Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) Malwr: https://malwr.com/analysis/MjNhOWI2NDgwZjZiNDE0MzhhYWQ1NzU5ZDUwYmNhODc/ (2) VirusTotal: https://www.virustotal.com/en/file/d7a08338bcb30cc688a827b611fe9b26c54f3ba35c02355fa1d468da8cbbd903/analysis/ I . Static Analysis: Internal File name: Verifone32.exe File type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-10-01 22:24:35 Entry Point: 0x00005140 Number of Sections: 5 Contains 3 embedded files:
MD5: bc7bf2584e3b039155265642268c94c7 SHA256: d7a08338bcb30cc688a827b611fe9b26c54f3ba35c02355fa1d468da8cbbd903 File size: 3.8 MB (4028416 bytes) Detection ratio: 43/ 53 PE imports: [+] ADVAPI32.dll [+] KERNEL32.dll [+] SHELL32.dll [+] SHLWAPI.dll [+] USER32.dll [+] WS2_32.dll [+] OLE32.dll [+] URLMON.dll [+] RPCRT4.dll Here is an interesting string present in the binary with build path of user"erinn": Detected 119 crypto signatures and wrote the following IDC Script for IDA Pro:
IDC Script: #include <idc.idc> static main(void) { auto slotidx; slotidx = 1; MarkPosition(0x0057B9E5, 0, 0, 0, slotidx + 0, "ADLER32"); MakeComm(PrevNotTail(0x0057B9E6), "ADLER32\nAdler32 checksum (unsigned 32-bit integer, BASE value); used by ZLIB compression library"); MarkPosition(0x004071D0, 0, 0, 0, slotidx + 1, "BASE64 table"); MakeComm(PrevNotTail(0x004071D1), "BASE64 table\nBASE64 encoding (used e.g. in e-mails - MIME)"); MarkPosition(0x00407230, 0, 0, 0, slotidx + 2, "BASE64 table"); MakeComm(PrevNotTail(0x00407231), "BASE64 table\nBASE64 encoding (used e.g. in e-mails - MIME)"); MarkPosition(0x00407280, 0, 0, 0, slotidx + 3, "BASE64 table"); MakeComm(PrevNotTail(0x00407281), "BASE64 table\nBASE64 encoding (used e.g. in e-mails - MIME)"); MarkPosition(0x004072C8, 0, 0, 0, slotidx + 4, "BASE64 table"); MakeComm(PrevNotTail(0x004072C9), "BASE64 table\nBASE64 encoding (used e.g. in e-mails - MIME)"); MarkPosition(0x004404A0, 0, 0, 0, slotidx + 5, "BASE64 table"); MakeComm(PrevNotTail(0x004404A1), "BASE64 table\nBASE64 encoding (used e.g. in e-mails - MIME)"); MarkPosition(0x00738D80, 0, 0, 0, slotidx + 6, "BASE64 table"); MakeComm(PrevNotTail(0x00738D81), "BASE64 table\nBASE64 encoding (used e.g. in e-mails - MIME)"); MarkPosition(0x00762208, 0, 0, 0, slotidx + 7, "BLOWFISH [sbox]"); MakeComm(PrevNotTail(0x00762209), "BLOWFISH [sbox]\nBLOWFISH: Sbox 1"); MarkPosition(0x00763260, 0, 0, 0, slotidx + 8, "CAST-128 [sbox 8]"); MakeComm(PrevNotTail(0x00763261), "CAST-128 [sbox 8]\nCAST: SBox 8"); MarkPosition(0x00729B60, 0, 0, 0, slotidx + 9, "CRC32"); MakeComm(PrevNotTail(0x00729B61), "CRC32\nCRC32 precomputed table for byte transform"); MarkPosition(0x007D3910, 0, 0, 0, slotidx + 10, "CRC32"); MakeComm(PrevNotTail(0x007D3911), "CRC32\nCRC32 precomputed table for byte transform"); MarkPosition(0x00738FF7, 0, 0, 0, slotidx + 11, "CryptGenRandom [Name]"); MakeComm(PrevNotTail(0x00738FF8), "CryptGenRandom [Name]\nMicrosoft CryptoAPI function name"); MarkPosition(0x007BECB6, 0, 0, 0, slotidx + 12, "CryptGenRandom [Name]"); MakeComm(PrevNotTail(0x007BECB7), "CryptGenRandom [Name]\nMicrosoft CryptoAPI function name"); MarkPosition(0x00657AD0, 0, 0, 0, slotidx + 13, "DES [long]"); MakeComm(PrevNotTail(0x00657AD1), "DES [long]\nDES: transformation nibbles"); MarkPosition(0x0074E2BA, 0, 0, 0, slotidx + 14, "ECC"); MakeComm(PrevNotTail(0x0074E2BB), "ECC\nNIST-recommended elliptic curve over binary field, hash output of B-163 curve (polynomial basis)"); MarkPosition(0x0074E590, 0, 0, 0, slotidx + 15, "ECC"); MakeComm(PrevNotTail(0x0074E591), "ECC\nNIST-recommended elliptic curve over binary field, hash input seed of B-233 curve (normal basis)"); MarkPosition(0x0074E850, 0, 0, 0, slotidx + 16, "ECC"); MakeComm(PrevNotTail(0x0074E851), "ECC\nNIST-recommended elliptic curve over binary field, hash input seed of B-283 curve (normal basis)"); MarkPosition(0x0074EAB0, 0, 0, 0, slotidx + 17, "ECC"); MakeComm(PrevNotTail(0x0074EAB1), "ECC\nNIST-recommended elliptic curve over binary field, hash input seed of B-409 curve (normal basis)"); MarkPosition(0x0074EDD0, 0, 0, 0, slotidx + 18, "ECC"); MakeComm(PrevNotTail(0x0074EDD1), "ECC\nNIST-recommended elliptic curve over binary field, hash input seed of B-571 curve (normal basis)"); MarkPosition(0x0074EFD9, 0, 0, 0, slotidx + 19, "ECC"); MakeComm(PrevNotTail(0x0074EFDA), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2pnb163v1 curve"); MarkPosition(0x0074F099, 0, 0, 0, slotidx + 20, "ECC"); MakeComm(PrevNotTail(0x0074F09A), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2pnb163v2 curve"); MarkPosition(0x0074F159, 0, 0, 0, slotidx + 21, "ECC"); MakeComm(PrevNotTail(0x0074F15A), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2pnb163v3 curve"); MarkPosition(0x0074F505, 0, 0, 0, slotidx + 22, "ECC"); MakeComm(PrevNotTail(0x0074F506), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"b\" coefficient of c2pnb208w1 curve"); MarkPosition(0x0074F854, 0, 0, 0, slotidx + 23, "ECC"); MakeComm(PrevNotTail(0x0074F855), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2pnb272w1 curve"); MarkPosition(0x0074FBA0, 0, 0, 0, slotidx + 24, "ECC"); MakeComm(PrevNotTail(0x0074FBA1), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2pnb368w1 curve"); MarkPosition(0x0074F2BC, 0, 0, 0, slotidx + 25, "ECC"); MakeComm(PrevNotTail(0x0074F2BD), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2tnb191v1 curve"); MarkPosition(0x0074F37C, 0, 0, 0, slotidx + 26, "ECC"); MakeComm(PrevNotTail(0x0074F37D), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2tnb191v2 curve"); MarkPosition(0x0074F43C, 0, 0, 0, slotidx + 27, "ECC"); MakeComm(PrevNotTail(0x0074F43D), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2tnb191v3 curve"); MarkPosition(0x0074F5C2, 0, 0, 0, slotidx + 28, "ECC"); MakeComm(PrevNotTail(0x0074F5C3), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2tnb239v1 curve"); MarkPosition(0x0074F6A2, 0, 0, 0, slotidx + 29, "ECC"); MakeComm(PrevNotTail(0x0074F6A3), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2tnb239v2 curve"); MarkPosition(0x0074F782, 0, 0, 0, slotidx + 30, "ECC"); MakeComm(PrevNotTail(0x0074F783), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2tnb239v3 curve"); MarkPosition(0x0074FA71, 0, 0, 0, slotidx + 31, "ECC"); MakeComm(PrevNotTail(0x0074FA72), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2tnb359v1 curve"); MarkPosition(0x0074FCE6, 0, 0, 0, slotidx + 32, "ECC"); MakeComm(PrevNotTail(0x0074FCE7), "ECC\nX 9.62 EC-DSA elliptic curve over binary field, \"a\" coefficient of c2tnb431r1 curve"); MarkPosition(0x0074E18F, 0, 0, 0, slotidx + 33, "ECC"); MakeComm(PrevNotTail(0x0074E190), "ECC\nNIST-recommended elliptic curve over binary field, base point x-coordinate of K-163 curve (polynomial basis)"); MarkPosition(0x0074E50A, 0, 0, 0, slotidx + 34, "ECC"); MakeComm(PrevNotTail(0x0074E50B), "ECC\nNIST-recommended elliptic curve over binary field, base point x-coordinate of K-233 curve (polynomial basis)"); MarkPosition(0x0074E7BC, 0, 0, 0, slotidx + 35, "ECC"); MakeComm(PrevNotTail(0x0074E7BD), "ECC\nNIST-recommended elliptic curve over binary field, base point x-coordinate of K-283 curve (polynomial basis)"); MarkPosition(0x0074E9EC, 0, 0, 0, slotidx + 36, "ECC"); MakeComm(PrevNotTail(0x0074E9ED), "ECC\nNIST-recommended elliptic curve over binary field, base point x-coordinate of K-409 curve (polynomial basis)"); MarkPosition(0x0074ECE8, 0, 0, 0, slotidx + 37, "ECC"); MakeComm(PrevNotTail(0x0074ECE9), "ECC\nNIST-recommended elliptic curve over binary field, base point x-coordinate of K-571 curve (polynomial basis)"); MarkPosition(0x0074D930, 0, 0, 0, slotidx + 38, "ECC"); MakeComm(PrevNotTail(0x0074D931), "ECC\nNIST-recommended elliptic curve over prime field, hash input seed of P-192 curve"); MarkPosition(0x0074D9F0, 0, 0, 0, slotidx + 39, "ECC"); MakeComm(PrevNotTail(0x0074D9F1), "ECC\nX 9.62 EC-DSA elliptic curve over prime field, hash input seed of P-192 v2 curve"); MarkPosition(0x0074DAB0, 0, 0, 0, slotidx + 40, "ECC"); MakeComm(PrevNotTail(0x0074DAB1), "ECC\nX 9.62 EC-DSA elliptic curve over prime field, hash input seed of P-192 v3 curve"); MarkPosition(0x0074D450, 0, 0, 0, slotidx + 41, "ECC"); MakeComm(PrevNotTail(0x0074D451), "ECC\nNIST-recommended elliptic curve over prime field, hash input seed of P-224 curve"); MarkPosition(0x0074DB70, 0, 0, 0, slotidx + 42, "ECC"); MakeComm(PrevNotTail(0x0074DB71), "ECC\nX 9.62 EC-DSA elliptic curve over prime field, hash input seed of P-239 v1 curve"); MarkPosition(0x0074DC50, 0, 0, 0, slotidx + 43, "ECC"); MakeComm(PrevNotTail(0x0074DC51), "ECC\nX 9.62 EC-DSA elliptic curve over prime field, hash input seed of P-239 v2 curve"); MarkPosition(0x0074DD30, 0, 0, 0, slotidx + 44, "ECC"); MakeComm(PrevNotTail(0x0074DD31), "ECC\nX 9.62 EC-DSA elliptic curve over prime field, hash input seed of P-239 v3 curve"); MarkPosition(0x0074DE10, 0, 0, 0, slotidx + 45, "ECC"); MakeComm(PrevNotTail(0x0074DE11), "ECC\nNIST-recommended elliptic curve over prime field, hash input seed of P-256 curve"); MarkPosition(0x0074D610, 0, 0, 0, slotidx + 46, "ECC"); MakeComm(PrevNotTail(0x0074D611), "ECC\nNIST-recommended elliptic curve over prime field, hash input seed of P-384 curve"); MarkPosition(0x0074D770, 0, 0, 0, slotidx + 47, "ECC"); MakeComm(PrevNotTail(0x0074D771), "ECC\nNIST-recommended elliptic curve over prime field, hash input seed of P-521 curve"); MarkPosition(0x0074CEA4, 0, 0, 0, slotidx + 48, "ECC"); MakeComm(PrevNotTail(0x0074CEA5), "ECC\nCerticom SEC2 elliptic curve over prime field, prime modulus of secp112r1 curve"); MarkPosition(0x0074CF24, 0, 0, 0, slotidx + 49, "ECC"); MakeComm(PrevNotTail(0x0074CF25), "ECC\nCerticom SEC2 elliptic curve over prime field, prime modulus of secp112r1 curve"); MarkPosition(0x0074CF32, 0, 0, 0, slotidx + 50, "ECC"); MakeComm(PrevNotTail(0x0074CF33), "ECC\nCerticom SEC2 elliptic curve