Written by aaSSfxxx
For this first English article, I'll talk about a RAM scraper I found in the wild (and because Xylitol asked me to write an article about POS malware :þ).
First, the malware tries to start the service dispatcher (to launch a service, of course), and then installs the service if the dispatcher fails to start (below, the service installation function):
The main service function is located at 00404150, so we set EIP here and we get this:
Then we have to NOP the first conditional jump to continue (because the malware detects that the process is not running as a service). Then we see a call to EnumProcesses:
We notice that a function, shown below, is called on each enumerated process, and we step into it.
The function calls GetProcessName, strips the path and compares the name with a specific name. When a matching process is found (its name is "posw32.exe"), we get this:
Then the function queries the memory information of the process, tries to read the process memory, and calls some crappy function which seems to look for a certain pattern (but I couldn't identify it):
And the most epic stuff: I found a weird string used by another crappy function, after nopping to see what happens if the malware finds something in RAM:
which decodes to:
Finally, I got credentials to connect to the database (inside the connstr), and for the lulz:
Samples can be found in the KernelMode thread.
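A detection-side view of the behaviour described above (a service that picks out "posw32.exe" by name, queries its memory regions and reads them), as an added example that is not part of the original article: it filters Sysmon Event ID 10 (ProcessAccess) records for handles to the POS process that carry PROCESS_VM_READ. The source paths, the allowlist and the sample records are constructed assumptions.

```python
import ntpath

# Win32 process access rights (values from winnt.h).
PROCESS_VM_READ = 0x0010            # required by ReadProcessMemory
PROCESS_QUERY_INFORMATION = 0x0400  # required by VirtualQueryEx

# Process name taken from the article; extend with other POS binaries in use.
WATCHED_TARGETS = {"posw32.exe"}
# Assumption: memory readers expected on this host (constructed path).
ALLOWED_SOURCES = {r"c:\program files\exampleav\scanner.exe"}


def is_memory_read_of_pos(event):
    """True if an unexpected process opened a watched POS process for reading."""
    # Same comparison the sample makes: drop the path, compare the bare name.
    target = ntpath.basename(event["TargetImage"]).lower()
    if target not in WATCHED_TARGETS:
        return False
    if event["SourceImage"].lower() in ALLOWED_SOURCES:
        return False
    return bool(int(event["GrantedAccess"], 16) & PROCESS_VM_READ)


def severity(event):
    """'high' if the handle also permits VirtualQueryEx (region walk, then read)."""
    access = int(event["GrantedAccess"], 16)
    return "high" if access & PROCESS_QUERY_INFORMATION else "medium"


def triage(events):
    """Return (source image, granted access, severity) for each flagged event."""
    return [(e["SourceImage"], e["GrantedAccess"], severity(e))
            for e in events if is_memory_read_of_pos(e)]


# Constructed sample records; field names follow Sysmon Event ID 10.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\svc_example.exe",
     "TargetImage": r"C:\POS\POSW32.EXE", "GrantedAccess": "0x0410"},
    {"SourceImage": r"C:\Program Files\ExampleAV\scanner.exe",
     "TargetImage": r"C:\POS\posw32.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\POS\posw32.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\svc_example.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x0410"},
    {"SourceImage": r"C:\Temp\tool_example.exe",
     "TargetImage": r"C:\POS\posw32.exe", "GrantedAccess": "0x0010"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags the first and last records; the allowlisted scanner, the query-only handle and the handle to a non-POS process are ignored.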