Tuesday, 28 May 2013

Dump Memory Grabber / BlackPOS (Win32/Pocardler.A)

Having a look at another POS malware, named BlackPOS by the AV guys:

MD5: cbd268e260bf40c25f1bff8b85e04e01
The original exe is packed with UPX and has a size of 292 KB.
After unpacking, the exe size is 754 KB and the Time/Date Stamp is 512A2914 (24-02-2013 - 14:52:04).
First seen on VirusTotal... right now.

This malware retrieves the path of %USERPROFILE%:

At this step we can trick it, like ProjectHook, into displaying a leet GUI: just take the jump:

Now, if we don't take it, it copies the actual file to %USERPROFILE% under the name svhst.exe

and executes the original exe with the argument '/silentinstall'.

I chose to NOP the line to continue without infecting my VM, and what does it do next?
The same crap, but this time with the argument '/firewall'.

Re-NOPed the line and... yeah, you guessed it, still WinExec, this time with "Netsh firewall set opmode disable".
Netsh = network shell; this command disables the Windows firewall.

Then it deletes the file dum.exe (???)

After that it creates a registry entry under SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

RegSetValueExA with 'svchît' as the value name and %USERPROFILE%/svhst.exe as its data.

Now it will load an exe file from its resources:

And the file 'dum.exe' is created (the exe it tried to delete earlier).
Write it:
And close it when everything is cool:


Open it with SW_HIDE:

But what is this new file?
Yo dawg, I herd you like POS malware so we put a POS malware in yo POS malware so you can grab while u grab.
MD5: 7f9cdc380eeed16eaab3e48d59f271aa

And if it ShellExecuteA's mmon.exe, that means it's swiping time!

So 'mmon.exe' generates a file 'output.txt' containing our track2 data, and this 'output.txt' is of course visible.

Meanwhile, BlackPOS sleeps for 400000 ms (6 minutes and 40 seconds), leaving time for 'mmon.exe' to search for track2:

After this sleep, it takes mmon's output.txt and tries to CreateFile it to see whether the file already exists:
Read the content:
Close it:
And create a new text file "03.05.25.txt":

Then it appends the content of output.txt to "03.05.25.txt" and sets the file hidden:

Then it connects to FTP (what a good idea!)

.netai.net... maybe he hasn't grabbed enough track2 to buy decent hosting.

It compares whether the domain is equal to localhost:

Then it uploads the TXT to the reports folder and deletes dum.exe and output.txt.
I stopped here; since I'm at the end of the procedure, it surely loops the scanning process with mmon.

If you want to see what the panel looks like for this sample: KROKODIL.NETAI.NET

Panel of another sample (d9cc74f36ff173343c6c7e9b4db228cd): SOBACHKA.COMZE.COM

Old panel of the coder (ree4): REE4.7CI.RU

The panel is as primitive as the malware itself.

Conclusion: /facepalm


  1. I can't understand Russian but it seems this guy is trying to sell his POS malware for 1800 for the least expensive period.

    Does he really sell this malware for that price or does nobody buy it?

    Because it's really expensive and it seems the guy hasn't got too much money (the domain name).

  2. Good job stevem
    without download, sad
    keep your job, everyone applauds

  3. Good Job E967!

  4. Dude needs to steal CCs for that Krokodil habit :p

  5. ^LOL

    sums up most of the Russians who are into stealing credit cards.

  6. Group-IB has found it in Match and you report it only now:
  7. Haha, the owner of this BlackPOS is ree4, I have all the source code of this BlackPOS :P

  8. Whoever has this source code and panel, can you post it somewhere please, or can you send it to me by email: poppers@limso.net! Thanks!