over prime field, \"a\" coefficient of secp112r2 curve"); MarkPosition(0x0074CFC4, 0, 0, 0, slotidx + 51, "ECC"); MakeComm(PrevNotTail(0x0074CFC5), "ECC\nCerticom SEC2 elliptic curve over prime field, \"b\" coefficient of secp128r1 curve"); MarkPosition(0x0074D054, 0, 0, 0, slotidx + 52, "ECC"); MakeComm(PrevNotTail(0x0074D055), "ECC\nCerticom SEC2 elliptic curve over prime field, \"a\" coefficient of secp128r2 curve"); MarkPosition(0x0074D110, 0, 0, 0, slotidx + 53, "ECC"); MakeComm(PrevNotTail(0x0074D111), "ECC\nCerticom SEC2 elliptic curve over prime field, base point x-coordinate of secp160k1 curve"); MarkPosition(0x0074D1AF, 0, 0, 0, slotidx + 54, "ECC"); MakeComm(PrevNotTail(0x0074D1B0), "ECC\nCerticom SEC2 elliptic curve over prime field, \"b\" coefficient of secp160r1 curve"); MarkPosition(0x0074D26F, 0, 0, 0, slotidx + 55, "ECC"); MakeComm(PrevNotTail(0x0074D270), "ECC\nCerticom SEC2 elliptic curve over prime field, \"b\" coefficient of secp160r2 curve"); MarkPosition(0x0074D338, 0, 0, 0, slotidx + 56, "ECC"); MakeComm(PrevNotTail(0x0074D339), "ECC\nCerticom SEC2 elliptic curve over prime field, base point x-coordinate of secp192k1 curve"); MarkPosition(0x0074D3E8, 0, 0, 0, slotidx + 57, "ECC"); MakeComm(PrevNotTail(0x0074D3E9), "ECC\nCerticom SEC2 elliptic curve over prime field, base point x-coordinate of secp224k1 curve"); MarkPosition(0x0074D590, 0, 0, 0, slotidx + 58, "ECC"); MakeComm(PrevNotTail(0x0074D591), "ECC\nCerticom SEC2 elliptic curve over prime field, base point x-coordinate of secp256k1 curve"); MarkPosition(0x0074DF34, 0, 0, 0, slotidx + 59, "ECC"); MakeComm(PrevNotTail(0x0074DF35), "ECC\nCerticom SEC2 elliptic curve over binary field, \"a\" coefficient of sect113r1 curve"); MarkPosition(0x0074DFB4, 0, 0, 0, slotidx + 60, "ECC"); MakeComm(PrevNotTail(0x0074DFB5), "ECC\nCerticom SEC2 elliptic curve over binary field, \"a\" coefficient of sect113r2 curve"); MarkPosition(0x0074E035, 0, 0, 0, slotidx + 61, "ECC"); MakeComm(PrevNotTail(0x0074E036), "ECC\nCerticom SEC2 elliptic curve over binary field, \"a\" coefficient of sect131r1 curve"); MarkPosition(0x0074E0D5, 0, 0, 0, slotidx + 62, "ECC"); MakeComm(PrevNotTail(0x0074E0D6), "ECC\nCerticom SEC2 elliptic curve over binary field, \"a\" coefficient of sect131r2 curve"); MarkPosition(0x0074E205, 0, 0, 0, slotidx + 63, "ECC"); MakeComm(PrevNotTail(0x0074E206), "ECC\nCerticom SEC2 elliptic curve over binary field, \"a\" coefficient of sect163r1 curve"); MarkPosition(0x0074E35E, 0, 0, 0, slotidx + 64, "ECC"); MakeComm(PrevNotTail(0x0074E35F), "ECC\nCerticom SEC2 elliptic curve over binary field, \"a\" coefficient of sect193r1 curve"); MarkPosition(0x0074E41D, 0, 0, 0, slotidx + 65, "ECC"); MakeComm(PrevNotTail(0x0074E41E), "ECC\nCerticom SEC2 elliptic curve over binary field, \"a\" coefficient of sect193r2 curve"); MarkPosition(0x0074E6CA, 0, 0, 0, slotidx + 66, "ECC"); MakeComm(PrevNotTail(0x0074E6CB), "ECC\nCerticom SEC2 elliptic curve over binary field, base point x-coordinate of sect239k1 curve"); MarkPosition(0x0065D1D3, 0, 0, 0, slotidx + 67, "Golden ratio (TEA/N, RC 5/6, ...)"); MakeComm(PrevNotTail(0x0065D1D4), "Golden ratio (TEA/N, RC 5/6, ...)