2019.03.13.DMSniff_POS_Malware

2024-06-24 07:49:57 +00:00 · 2019-03-14 16:19:34 +08:00 · 2019-03-14 16:19:34 +08:00 · e765355b6f
commit e765355b6f
parent f6bb8f0eaf
4 changed files with 222 additions and 0 deletions
--- a/2019/2019.03.13.DMSniff_POS_Malware/DMSniff_POS_Malware.pdf
+++ b/2019/2019.03.13.DMSniff_POS_Malware/DMSniff_POS_Malware.pdf
--- a/2019/2019.03.13.DMSniff_POS_Malware/DMSniff_decoded_strings_March2019.txt
+++ b/2019/2019.03.13.DMSniff_POS_Malware/DMSniff_decoded_strings_March2019.txt
@ -0,0 +1,167 @@
+0x40143cL %u.%u.%u
+0x401474L c:\
+0x4014abL -%X.
+0x4014feL .
+0x40154bL SOFTWARE\Microsoft\Windows\CurrentVersion
+0x40155bL ProductId
+0x4015b8L SOFTWARE\Microsoft\Windows NT\CurrentVersion
+0x4015c8L ProductId
+0x401678L _%X%X
+0x401870L wsock32.dll
+0x40188bL wsock32.dll
+0x4018a2L __WSAFDIsSet
+0x4018b7L WSAStartup
+0x4018ccL send
+0x4018e1L socket
+0x4018f6L gethostbyname
+0x40190bL connect
+0x401920L closesocket
+0x401935L select
+0x40194aL recv
+0x401ae0L SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+0x401af7L csrss
+0x401b48L %s "%s"
+0x401cbcL .com
+0x401ce9L .org
+0x401d13L .net
+0x401d39L .ru
+0x401d53L .in
+0x40208bL %X%X
+0x402184L Name
+0x402194L Description
+0x402204L Model
+0x402214L Size
+0x402259L SKU
+0x402269L Model
+0x40229bL %s-%s-%s-%s
+0x4022f0L \csrss.exe
+0x402360L \csrss.exe
+0x4023abL \csrss.exe
+0x402a23L \dmsnf.cfg
+0x402c2fL GET /index.php HTTP/1.1
+User-Agent: Mozilla/4.0 (compatible; MSIE 10.0; DSNF_%u=%s=)
+Connection: Keep-Alive
+Host: %s
+
+
+
+0x402cb9L <!-
+0x402df7L +++++++++++++++++++++++++++7ac103214023
+0x402e0eL --%s
+Content-Disposition: form-data; name="userfile[]"; filename="dmp"
+Content-Type: application/octet-stream
+
+
+
+0x402e2cL POST /indexu.php HTTP/1.1
+Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
+Accept-Language: en-US
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; DSNF_%u=%s=)
+Content-Type: multipart/form-data; boundary=%s
+Host: %s
+Content-Length: %u
+Connection: Keep-Alive
+Cache-Control: no-cache
+
+
+
+0x402f7bL 
+--%s--
+
+
+0x403018L <!-OK->
+0x40309cL LocalFree
+0x4030b1L GetCurrentProcessId
+0x4030c6L Module32First
+0x4030dbL GetTickCount
+0x4030f0L GetFileSize
+0x403105L WriteFile
+0x40311aL Process32First
+0x40312fL LoadLibraryA
+0x403144L DeleteFileA
+0x403159L GetWindowsDirectoryA
+0x40316eL OpenProcess
+0x403183L ReadProcessMemory
+0x403198L CreateProcessA
+0x4031adL CreateFileA
+0x4031c2L LocalAlloc
+0x4031d7L Process32Next
+0x4031ecL CloseHandle
+0x403201L CopyFileA
+0x403216L CreateToolhelp32Snapshot
+0x40322bL GetModuleHandleA
+0x403240L SetFilePointer
+0x403255L ReadFile
+0x40326aL VirtualQueryEx
+0x403292L #KHALMNPR.EXE#LBTWiz.exe#ati2evxx.exe#atiesrxx.exe#atieclxx.exe#TrueSuiteService.exe#TrueService.exe#ibmpmsvc.exe#RtHDVCpl.exe#tpfnf6r.exe#LVOSDSVC.exe#TPOSDSVC.exe#TPONSCR.exe#TpScrex.exe#TPHKSVC.exe#tpnumlkd.exe#tpnumlk.exe#ctfmon.exe#msiexec.exe#wdfmgr.exe#wscntfy.exe#SynTPHelper.exe#SynTPEnh.exe#smss.exe#csrss.exe#winlogon.exe#spoolsv.exe#taskmgr.exe#wininit.exe#nvvsvc.exe#btwdins.exe#GoogleUpdate.exe#lsass.exe#LogonUI.exe#hkcmd.exe#wuauclt.exe#igfxpers.exe#igfxsrvc.exe#igfxext.exe#jusched.exe#patch.exe#rthdcpl.exe#mobsync.exe#MsMpEng.exe#msseces.exe#sidebar.exe#internat.exe#WmiPrvSE.exe#SLsvc.exe#kadxmain.exe#SkyTel.exe#realsched.exe#reader_sl.exe#nvxdsync.exe#nvsvc32.exe#ntrtscan.exe#ETDService.exe#HeciServer.exe#ETDCtrl.exe#ETDCtrlHelper.exe#
+0x40330bL VMware
+0x403332L audio
+0x403359L Apple
+0x403380L License
+0x4033a7L FontCache
+0x4033ceL Touch
+0x4033f5L icon
+0x40341cL torrent
+0x403443L Phone
+0x40346aL Tray
+0x403491L Icon
+0x4034b8L FlashPlayer
+0x4034dfL movie
+0x403506L vmware
+0x40352dL tray
+0x403554L video
+0x40357bL Torrent
+0x4035a2L sound
