not understand why DebugView was there):
mm1.exe is one of the RAM scrapers found; this is the first time I've seen this one.
Algorithm to detect Track 2:
Show the Track 2 data in the console:
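As an added example (my own code, not the scraper's routine and not from the post), here is the kind of Track 2 search a RAM scraper runs over process memory, written in Python against a constructed buffer: match the Track 2 layout around the '=' separator, then validate the PAN with Luhn and sanity-check the expiry month to drop random digit runs. The buffer contents, the function names and the public test PANs are all my own assumptions.

```python
import re

# Track 2 layout (ISO/IEC 7813): [;]PAN(13-19 digits)=YYMM(expiry)SSS(service code)discretionary[?]
# Scrapers key on the '=' between PAN and expiry; the sentinels are not always
# present in memory, so they are optional here as well.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; a cheap way to drop digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so a report never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes) -> list:
    """Return one record per plausible Track 2 string found in buf (masked PAN only)."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm, svc = (m.group(i).decode() for i in (2, 3, 4))
        if not luhn_ok(pan):
            continue                       # random digit run, not a card number
        if not 1 <= int(mm) <= 12:
            continue                       # expiry month must be 01-12
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": svc,
        })
    return hits


# Constructed "process memory" for the demo: one real-looking track, one whose PAN
# fails Luhn, one with an impossible expiry month. The PANs are the usual public
# test numbers, not data from the compromised POS.
SAMPLE_MEMORY = (
    b"\x00\x00POS sale v2.1\x00 amount=12.50\x00"
    b";4111111111111111=2512101123456789?"          # valid: Luhn ok, month 12
    b"\x00\x00log: ok\x00"
    b";4111111111111112=2512101000?"                 # Luhn fails
    b"\x00"
    b";5500000000000004=2513101000?"                 # month 13
    b"\x00\x00"
)

if __name__ == "__main__":
    for h in scan_for_track2(SAMPLE_MEMORY):
        print(f"offset 0x{h['offset']:x}: {h['pan_masked']} exp {h['expiry']} svc {h['service_code']}")
```

Feed it a memory dump of the payment process instead of SAMPLE_MEMORY to see what a scraper on that box would have been able to harvest. Real POS software sometimes keeps track data as UTF-16, which this ASCII pattern will not see; the greedy 13-19 digit PAN match can also swallow digits that precede a real PAN, which is exactly why the Luhn check is there.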
I've also found a good RAM scraper named 'mm_bot.exe', probably a custom piece.
When run, it copies itself to %APPDATA%\Google\svchost.exe, adds registry persistence (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load), runs the copy and deletes ("melts") the original file; then it reads process memory for Track 2 data, gets PC info, encodes everything with a lame key and sends it to a server.
(sadly, the server is dead)
Everything is hidden, but the info is output via OutputDebugStringW; at first I did not understand why I had found DebugView, but now it's clear to me.
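As an added hunting check (my own code, not from the post or the malware), here is a small Python script for the persistence point described above: the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is the old win.ini [windows] load= autostart and is empty on a normal system, so any content is worth a look, and the %APPDATA%\Google\svchost.exe drop path is a direct match. The function names and the sample values are my own assumptions; only the registry location and the drop path come from the post.

```python
import ntpath
import os
import sys

# Locations from the post: the autostart value mm_bot.exe writes and its drop path.
LOAD_KEY_PATH = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
LOAD_VALUE_NAME = "Load"
DROP_TAIL = "\\google\\svchost.exe"   # ...\AppData\Roaming\Google\svchost.exe, lowercased


def assess_load_value(value: str):
    """Judge the contents of HKCU\\...\\Windows\\Load.

    Returns (suspicious, reasons). Works on any OS so the logic can be applied
    to values pulled from an offline NTUSER.DAT as well as the live registry.
    """
    reasons = []
    if value is None or not value.strip():
        return False, reasons              # empty is the normal state
    # An unexpanded %APPDATA% (REG_EXPAND_SZ) still ends with the same tail.
    v = value.strip().strip('"').replace("/", "\\").lower()
    reasons.append("Load value is non-empty; legacy autostart that legitimate software almost never uses")
    if v.endswith(DROP_TAIL):
        reasons.append("points at %APPDATA%\\Google\\svchost.exe, the mm_bot.exe drop location")
    if ntpath.basename(v) == "svchost.exe" and "\\windows\\system32\\" not in v:
        reasons.append("a binary named svchost.exe outside System32")
    return True, reasons


def hunt() -> dict:
    """Read the live Load value and look for the dropped copy; Windows only."""
    if sys.platform != "win32":
        raise SystemExit("live hunt needs Windows; assess_load_value() works anywhere")
    import winreg  # stdlib on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOAD_KEY_PATH) as key:
            value, _ = winreg.QueryValueEx(key, LOAD_VALUE_NAME)
    except FileNotFoundError:
        value = ""
    suspicious, reasons = assess_load_value(str(value))
    dropped = os.path.join(os.environ.get("APPDATA", ""), "Google", "svchost.exe")
    if os.path.isfile(dropped):
        suspicious = True
        reasons.append(f"dropped file present: {dropped}")
    return {"load_value": value, "suspicious": suspicious, "reasons": reasons}


if __name__ == "__main__":
    result = hunt()
    print("SUSPICIOUS" if result["suspicious"] else "clean", result)
```

hunt() only sees the registry hive of the user running it; on a POS terminal, check the Load value in every user's NTUSER.DAT, since the malware writes under HKEY_CURRENT_USER of whichever account executed it. Running DebugView (or any DBWIN_BUFFER listener) on a suspect box is the other cheap check this sample hands you, since it reports everything it does through OutputDebugStringW.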
Get username/pc name:
Encode grabbed data:
Send dumps via a POST request to 18.104.22.168/forum/post.php
AV doesn't seem to know it: 3/45, all generic, according to VirusTotal: https://www.virustotal.com/file/bea36957edeab025bdad5a04daa317f913212103a2bde608529ea18d978e7d45/analysis/1354666164/
RAM scrapers are used mainly to supply carding shops and cost from $100 to $3000 depending on features.
If you are looking for samples: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1756