\nA single DWORD, used in multiple crypto algorithms (TEA/N, RC 5/6, SERPENT, ISAAC, etc)."); MarkPosition(0x00751922, 0, 0, 0, slotidx + 68, "List of primes [word]"); MakeComm(PrevNotTail(0x00751923), "List of primes [word]\nAll prime numbers up to 251"); MarkPosition(0x0069EA94, 0, 0, 0, slotidx + 69, "MD4"); MakeComm(PrevNotTail(0x0069EA95), "MD4\nMD4 transform & init constants (also used in SHA, RIPEMD, partly in CAST)"); MarkPosition(0x00429616, 0, 0, 0, slotidx + 70, "MD5"); MakeComm(PrevNotTail(0x00429617), "MD5\nMD5 transform (\"compress\") constants"); MarkPosition(0x00669978, 0, 0, 0, slotidx + 71, "MD5"); MakeComm(PrevNotTail(0x00669979), "MD5\nMD5 transform (\"compress\") constants"); MarkPosition(0x007621C0, 0, 0, 0, slotidx + 72, "PI fraction (NIMBUS / BLOWFISH)"); MakeComm(PrevNotTail(0x007621C1), "PI fraction (NIMBUS / BLOWFISH)\nFractional part of PI number - 640 bits. Used e.g. in BLOWFISH (pbox & sbox) or NIMBUS (fixed key)."); MarkPosition(0x007242D8, 0, 0, 0, slotidx + 73, "Prime"); MakeComm(PrevNotTail(0x007242D9), "Prime\nPrime number, used e.g. in Diffie-Hellman algorithm (discrete logarithm modulus) (prime modulus)"); MarkPosition(0x006C9640, 0, 0, 0, slotidx + 74, "Prime"); MakeComm(PrevNotTail(0x006C9641), "Prime\nPrime number, used e.g. in Diffie-Hellman algorithm (discrete logarithm modulus) (prime modulus)"); MarkPosition(0x006C9440, 0, 0, 0, slotidx + 75, "Prime"); MakeComm(PrevNotTail(0x006C9441), "Prime\nPrime number, used e.g. in Diffie-Hellman algorithm (discrete logarithm modulus) (prime modulus)"); MarkPosition(0x006C9140, 0, 0, 0, slotidx + 76, "Prime"); MakeComm(PrevNotTail(0x006C9141), "Prime\nPrime number, used e.g. in Diffie-Hellman algorithm (discrete logarithm modulus) (prime modulus)"); MarkPosition(0x006C8D20, 0, 0, 0, slotidx + 77, "Prime"); MakeComm(PrevNotTail(0x006C8D21), "Prime\nPrime number, used e.g. in Diffie-Hellman algorithm (discrete logarithm modulus) (prime modulus)"); MarkPosition(0x0075E360, 0, 0, 0, slotidx + 78, "RC2 [char]"); MakeComm(PrevNotTail(0x0075E361), "RC2 [char]\nRC2 Sbox"); MarkPosition(0x00637680, 0, 0, 0, slotidx + 79, "RIJNDAEL [S] [char]"); MakeComm(PrevNotTail(0x00637681), "RIJNDAEL [S] [char]\nRIJNDAEL (AES): SBOX (also used in other ciphers)."); MarkPosition(0x00637780, 0, 0, 0, slotidx + 80, "RIJNDAEL [S] [char]"); MakeComm(PrevNotTail(0x00637781), "RIJNDAEL [S] [char]\nRIJNDAEL (AES): SBOX (also used in other ciphers)."); MarkPosition(0x00637880, 0, 0, 0, slotidx + 81, "RIJNDAEL [S] [char]"); MakeComm(PrevNotTail(0x00637881), "RIJNDAEL [S] [char]\nRIJNDAEL (AES): SBOX (also used in other ciphers)."); MarkPosition(0x00637980, 0, 0, 0, slotidx + 82, "RIJNDAEL [S] [char]"); MakeComm(PrevNotTail(0x00637981), "RIJNDAEL [S] [char]\nRIJNDAEL (AES): SBOX (also used in other ciphers)."); MarkPosition(0x00638D00, 0, 0, 0, slotidx + 83, "RIJNDAEL [S-inv] [char]"); MakeComm(PrevNotTail(0x00638D01), "RIJNDAEL [S-inv] [char]\nRIJNDAEL (AES): inverse SBOX (for decryption)"); MarkPosition(0x00638E00, 0, 0, 0, slotidx + 84, "RIJNDAEL [S-inv] [char]"); MakeComm(PrevNotTail(0x00638E01), "RIJNDAEL [S-inv] [char]\nRIJNDAEL (AES): inverse SBOX (for decryption)"); MarkPosition(0x00638F00, 0, 0, 0, slotidx + 85, "RIJNDAEL [S-inv] [char]"); MakeComm(PrevNotTail(0x00638F01), "RIJNDAEL [S-inv] [char]\nRIJNDAEL (AES): inverse SBOX (for decryption)"); MarkPosition(0x00639000, 