
POS Malware / RAM Scrapper

Written by aaSSfxxx - 27 january 2013

For this first English article, I'll talk about a RAM scraper I found in the wild (and because Xylitol asked me to write an article about POS malware :þ).

First the malware tries to start the service dispatcher (to run as a service, of course), and installs itself as a service if the dispatcher fails to start (below, the service installation function):


The main service function is located at 00404150, so we set EIP there and get this:


Then we have to NOP the first conditional jump to continue (because the malware detects that the process is not running as a service). Then we see a call to EnumProcesses:


We notice a function called on each enumerated process, shown below, and we step into it.


The function calls GetProcessName, strips the path and compares the name with a specific one. When the matching process is found (its name is "posw32.exe") we get this:


Then the function queries memory information of the process, tries to read the process memory, and calls some crappy function which seems to look for a certain pattern (but I couldn't identify it):
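The behaviour traced above (enumerate processes, pick out posw32.exe, then read its memory) is exactly what a defender can alert on: a process that is not part of the POS software opening the POS process with read access. The script below is an added example, not code from the original post or from the sample; it walks constructed records shaped like Sysmon Event ID 10 (ProcessAccess) fields and flags reads against posw32.exe. The `SourceImage`/`TargetImage`/`GrantedAccess` field names mirror Sysmon's, the `EXPECTED_READERS` allow-list is a hypothetical site-specific setting, and the event lines are constructed for this example.

```python
"""Flag process-memory reads against a POS process (added example, not the
malware's code). Records mimic Sysmon Event ID 10 (ProcessAccess) fields;
the sample lines and the allow-list are constructed/hypothetical."""
from dataclasses import dataclass

# Win32 process access rights (bits of the access mask Sysmon reports)
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Process whose memory the analysed sample goes after
POS_IMAGE = "posw32.exe"

# Hypothetical allow-list: images legitimately expected to read the POS process
EXPECTED_READERS = {r"c:\program files\posvendor\posmonitor.exe"}

# Constructed sample events, 'Key=Value;Key=Value' per line
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\POS\posw32.exe;GrantedAccess=0x1410",
    r"SourceImage=C:\Program Files\PosVendor\posmonitor.exe;TargetImage=C:\POS\posw32.exe;GrantedAccess=0x1410",
    r"SourceImage=C:\Users\clerk\AppData\Local\Temp\svc.exe;TargetImage=C:\POS\posw32.exe;GrantedAccess=0x0400",
    r"SourceImage=C:\Users\clerk\AppData\Local\Temp\svc.exe;TargetImage=C:\POS\posw32.exe;GrantedAccess=0x0010",
    r"SourceImage=C:\Users\clerk\AppData\Local\Temp\svc.exe;TargetImage=C:\Windows\explorer.exe;GrantedAccess=0x0010",
]


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one 'Key=Value;Key=Value' record into an event (hex access mask)."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return ProcessAccessEvent(
        source_image=fields["SourceImage"].strip(),
        target_image=fields["TargetImage"].strip(),
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious(ev: ProcessAccessEvent) -> bool:
    """True when an unexpected image opens the POS process with VM read rights."""
    # Strip the path and compare the base name, as the sample itself does
    target = ev.target_image.rsplit("\\", 1)[-1].lower()
    if target != POS_IMAGE:
        return False
    if ev.source_image.lower() in EXPECTED_READERS:
        return False
    # Query-only handles (0x400) are common and noisy; reads (0x10) are the signal
    return bool(ev.granted_access & PROCESS_VM_READ)


def scan(lines) -> list:
    """Return the events that should raise an alert."""
    events = [parse_event(line) for line in lines if line.strip()]
    return [ev for ev in events if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT: {ev.source_image} read {ev.target_image} "
              f"(access 0x{ev.granted_access:04x})")
```

On the constructed input, two of the five records are flagged: the two that read posw32.exe from an image outside the allow-list with PROCESS_VM_READ set. The query-only open (0x0400) is deliberately left alone, since many legitimate tools take that right without ever reading memory.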


And the most epic stuff: I found a weird string used by another crappy function, after NOPping to see what happened if the malware found something in RAM:


which decodes to:

Finally I got credentials to connect to the database (inside the connstr), and for the lulz:


Samples can be found at

Classified in: Malwares - Tags: none

sunday 27 january 2013 @ 20:36 Xylitol said : #1

You didn't talk about what it scraped, and how, with what.
btw since you have the SQL creds, upload a shell if it works.

friday 01 february 2013 @ 21:18 unixfreaxjp said : #2

1. What was the "weird string" you talk about?
2. With "what" did you decode that "weird string" to that SQL inject command?
*) We spent more than 24hrs figuring out your sample, so please explain the answers to 1) and 2) in the kernelmode thread. And next time please be a bit more detailed when releasing an analysis post...

saturday 02 february 2013 @ 13:04 aaSSfxxx said : #3

@unixfreaxjp: I answered the questions in the kernelmode thread ;)
And I didn't really explain because there is nothing to "explain", just following what happens with OllyDbg (and IDA to have a global view).

tuesday 01 october 2013 @ 08:08 x4r0r said : #4

please source download thanks
