Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) TotalHash: https://totalhash.cymru.com/analysis/?a6eb86b55148a7a491093f1f6af6a15c4b44b96c (2) VirusTotal: https://www.virustotal.com/en/file/11591204155db5eb5e9c5a3adbb23e99a75c3b25207d07d7e52a6407c7ad0165/analysis/1451210102/ I . Static Analysis: File type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-05-08 17:41:10 Entry Point: 0x000011D8 Number of Sections: 3 MD5: 12c9c0bc18fdf98189457a9d112eebfc SHA256: 11591204155db5eb5e9c5a3adbb23e99a75c3b25207d07d7e52a6407c7ad0165
0 Comments
Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) Malwr: https://malwr.com/analysis/YTNkZDNmNmRkZjExNDU0NDg2OGZlMmZmOWYzODI0YmU/ (2) VirusTotal: https://www.virustotal.com/en/file/b579c8866f7850110a8d2c7cc10110fa82f86a8395b93562f36e9f500a226929/analysis/1451185979/ I . Static Analysis: Internal Filename: FrameworkServiceLog.exe File type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-06-22 15:29:34 Entry Point: 0x00007B22 Number of Sections: 5 MD5: b57c5b49dab6bbd9f4c464d396414685 SHA256: b579c8866f7850110a8d2c7cc10110fa82f86a8395b93562f36e9f500a226929 File size: 131.5 KB (134656 bytes) Detection ratio: 46 / 55 PE imports: [+] ADVAPI32.dll [+] KERNEL32.dll [+] PSAPI.DLL [+] WS2_32.dll Source: VirusShare
Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=982c4ea6ca4e613aaa48adf8375e312d2b029c2beba174071c4b5668cf0a8649 (2) VirusTotal: https://www.virustotal.com/en/file/982c4ea6ca4e613aaa48adf8375e312d2b029c2beba174071c4b5668cf0a8649/analysis/1451169207/ I . Static Analysis: File type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-09-01 15:39:26 Entry Point: 0x0000CC65 Number of Sections: 5 MD5: 033aac4079addea23bc4e00833cfa8d4 SHA256: 982c4ea6ca4e613aaa48adf8375e312d2b029c2beba174071c4b5668cf0a8649 File size: 161.5 KB (165376 bytes) PDB: "C:\Users\Adminstrator\Desktop\New Alina\alina\Release\alina.pdb" Source: VirusShare
Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=e8bd8aba01ebbe2b9afa5b8c3d56a27363687b5b6963ce593b94a6fd2d831e2a (2) VirusTotal: https://www.virustotal.com/en/file/e8bd8aba01ebbe2b9afa5b8c3d56a27363687b5b6963ce593b94a6fd2d831e2a/analysis/1451089742/ I . Static Analysis: Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2012-12-21 23:30:50 Entry Point: 0x00009D12 File type: Win32 EXE Number of Sections: 5 MD5: 53950faf49ccb19b83b786eadedfe591 SHA256: e8bd8aba01ebbe2b9afa5b8c3d56a27363687b5b6963ce593b94a6fd2d831e2a File size: 224.5 KB (229888 bytes ) Detection ratio: 47 / 54 PE imports: [+] ADVAPI32.dll [+] KERNEL32.DLL [+] SHELL32.dll [+] USER32.dll [+] WS2_32.dll [+] Urlmon.dll Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785 (2) VirusTotal: https://www.virustotal.com/en/file/cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785/analysis/1451004732/ I . Static Analysis: Internal name: HelpPane.exe Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2011-03-26 07:06:26 Entry Point: 0x000016AF File type: Win32 EXE Number of Sections: 11 MD5: 70feec581cd97454a74a0d7c1d3183d1 SHA256: cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785 File size: 52.0 KB (53248 bytes) Detection ratio: 51 / 54 PE imports: [+] KERNEL32.dll [+] USER32.dll Source: VirusShare
Malware Family: Backdoor, Ram Scraper Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMWare Reports: (1) TotalHash: https://totalhash.cymru.com/analysis/?5274255aa6032528360fc222b8aeb911caa35e40 (2) VirusTotal: https://www.virustotal.com/en/file/66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75/analysis/1450644392/ I . Static Analysis: File Type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2015-01-27 20:58:05 Entry Point: 0x00004A66 Number of Sections: 5 File Info: Microsoft Visual C++ 8 MD5: 0c7631f791c60f79faa1d879056c2e18 SHA256: 66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75 File size: 117.5 KB (120320 bytes) PDB: (a) H:\WorkNew\FindStr\Release\FindStr.pdb (b) GUID: b5beed83-5225-46bf-8db9-4ff8f6a1bbf9 Source: VirusShare
Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMWare, Comodo Reports: (1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=7d58756a3b1469ca4243383c5f31e21841836ebc70b84a53d2eaa66754fdbe3b (2) VirusTotal: https://www.virustotal.com/en/file/7d58756a3b1469ca4243383c5f31e21841836ebc70b84a53d2eaa66754fdbe3b/analysis/1450836933/ I . Static Analysis: Source: VirusShare
Malware Family: RAM Scraper Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMWare Reports: (1) Malwr: https://malwr.com/analysis/NzAwOWJjNWJmMzc0NDViYTlhYjQ0OGMxYWI2MGM4ODU/ (2) VirusTotal: https://www.virustotal.com/en/file/74fe8c68d878cc9699a2781be515bb003931ffa2ad21dc0c2c48eb91caba4b44/analysis/1450745229/ I . Static Analysis: File Type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2013-11-28 23:08:01 Entry Point: 0x0001CF20 Number of Sections: 3 File Info: Microsoft Visual C++ 5.0 Reference: OWASP discussion on point-of-sale (POS) malware
Lesson on "Anatomy of memory scraping credit card stealing POS malware" RE: Important Windows calls used by POS malware Step 1: Find POS process with credit card data EnumProcesses OpenProcess EnumProcessModules GetModuleBaseName Step 2: Elevate privilege to SE_DEBUG_NAME OpenProcessToken LookupPrivilegeValue AdjustTokenPrivilege Step 3: Open POS process OpenProcess Step 4: RAM Scraping VirtualQueryEx ReadProcessMemory Source: http://resources.infosecinstitute.com/windows-functions-in-malware-analysis-cheat-sheet-part-1/
Windows Functions
|
AuthorVitali Kremez Archives
September 2016
Categories |