0, 0, 0, slotidx + 86, "RIJNDAEL [S-inv] [char]"); MakeComm(PrevNotTail(0x00639001), "RIJNDAEL [S-inv] [char]\nRIJNDAEL (AES): inverse SBOX (for decryption)"); MarkPosition(0x006B2614, 0, 0, 0, slotidx + 87, "RIPEMD-160"); MakeComm(PrevNotTail(0x006B2615), "RIPEMD-160\nRIPEMD-160/320 additive constants (partly also used by other RIPEMD variants, SHA, MD4, SEAL, ...)"); MarkPosition(0x0075E4A0, 0, 0, 0, slotidx + 88, "SEED"); MakeComm(PrevNotTail(0x0075E4A1), "SEED\nSEED: SBOX 0"); MarkPosition(0x0062E02C, 0, 0, 0, slotidx + 89, "SHA1 [Compress]"); MakeComm(PrevNotTail(0x0062E02D), "SHA1 [Compress]\nSHA1 additive constants (also used in SHA, SEAL, partly in RIPEMD)"); MarkPosition(0x006301B0, 0, 0, 0, slotidx + 90, "SHA1 [Compress]"); MakeComm(PrevNotTail(0x006301B1), "SHA1 [Compress]\nSHA1 additive constants (also used in SHA, SEAL, partly in RIPEMD)"); MarkPosition(0x0069FE63, 0, 0, 0, slotidx + 91, "SHA1 [Compress]"); MakeComm(PrevNotTail(0x0069FE64), "SHA1 [Compress]\nSHA1 additive constants (also used in SHA, SEAL, partly in RIPEMD)"); MarkPosition(0x005DC94A, 0, 0, 0, slotidx + 92, "SHA-224 [Init]"); MakeComm(PrevNotTail(0x005DC94B), "SHA-224 [Init]\nSHA-224 init constants (also used in SHA-384)"); MarkPosition(0x005DCEAF, 0, 0, 0, slotidx + 93, "SHA-224 [Init]"); MakeComm(PrevNotTail(0x005DCEB0), "SHA-224 [Init]\nSHA-224 init constants (also used in SHA-384)"); MarkPosition(0x0062D300, 0, 0, 0, slotidx + 94, "SHA-256 [mixing]"); MakeComm(PrevNotTail(0x0062D301), "SHA-256 [mixing]\nSHA-256 mixing constants (also used in SHA-512)"); MarkPosition(0x00614896, 0, 0, 0, slotidx + 95, "SHA-384 [Init]"); MakeComm(PrevNotTail(0x00614897), "SHA-384 [Init]\nSHA-384 init constants (partly used also in SHA-224)"); MarkPosition(0x0061537B, 0, 0, 0, slotidx + 96, "SHA-384 [Init]"); MakeComm(PrevNotTail(0x0061537C), "SHA-384 [Init]\nSHA-384 init constants (partly used also in SHA-224)"); MarkPosition(0x00614946, 0, 0, 0, slotidx + 97, "SHA-512 [init]"); MakeComm(PrevNotTail(0x00614947), "SHA-512 [init]\nSHA-512 init constants (partly used also in SHA-256)"); MarkPosition(0x006154AB, 0, 0, 0, slotidx + 98, "SHA-512 [init]"); MakeComm(PrevNotTail(0x006154AC), "SHA-512 [init]\nSHA-512 init constants (partly used also in SHA-256)"); MarkPosition(0x006B6F00, 0, 0, 0, slotidx + 99, "WHIRLPOOL [sbox] [char]"); MakeComm(PrevNotTail(0x006B6F01), "WHIRLPOOL [sbox] [char]\nWHIRLPOOL by P. Baretto and V. Rijmen: SBOX"); MarkPosition(0x00768A80, 0, 0, 0, slotidx + 100, "WHIRLPOOL [sbox] [char]"); MakeComm(PrevNotTail(0x00768A81), "WHIRLPOOL [sbox] [char]\nWHIRLPOOL by P. Baretto and V. Rijmen: SBOX"); MarkPosition(0x0072BBA0, 0, 0, 0, slotidx + 101, "ZLIB deflate [word]"); MakeComm(PrevNotTail(0x0072BBA1), "ZLIB deflate [word]\nZLIB compression algorithm - literal codes base values, used to build the trees"); MarkPosition(0x007D72D0, 0, 0, 0, slotidx + 102, "ZLIB deflate [word]"); MakeComm(PrevNotTail(0x007D72D1), "ZLIB deflate [word]\nZLIB compression algorithm - literal codes base values, used to build the trees"); MarkPosition(0x006DFA84, 0, 0, 0, slotidx + 103, "{Big number}"); MakeComm(PrevNotTail(0x006DFA85), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 160 bits"); MarkPosition(0x006E3860, 0, 0, 0, slotidx + 104, "{Big