POS Malware / RAM Scrapper

Written by aaSSfxxx -

For this first English article, I'll talk about a RAM scraper I found in the wild (and because Xylitol asked me to write an article about POS malware :þ).

First the malware tries to start the service dispatcher (to launch a service, of course), and then installs the service if the service dispatcher failed to start (below, the service installation function):

The main service function is located at 00404150, so we set EIP here and we get this:

Then we have to nop the first conditional jump to continue (because the malware detected that the process is not executed as a service). Then we see a call to EnumProcesses:

We notice a function called on each process enumerated shown below, and we step into it.

The function calls GetProcessName, removes the path and compares the name with a specific name. When a matching process is found (its name is "posw32.exe") we get this:

Then the function queries memory information of the process, tries to read the process memory, and calls some crappy function which seems to look for a certain pattern (but I couldn't identify it):
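The chain described above (enumerate processes, match the name "posw32.exe", query its memory regions and read them) leaves a footprint a defender can look for: a handle opened on the POS process with PROCESS_VM_READ access by something that has no business reading it. The script below is an added example, not code from the original post or from the sample it analyses. It parses constructed, flattened Sysmon-style ProcessAccess records (Event ID 10, with the real SourceImage, TargetImage and GrantedAccess fields, but the key=value layout, the paths and the allowlist are assumptions for the example) and flags reads of posw32.exe memory from non-allowlisted source images.

```python
"""Flag non-allowlisted processes that open posw32.exe with memory-read access.

Added example (not from the original post). Input is a constructed, flattened
rendering of Sysmon Event ID 10 (ProcessAccess); real Sysmon output is XML/EVTX
and would need a different parser, but the field names are the real ones.
"""
import re

# Access rights a memory scraper needs: VirtualQueryEx wants
# PROCESS_QUERY_INFORMATION, ReadProcessMemory wants PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Target process named in the post.
POS_PROCESS = "posw32.exe"

# Assumed allowlist of images expected to touch the POS process (lower-case).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\edr\agent.exe",
}

# Constructed sample records (not real telemetry). Paths are placeholders.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\POS\\posw32.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\update.exe "
    "TargetImage=C:\\POS\\posw32.exe GrantedAccess=0x410",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x410",
    "EventID=10 SourceImage=C:\\Program Files\\EDR\\agent.exe "
    "TargetImage=C:\\POS\\posw32.exe GrantedAccess=0x1010",
    "EventID=1 Image=C:\\Windows\\Temp\\update.exe CommandLine=update.exe",
]

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a value
# runs until the next " Key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one flattened record into a dict of field name -> string value."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_suspicious_access(event):
    """True for a ProcessAccess event that reads posw32.exe memory from an
    image not on the allowlist."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\" + POS_PROCESS):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def find_suspicious(lines):
    """Return the parsed events that should be raised as alerts."""
    return [event for event in map(parse_event, lines) if is_suspicious_access(event)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: %s read memory of %s (GrantedAccess=%s)"
              % (hit["SourceImage"], hit["TargetImage"], hit["GrantedAccess"]))
```

Only the second record is raised: the csrss.exe and EDR agent handles are allowlisted, the third record targets explorer.exe rather than the POS process, and the last is a process-creation event rather than a handle open. In practice the allowlist is the part that needs tuning per environment; the access-mask test itself (GrantedAccess containing 0x10) is what distinguishes a memory read from the harmless PROCESS_QUERY_LIMITED_INFORMATION opens that many tools perform.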

And the most epic stuff: I found a weird string used by another crappy function, after nopping to see what happened if the malware found something in RAM:

which decodes to:

Finally I got credentials to connect to the database (inside the connstr) and for the lulz:

Samples can be found in the KernelMode thread.