Having a look at another POS malware, named BlackPOS by the AV guys:
The original exe is packed with UPX and has a size of 292 KB.
After unpacking, the exe size is 754 KB and the Time/Date Stamp is 512A2914 (24-02-2013 - 14:52:04).
First seen on VirusTotal... right now.
This malware retrieves the path of %USERPROFILE%:
At this step we can trick it like ProjectHook to display a leet GUI:
Now if we don't take it, it copies the actual file to %USERPROFILE% with the name svhst.exe
and executes the original exe with the argument '/silentinstall'.
I chose to NOP the line to continue without infecting my VM, and what does it do next?
The same crap, but this time with the argument '/firewall'.
Re-NOPed the line and... yeah, you guessed it, still WinExec, this time with "Netsh firewall set opmode disable".
Then it deletes the file dum.exe (???)
It then creates a registry entry under SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
RegSetValueExA with 'svchît' as the value name and %USERPROFILE%/svhst.exe as the data.
Now it will load an exe file from a resource:
And the file 'dum.exe' is created (the exe file it tried to delete earlier).
It opens it with SW_HIDE:
But what is this new file?
If it ShellExecuteA's mmon.exe, that means it's swiping time!
So 'mmon.exe' generates a file 'output.txt' with our track2, and this 'output.txt' is of course visible.
Meanwhile, BlackPOS sleeps for 400000 ms (6 minutes and 40 seconds), leaving time for 'mmon.exe' to search for track2:
After this sleep, it takes mmon's output.txt and tries to create it to see if the file already exists:
Then it appends the content of output.txt to "03.05.25.txt" and sets the file hidden:
Then it connects to FTP (what a good idea!)
Compares whether the domain is equal to localhost:
Then it uploads the TXT to the reports folder and deletes dum.exe and output.txt.
If you want to see what the panel looks like for this sample:
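As an added example (not code from the original post or from the sample), here is the behaviour chain above turned into simple detection checks: self-copy as svhst.exe, the /silentinstall and /firewall switches, the netsh firewall disable, the Run key, the hidden mmon.exe launch, the long sleep, the hidden "03.05.25.txt" dump file and the FTP connection. The "api|process|arguments" trace format, the rule names and the verdict thresholds are assumptions made for this example; the trace itself is constructed.

```python
"""Behaviour checks for the BlackPOS chain described in the post (added example)."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sandbox-style trace, one event per line: api|process|arguments.
# The last line is a benign event that must not match anything.
SAMPLE_TRACE = """\
CopyFileA|sample.exe|C:\\Users\\victim\\svhst.exe
WinExec|svhst.exe|C:\\Users\\victim\\svhst.exe /silentinstall
WinExec|svhst.exe|C:\\Users\\victim\\svhst.exe /firewall
WinExec|svhst.exe|Netsh firewall set opmode disable
DeleteFileA|svhst.exe|C:\\Users\\victim\\dum.exe
RegSetValueExA|svhst.exe|HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchît=C:\\Users\\victim\\svhst.exe
ShellExecuteA|svhst.exe|mmon.exe SW_HIDE
Sleep|svhst.exe|400000
CreateFileA|svhst.exe|C:\\Users\\victim\\output.txt
SetFileAttributesA|svhst.exe|C:\\Users\\victim\\03.05.25.txt FILE_ATTRIBUTE_HIDDEN
InternetConnectA|svhst.exe|ftp KROKODIL.NETAI.NET:21
CreateFileA|notepad.exe|C:\\Users\\victim\\notes.txt
"""

Event = Tuple[int, str, str, str]  # (line number, api, process, arguments)


def _sleep_ms(args: str) -> int:
    """Sleep argument as an integer, 0 if it is not numeric."""
    try:
        return int(args.strip())
    except ValueError:
        return 0


# Each rule: (name, predicate over (api, process, args)). Thresholds are assumptions.
RULES: List[Tuple[str, Callable[[str, str, str], bool]]] = [
    ("copy_self_as_svhst",
     lambda api, proc, args: api == "CopyFileA" and args.lower().endswith("\\svhst.exe")),
    ("silentinstall_switch",
     lambda api, proc, args: api == "WinExec" and "/silentinstall" in args.lower()),
    ("firewall_switch",
     lambda api, proc, args: api == "WinExec" and re.search(r"\s/firewall\b", args, re.I) is not None),
    ("netsh_firewall_disabled",
     lambda api, proc, args: api == "WinExec"
     and re.search(r"^netsh\s+firewall\s+set\s+opmode\s+disable", args, re.I) is not None),
    ("run_key_svhst",
     lambda api, proc, args: api == "RegSetValueExA"
     and "\\currentversion\\run\\" in args.lower() and "svhst.exe" in args.lower()),
    ("mmon_launched",
     lambda api, proc, args: api == "ShellExecuteA" and args.lower().startswith("mmon.exe")),
    ("long_sleep",  # the post observed 400000 ms; anything >= 5 min is flagged here
     lambda api, proc, args: api == "Sleep" and _sleep_ms(args) >= 300_000),
    ("hidden_track_file",
     lambda api, proc, args: api == "SetFileAttributesA"
     and "03.05.25.txt" in args and "HIDDEN" in args.upper()),
    ("ftp_connection",
     lambda api, proc, args: api == "InternetConnectA" and args.lower().startswith("ftp")),
]


def parse_trace(text: str) -> List[Event]:
    """Split the trace into events, keeping 1-based line numbers; malformed lines are skipped."""
    events: List[Event] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        api, proc, args = (p.strip() for p in parts)
        events.append((lineno, api, proc, args))
    return events


def scan(text: str) -> Dict[str, List[int]]:
    """Return {rule name: [matching line numbers]} for rules that fired at least once."""
    hits: Dict[str, List[int]] = {}
    for lineno, api, proc, args in parse_trace(text):
        for name, predicate in RULES:
            if predicate(api, proc, args):
                hits.setdefault(name, []).append(lineno)
    return hits


def classify(hits: Dict[str, List[int]]) -> str:
    """Coarse verdict from the number of distinct behaviours seen (thresholds are assumptions)."""
    if not hits:
        return "clean"
    if len(hits) >= 4:
        return "blackpos-like"
    return "suspicious"


if __name__ == "__main__":
    found = scan(SAMPLE_TRACE)
    for name, lines in found.items():
        print(f"{name:26s} lines {lines}")
    print("verdict:", classify(found))
```

The rules deliberately key on the concrete artefacts the post observed (file name, registry value, the netsh command line, the hidden dump file, the FTP channel) rather than on hashes, so a repacked build with the same routine still trips several of them; the `netsh firewall set opmode disable` and Run-key checks are also worth running on their own against any host process trace, since neither is something a normal POS application does.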
• dns: 1 ›› ip: 18.104.22.168 - adresse: KROKODIL.NETAI.NET
Panel of another sample (d9cc74f36ff173343c6c7e9b4db228cd):
• dns: 1 ›› ip: 22.214.171.124 - adresse: SOBACHKA.COMZE.COM
Old panel of the coder (ree4):
• dns: 1 ›› ip: 126.96.36.199 - adresse: REE4.7CI.RU
The panel is as primitive as the malware itself.