+0x4035c9L Skype
+0x403611L #
+0x403683L 32\Dwm.exe
+0x4036aaL 32\TpShocks.exe
+0x4036d1L \pwrmgrv\
+0x4036f8L \Audio
+0x40371fL \Video
+0x403746L \Movie
+0x40376dL Audio\
+0x403794L Video\
+0x4037bbL Movie\
+0x4037e2L \Apple
+0x403809L \iPod\
+0x403830L \DVD
+0x403857L \QuickTime\
+0x40387eL \Foxit Software\
+0x4038a5L \K-Lite C
+0x4038ccL Games\
+0x4038f3L Player\
+0x40391aL \Windows Defender\
+0x403941L \DAEMON Tools
+0x403968L \Synaptics\
+0x40398fL \Roxio\
+0x4039b6L \Adobe\
+0x4039ddL \Lenovo\
+0x403a00L \ThinkPad\
+0x403bbeL 
+
+=====[ 
+0x403be4L  ]=( 
+0x403c0eL  )=====
+
+
+
+0x403d1dL advapi32.dll
+0x403d38L advapi32.dll
+0x403d4fL RegCloseKey
+0x403d64L RegSetValueExA
+0x403d79L LookupPrivilegeValueA
+0x403d8eL RegCreateKeyExA
+0x403da3L OpenProcessToken
+0x403db8L AdjustTokenPrivileges
+0x403dfcL kernel32.dll
+0x403e11L GetProcAddress
+0x403e2cL CreateThread
+0x403e87L \dmp.tmp
+0x403ea7L SeDebugPrivilege
+0x401db7L ROOT\CIMV2
+0x401e47L WQL
+0x402174L SELECT * FROM Win32_Processor
+0x4021c9L SELECT * FROM Win32_ComputerSystemProduct
+0x4021f4L SELECT * FROM Win32_DiskDrive
+0x402249L SELECT * FROM Win32_BaseBoard
--- a/2019/2019.03.13.DMSniff_POS_Malware/DMSniff_iocs_March2019.txt
+++ b/2019/2019.03.13.DMSniff_POS_Malware/DMSniff_iocs_March2019.txt
@ -0,0 +1,54 @@
+#Domains
+albdfhln.com
+snbhdfln.com
+enbdfhln.com
+ksbfdlch.com
+kobdflnh.com
+alcgkown.com
+encgkown.com
+ksckgweo.com
+sndvjpqt.com
+sneomuwn.com
+rxemuown.com
+alfpmrnq.org
+algspvqt.org
+alhvrytw.org
+aliyuown.org
+koiyuwno.org
+aljnwpyo.org
+alkpmrnq.net
+snkrpmnq.net
+enkpmrnq.net
+allqntpr.net
+kolqnprt.net
+almspvqt.net
+alntqwrv.net
+alovrytw.net
+alvpnsor.in
+alwqntpr.in
+almspvru.net
+enmspvru.net
+alovsmtx.net
+
+#IPs
+169.239.128.110
+95.213.246.242
+190.115.18.241
+185.144.83.85
+209.99.40.222
+5.45.86.234
+208.91.197.91
+37.1.202.157
+208.100.26.251
+185.82.203.225
+54.37.205.28
+146.185.239.17
+
+#Samples:
+b8ec727d4f97edaaa8ddeeac3673a1aed94ee95aacde5f93e66fc0db30c3dec8
+770113543f9c189d306ea2984482ee445c9c4723a6e415cf7614b0a448f38b66
+f33aaa2360e89fc9015cb14d9441b87f169a5ca0451aa9d9adfd440946212668
+
+#Rules:
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FlashPoint DMSniff UserAgent"; flow:established,to_server; content:"DSNF_"; http_user_agent; classtype:trojan-activity; sid:9000030; rev:1; metadata:author Jason Reaves;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FlashPoint DMSniff Checkin Response"; flow:established,to_client; content:"200"; http_stat_code; content:"<title>Error</title>"; content:"<!-"; within: 20; content:"->This Account Has Been Suspended"; http_server_body; classtype:trojan-activity; sid:9000031; rev:1; metadata:author Jason Reaves;)
--- a/README.md
+++ b/README.md
@ -24,6 +24,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
 * [MITRE Att&CK: Group](https://attack.mitre.org/groups/)

 ## 2019
+* Mar 13 - [[FlashPoint] ‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses](https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/) | [Local](../../blob/master/2019/2019.03.13.DMSniff_POS_Malware)
 * Mar 13 - [[CheckPoint] Operation Sheep: Pilfer-Analytics SDK in Action](https://research.checkpoint.com/operation-sheep-pilfer-analytics-sdk-in-action/) | [Local](../../blob/master/2019/2019.03.13.Operation_Sheep)
 * Mar 12 - [[Pala Alto Network] Operation Comando: How to Run a Cheap and Effective Credit Card Business](https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/) | [Local](../../blob/master/2019/2019.03.12.Operation_Comando)
 * Mar 11 - [[ESET] Gaming industry still in the scope of attackers in Asia](https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/) | [Local](../../blob/master/2019/2019.03.11.Gaming-Industry.Asia)