
POS Malware / RAM Scrapper

Written by aaSSfxxx - 27 january 2013

For this first English article, I'll talk about a RAM scraper I found in the wild (and because Xylitol asked me to write an article about POS malware :þ).

First the malware tries to start the service control dispatcher (i.e. to run as a Windows service). If the dispatcher fails to start, which happens when the process was not launched by the service control manager, it installs itself as a service (below, the service installation function):

[Screenshot: service installation function]

The main service function is located at 0x00404150, so we set EIP there in the debugger and we get this:

[Screenshot: main service function at 0x00404150]

Then we have to NOP out the first conditional jump to continue (the malware detects that the process is not running as a service and would bail out otherwise). After that we see a call to EnumProcesses:

[Screenshot: call to EnumProcesses]

We notice a function that is called for each enumerated process, shown below, and we step into it.

[Screenshot: function called for each enumerated process]

The function calls GetProcessName, strips the directory part of the path and compares the remaining file name with a hard-coded name. When the matching process is found (its name is "posw32.exe") we get this:

[Screenshot: match on posw32.exe]

The function then queries the memory layout of the target process, tries to read its memory region by region, and calls a rather ugly function which seems to look for a certain pattern in the data read (I couldn't identify the pattern):

[Screenshot: memory query, ReadProcessMemory-style read and pattern search]
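To make the two steps above concrete, here is an added example (it is not code from the post or from the sample) that reproduces the logic a RAM scraper of this kind runs: filter processes by base name, then walk the target's readable memory regions and search each one for card data. Since the author could not identify the pattern this sample searches for, the pattern used here is an assumption: the classic track 2 layout that other POS scrapers hunt for (PAN, '=' separator, YYMM expiry, 3-digit service code, discretionary data, between ';' and '?' sentinels), with a Luhn check to reject digit runs that merely look like a PAN. The memory regions, addresses and card numbers are constructed test data (standard test PANs), not dumps from posw32.exe; the region walk stands in for the VirtualQueryEx/ReadProcessMemory loop, and the same scanner is what you would run over a memory dump of the terminal on the forensic side.

```python
import ntpath
import re

TARGET_IMAGE = "posw32.exe"  # process name from the post

# ASSUMED pattern: track 2 as it sits in a terminal's memory.  Sentinels are
# optional because scrapers often match the bare "PAN=YYMM" prefix only.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def is_target_process(image_path: str, target: str = TARGET_IMAGE) -> bool:
    """Drop the directory part of a Windows image path and compare the base
    name case-insensitively, as the malware's per-process callback does."""
    return ntpath.basename(image_path).lower() == target.lower()


def luhn_ok(pan: str) -> bool:
    """Luhn check: every second digit from the right is doubled (and 9 is
    subtracted when that exceeds 9); the digit sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(data: bytes, base: int = 0) -> list:
    """Search one chunk of memory for track 2 records; returns masked hits."""
    hits = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode()
        yy, mm, service = (g.decode() for g in m.group(2, 3, 4))
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue  # noise that only looks like a card number
        hits.append({
            "address": base + m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": f"{mm}/{yy}",
            "service_code": service,
        })
    return hits


def scan_regions(regions) -> list:
    """regions: iterable of (base_address, readable, contents).  Stand-in for
    walking the target's address space region by region: regions that cannot
    be read are skipped, the way a failed ReadProcessMemory call would be."""
    hits = []
    for base, readable, contents in regions:
        if not readable:
            continue
        hits.extend(scan_buffer(contents, base))
    return hits


# Constructed sample memory (not from the real process): one genuine record,
# one Luhn-invalid decoy, one digit run without a proper track layout, and one
# valid record in a region that cannot be read.
SAMPLE_REGIONS = [
    (0x00400000, True,
     b"\x00" * 16 + b"posw32 transaction log\x00"
     + b";4111111111111111=25121011234567890?" + b"\x00" * 8),
    (0x00500000, True,
     b"noise 1234567890123456=2512101 " + b";4111111111111112=25121011234567890?"),
    (0x00600000, False, b";4111111111111111=25121011234567890?"),
]


if __name__ == "__main__":
    for path in (r"C:\POS\posw32.exe", r"C:\Windows\explorer.exe"):
        print(f"{path} -> target={is_target_process(path)}")
    for h in scan_regions(SAMPLE_REGIONS):
        print(f"0x{h['address']:08x} {h['pan_masked']} "
              f"exp {h['expiry']} sc {h['service_code']}")
```

Only the first region yields a hit: the decoy in the second region fails the Luhn check, the bare digit run has no valid track layout around it, and the third region is never read. When using this on a real memory dump, keep the PAN masking; you want offsets and counts for the incident report, not a new copy of cardholder data on the analyst's machine.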

And now the most interesting part: after NOPing the check to see what happens when the malware finds something in RAM, I found a weird (encoded) string used by another ugly function:

[Screenshot: encoded string]

which decodes to:

[Screenshot: decoded string]

Finally, the decoded string contains a connection string (connstr) with the credentials used to connect to the database, and for the lulz:

[Screenshot: connection to the database with the recovered credentials]

Samples can be found at http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1756&p=17881#p17881

Classified in: Malwares - Tags: none

sunday 27 january 2013 @ 20:36 Xylitol said : #1

You didn't talk about what it scraped, or how and with what.
btw, since you have the SQL creds, upload a shell if it works.

friday 01 february 2013 @ 21:18 unixfreaxjp said : #2

1. What was the "weird string" you talked about?
2. With "what" did you decode that "weird string" into that SQL inject command?
*) We spent more than 24hrs figuring out your sample, so please explain the answers to 1) and 2) in the kernelmode thread. And next time please be a bit more detailed when releasing an analysis post...

saturday 02 february 2013 @ 13:04 aaSSfxxx said : #3

@unixfreaxjp: I answered the questions in the kernelmode thread ;)
And I didn't really explain because there is nothing to "explain", just following what happens with OllyDbg (and IDA to have a global view).

tuesday 01 october 2013 @ 08:08 x4r0r said : #4

please, source download, thanks
