Monday, 27 May 2013

ProjectHook RAM Scrapper

ProjectHook is a RAM scrapper malware that someone sent me on ICQ.
The malware cost 1k according to him, i'm not sure if it's this guys:

MD5: a599836a7bbc68a5e712d48bb6319951
The original exe is packed with UPX and have a size of (447 Kb)
After unpacking the exe size is 1,36 Mb and the time date stamp is 5061B8CA (13:59:38 - 25 Sept 2012)
First seen in VirusTotal in December 2012:

Let's dissas it !
FastMM is a lightning fast replacement memory manager for Borland Delphi Win32 applications.

On the main procedure, at first it create a mutex 'MTXCTRL':
If the mutex can't be created then close the process.

It call GetModuleFileNameW to get the malware path and compare the end of the path with mmon32.exe
if this don't match we will enter in a procedure:

After it will take the string 'APPDATA' and use the API GetEnvironmentVariableW to get the path and compute it with the string 'Memory Resource' then he create the directory

Then take another string '\Memory Resource\mmon32.exe' and copy our exe to %APPDATA% with the name mmon32.exe and the API CopyFileW:

Get the file attribute via GetFileAttributesW, then he retake %APPDATA% and compute it with '\Memory Resource\ntfd.dat' and try to get the attribute via the same API and do an error because the file don't exist.

Then it call the C&C with an hardcore Delphi classe who can be identified by 'C:\Builds\TP\indysockets\lib\Protocols\IdHTTP.pas'

After calling the C&C the malware create ntfd.dat in %APPDATA%/Memory Ressource/

And show a dialog box 'Installed successfully!'

But the installation is not yet finished, it will create a registry key 'WinMen' at 'Software\Microsoft\Windows\CurrentVersion\Run'

And edit '1806' at 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
'1806' is the key about launching applications and unsafe files in internet explorer.
The value can be zero, one, or three, typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear and a setting of three prohibits the specific action.

Set a zero value:

Then it create a Timer of 40 seconds (40000 ms):

Determine if IsWow64Process function exists in the OS we're running under:

Just after it will go on this jump:

If you don't take it like normaly it do it will load the GUI:

What's normaly he do:

Well now everything is deployed for the infection, the malware will look specific APIs:

Retrieves information about the first process encountered in a system snapshot:

Open process:

Don't take the jump to verify for x64
I've not checked why but it's surely a flag earlier when he have checked if the system was x64.
I've passed on process till he go on something i also want to be scanned (look EDX at 0x5208E5)
I've took magstrip.exe a custom exe file who receive my credit card swipe

At first it take the exe path and check the process name like he have do earlier but this time to be sure he don't scan he's own process:
If he scan he detect his own process it will take a conditional jump later avoiding others procedures and do directly a CloseHandle.
So after this verification do, he will retrieves information about a range of pages within the virtual address space of  my magstrip.exe process:

And a classic ReadProcessMemory:

Once done the indentification start:

And will look for the first part of a track2, if found, he will verify the luhn algorithm and if correct he will not take the jump at 0x520C14:

When a correct track2 is finaly identified he will check the second part of a track2 (service code):

You can refer to the ISO/IEC 7813 on Wikipedia about credit card magnetic tracks.

Ok cool, but what is a service code for ?
You can get the answer just by browsing carding forums.
101 service code are USA and is without chip
201 can be Europe, Canada... and have pin and chip

And about the luhn algorithm you can get valid test numbers via paypal. (
For example, if you want to trigg ProjectHook you can try these track2:
MasterCard: 5431111111111111=13071010000000000666
Visa: 4111111111111111=13071010000000000666
on my physical blank card, this is what i use to trigger these malwares.

Now that he think the credit card is good, the program will check if the C&C dns is equal to LOCALHOST:
Anti analysis maybe.

Retreive some specific APIs of Ws2_32 like he did it earlier for scan running processes:

The track2 is sent to the C&C:
After i've not checked what's he do but he will probably search others track2 in the memory and do that in loop for each process.

For the panel, it's very weak:
And about the huge size of this malware, it's due to a lot of useless features in the HTTP classe and hash classe, for example the ntlm calls of 0x405FBD, 0x4B4D33, 0x5201CF, still dont get it why it's here.

Also not related but these stupid carding shops become more and more boring.
Some sweet stats:


  1. Enjoyed reading. Them stats pages look professional as fuck.

  2. Very nice analysis. Thanks a lot.