number}"); MakeComm(PrevNotTail(0x006E3861), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 168 bits"); MarkPosition(0x006E38F0, 0, 0, 0, slotidx + 105, "{Big number}"); MakeComm(PrevNotTail(0x006E38F1), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 176 bits"); MarkPosition(0x006E3A14, 0, 0, 0, slotidx + 106, "{Big number}"); MakeComm(PrevNotTail(0x006E3A15), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 168 bits"); MarkPosition(0x006E3BC0, 0, 0, 0, slotidx + 107, "{Big number}"); MakeComm(PrevNotTail(0x006E3BC1), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 168 bits"); MarkPosition(0x007047B8, 0, 0, 0, slotidx + 108, "{Big number}"); MakeComm(PrevNotTail(0x007047B9), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 156 bits"); MarkPosition(0x007062E8, 0, 0, 0, slotidx + 109, "{Big number}"); MakeComm(PrevNotTail(0x007062E9), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 156 bits"); MarkPosition(0x00706314, 0, 0, 0, slotidx + 110, "{Big number}"); MakeComm(PrevNotTail(0x00706315), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 159 bits"); MarkPosition(0x00706340, 0, 0, 0, slotidx + 111, "{Big number}"); MakeComm(PrevNotTail(0x00706341), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 160 bits"); MarkPosition(0x0070636C, 0, 0, 0, slotidx + 112, "{Big number}"); MakeComm(PrevNotTail(0x0070636D), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 160 bits"); MarkPosition(0x00706398, 0, 0, 0, slotidx + 113, "{Big number}"); MakeComm(PrevNotTail(0x00706399), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 160 bits"); MarkPosition(0x007063C4, 0, 0, 0, slotidx + 114, "{Big number}"); MakeComm(PrevNotTail(0x007063C5), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 160 bits"); MarkPosition(0x007063F0, 0, 0, 0, slotidx + 115, "{Big number}"); MakeComm(PrevNotTail(0x007063F1), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 160 bits"); MarkPosition(0x0070641C, 0, 0, 0, slotidx + 116, "{Big number}"); MakeComm(PrevNotTail(0x0070641D), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 160 bits"); MarkPosition(0x00706448, 0, 0, 0, slotidx + 117, "{Big number}"); MakeComm(PrevNotTail(0x00706449), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 160 bits"); MarkPosition(0x007240A4, 0, 0, 0, slotidx + 118, "{Big number}"); MakeComm(PrevNotTail(0x007240A5), "{Big number}\nPossible big number constant - it may indicate various asymmetric crypto: hexadecimal, 1024 bits"); } Using the following decoder written by Jeremy Humble [https://github.com/securitykitten/malware_config_parsers/blob/master/lusypos_decode.py/, we successfully decode the strings: http://kcdjqxk4jjwzjopq.onion/d/gw.php http://ydoapqgxeqmvsugz.onion/d/gw.php VeriFone32 VeriFone32 verifone32 prowin32Mutex b00n v1.1 \\Internet Explorer\\iexplore.exe mbambservice.exe tor.exe zlib1.dll libcurl.dll Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0 LowRiskFileTypes Content-Type: application/x-www-form-urlencoded 127.0.0.1:9050 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) g00n curl_easy_init curl_easy_setopt curl_easy_cleanup curl_easy_perform curl_easy_strerror curl_slist_append curl_easy_getinfo curl_slist_free_all page= &ump= &ks= &opt= &unm= &cnm= &view= &spec= &query= &val= &var= DetectShutdownClass