The malware costs 1k according to him; I'm not sure if it's this guy:
The original exe is packed with UPX and has a size of 447 KB.
After unpacking, the exe size is 1.36 MB and the time date stamp is 5061B8CA (13:59:38 - 25 Sept 2012).
First seen on VirusTotal in December 2012:
Let's disassemble it!
In the main procedure, it first creates a mutex 'MTXCTRL':
It calls GetModuleFileNameW to get the malware's path and compares the end of the path with mmon32.exe.
If this doesn't match, we enter a procedure:
It then takes the string 'APPDATA', uses the API GetEnvironmentVariableW to get the path, appends the string 'Memory Resource' to it and creates the directory.
Then it takes another string '\Memory Resource\mmon32.exe' and copies our exe to %APPDATA% under the name mmon32.exe with the API CopyFileW:
It gets the file attributes via GetFileAttributesW, then takes %APPDATA% again, appends '\Memory Resource\ntfd.dat' and tries to get that file's attributes via the same API, which fails because the file doesn't exist yet.
Then it calls the C&C using a Delphi HTTP class, which can be identified by the embedded path 'C:\Builds\TP\indysockets\lib\Protocols\IdHTTP.pas'.
After calling the C&C, the malware creates ntfd.dat in %APPDATA%\Memory Resource\
And shows a dialog box 'Installed successfully!'
But the installation is not finished yet: it creates a registry value 'WinMen' under 'Software\Microsoft\Windows\CurrentVersion\Run'
And edits '1806' (the "Launching applications and unsafe files" setting) under 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
The value can be zero, one or three: typically, a setting of zero permits the specific action, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.
It sets the value to zero:
Then it creates a timer of 40 seconds (40000 ms):
It determines whether the IsWow64Process function exists in the OS we're running on:
Just after that, it reaches this jump:
If you don't take it, as it normally does, it loads the GUI:
What it normally does:
Well, now everything is deployed for the infection; the malware will look up specific APIs:
It retrieves information about the first process encountered in a system snapshot:
It doesn't take the jump, in order to check for x64:
I skipped over processes until it reached one I also wanted to be scanned (look at EDX at 0x5208E5):
I used magstrip.exe, a custom exe that receives my credit card swipes.
First it takes the exe path and checks the process name, as it did earlier, but this time to make sure it doesn't scan its own process:
Once this verification is done, it retrieves information about a range of pages within the virtual address space of my magstrip.exe process:
And a classic ReadProcessMemory:
Once that's done, the identification starts:
It looks for the first part of a track 2; if found, it verifies the Luhn checksum, and if it is correct it doesn't take the jump at 0x520C14:
When a correct track 2 is finally identified, it checks the second part of the track 2 (the service code):
You can refer to ISO/IEC 7813 on Wikipedia for details on credit card magnetic tracks.
OK, cool, but what is a service code for?
You can get the answer just by browsing carding forums.
201 can be Europe, Canada... and has PIN and chip.
As for the Luhn algorithm, you can get valid test numbers from PayPal (http://www.paypalobjects.com/en_US/vhelp/paypalmanager_help/credit_card_numbers.htm).
For example, if you want to trigger ProjectHook you can try these track 2s:
on my physical blank card; this is what I use to trigger this kind of malware.
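The same three checks the malware applies to memory (track 2 layout, Luhn, service code) are what a defender wants when hunting for swipe data that has leaked into POS logs or dumps. The following is an added example of my own, not code from the post or from ProjectHook: it scans constructed log lines, keeps only Luhn-valid track 2 strings, masks the PAN and decodes the service code from my own abbreviated reading of ISO/IEC 7813.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SSS discretionary?  (sentinels are optional in dumps)
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")

# Service-code digit meanings, abbreviated from ISO/IEC 7813 (my summary, not from the post)
FIRST = {"1": "international", "2": "international, chip preferred", "5": "national",
         "6": "national, chip preferred", "7": "private/bilateral", "9": "test"}
SECOND = {"0": "normal authorisation", "2": "online authorisation",
          "4": "online authorisation (except under bilateral agreement)"}
THIRD = {"0": "no restrictions, PIN required", "1": "no restrictions",
         "2": "goods and services only", "3": "ATM only, PIN required", "4": "cash only",
         "5": "goods and services only, PIN required", "6": "no restrictions, PIN where feasible",
         "7": "goods and services only, PIN where feasible"}

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit and subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def decode_service_code(code: str) -> str:
    return " / ".join((FIRST.get(code[0], "?"), SECOND.get(code[1], "?"), THIRD.get(code[2], "?")))

def scan_line(line: str) -> list:
    """Return masked findings for each Luhn-valid track 2 string found in one log line."""
    hits = []
    for m in TRACK2_RE.finditer(line):
        pan, yy, mm, svc, _disc = m.groups()
        if not luhn_ok(pan):
            continue  # looks like a track but fails Luhn: not a real PAN, skip it
        hits.append({"pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                     "expiry": f"20{yy}-{mm}", "service_code": svc,
                     "service_meaning": decode_service_code(svc)})
    return hits

def scan_log(lines) -> list:
    return [hit for line in lines for hit in scan_line(line)]

# Constructed sample: a POS debug log that leaked a swipe. The PAN is the public Visa test number.
SAMPLE_LOG = [
    "2012-09-25 13:59:38 swipe ok ;4111111111111111=25122011234567890?",
    "2012-09-25 13:59:40 swipe err ;4111111111111112=2512201?",   # fails Luhn, must be ignored
    "2012-09-25 14:00:01 amount 19.99 approved",
]
```

Running scan_log(SAMPLE_LOG) reports one finding with the PAN masked as 411111******1111 and service code 201 decoded as international/chip-preferred, normal authorisation, no restrictions.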
Now that it thinks the credit card is good, the program checks whether the C&C DNS name equals LOCALHOST:
It retrieves some specific APIs from Ws2_32, as it did earlier for scanning running processes:
The track 2 is sent to the C&C:
As for the panel, it's very weak:
Also, not related, but these stupid carding shops are becoming more and more boring.