download- update- checkin: scanin: uninstall response= UpdateMutex: Software\\Verifone32 Software\\Microsoft\\Windows\\CurrentVersion\\Run .DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run mbambservice.exe wmiprvse.exe LogonUI.exe svchost.exe iexplore.exe explorer.exe System smss.exe csrss.exe winlogon.exe lsass.exe spoolsv.exe alg.exe wuauclt.exe firefox.exe chrome.exe devenv.exe II. Dynamic Analysis: (1) Creates a directory c:\Documents and Settings\<User>\\Application Data\VeriFone32 (3) Copies itself to c:\Documents and Settings\<User>\\Application Data\VeriFone32\verifone32.exe (3) Drops 3 files c:\Documents and Settings\<User>\Application Data\VeriFone32\libcurl.dll c:\Documents and Settings\<User>\Application Data\VeriFone32\mbambservice.exe [= tor.exe] c:\Documents and Settings\\<User>\Application Data\VeriFone32\zlib1.dll (5) Creates mutex prowin32Mutex (6) Created Registry Keys HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0 HKCU\Software\Verifone32\Digitb00 HKLM\SOFTWARE\Microsoft\ESENT\Process\mbambservice\DEBUG\Trace Level (7) Creates processes c:\Documents and Settings\<User>\\application data\verifone32\mbambservice.exe (5) IP Connections 193.23.244.244 171.25.193.9 195.154.127.246 188.40.37.200 (6) HTTP Requests http://-\x16\x03\x01 (7) Contains 2 C2 servers available through Tor: http://kcdjqxk4jjwzjopq.onion/d/gw.php http://ydoapqgxeqmvsugz.onion/d/gw.php Ram Scraping function: CreateToolhelp32Snapshot-> Process32First -> Sleep 1000 -> OpenProcess -> VirtualQueryEx -> ReadProcessMemory -> CloseHandle -> Sleep 5000 -> Process32Next Whitelists the following processes during the RAM scraping function: LogonUI.exe svchost.exe iexplore.exe explorer.exe System smss.exe csrss.exe winlogon.exe lsass.exe spoolsv.exe alg.exe wuauclt.exe firefox.exe chrome.exe devenv.exe III. Yara Signature: rule Backdoor_Win32_LucyPOS : BDR/SCRP { meta: author = "Vitali Kremez" date = "2015-12-29" description = "Detected LucyPOS Scraper" hash0 = "bc7bf2584e3b039155265642268c94c7" sample_filetype = "exe" $service1 = “Verifone32.exe” $service2 = “mbambservice.exe” strings: $string0 = " rec->input" $string1 = "Tried for %d seconds to get a connection to %s:%d. Giving up." $string2 = " CONN_TYPE_OR" $string3 = " (int)" $string4 = "boolean is wrong length" $string5 = "mp->conf_state " $string6 = "EXTENDED_EVENTS" $string7 = "unsupported content type" $string8 = "weight as exit" $string9 = "lock->locktype " $string10 = "cp->package_window >" $string11 = "opendir" $string12 = "SSLv3 read server key exchange A" $string13 = "Error tokenizing client keys file." $string14 = "OCSP helper" $string15 = "req->socks_version" $string16 = "C;\\$ u" $string17 = "Closing no-longer-configured %s on %s:%d" $string18 = "pb_extremepct" condition: 18 of them and filesize<4.1MB or any of ($service*) } Sourcefire Rule: alert any $HOME_NET any -> any any (msg:" LucyPOS Alert”; content: “http://kcdjqxk4jjwzjopq.onion/d/gw.php”; “http://ydoapqgxeqmvsugz.onion/d/gw.php”; “193.23.244.24”; “171.25.193.9”; “195.154.127.246”; “188.40.37.200”; “\x16\x03\x0”; “pcre: “/.*(page=|\&ump=|\&ks=|\&opt=|\&unm=|\&cnm=|\&view=|\&spec=|\&query=|\&val=|\&var=|\&response=).*/”; classtype: Trojan-activity)
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |