Collection of ATM Malware, GreenDispenser Samples

Here you can download the latest ATM Malware called GreenDispenser and other related to ATM malware. I will keep update on it. If you have more samples and and hash feel free to leave a comment. Thank you.

Full SHA-256 hash list

GreenDispenser

• 20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5
• 50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572
• 7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0
• 77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541
• b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f

Ploutos

• 0106757fac9d10a8e2a22dce5337f404bfa1c44d3cc0c53af3c7539888bc4025
• 0df8ac0440a151fac1f6957f7d181640590e1eb3e4c4cbd9968892e59f34f941
• 34acc4c0b61b5ce0b37c3589f97d1f23e6d84011a241e6f85683ee517ce786f1
• d99339d3dc6891cdd832754c5739640c62cd229c84e04e9e3cad743c6f66b1b9

Suceful

• c7cb44e0b075cbc90a7c280ef8f1c69e8fe06e7dabce054b61b10c3105eda1c4
• d33d69b454efba519bffd3ba63c99ffce058e3105745f8a7ae699f72db1e70eb

Tyupkin

• b670fe2d803705f811b5a0c9e69ccfec3a6c3a31cfd42a30d9e8902af7b9ed80
• 16166533c69f2f04110e8b8e9cc45ed2aeaf7850fa68845c64d92ff907dd44f0
• 6c59cd1e12bc1037031af48b934e9398fc85efb2a067d03b6a100dd8423e5d9b
• 8bb5c766de0a73dc0eff7c9fce086565b6220465185e258c21c5b9dfb0bef51d
• 639d2d926325275cb023014d0b446d03f1dcc8526bff1aa72373e27d78a6a674
• 853fb4e85d8b0ad7c156ad6d3fc4b0340c8b29fa0548a3df758e7845ba8b23ae
• 3639e8cc463922b427ea20dce8f237c0c0e82aa51d2502c48662e60fb405f677

NeoPocket

• 85652bbd0379d73395102edc299c892f21a4bba3378aa3b0aaea9b1130022bdd

Download From Google Drive:

• Click Here to Download (Password Protected Zip)
• Feel free to ask for the password (prefer email at alternator99 |at| gmail.com).

References:

• https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html
• https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser
• https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

 

Update:

• Add another 5 Tyupkin and 4 Ploutos samples. Thanks to n3r0 for the samples. 

Tweetdeck XSS Vulnerability Cause User Auto-Retweet

As I'm one of the Tweetdeck user, somebody has post new XSS on twitter causing thousand of user automatically retweet the XSS script message. This is only affected on TweetDeck on browser so far.

An example of post has been retweet.

An example of XSS message poping up. Once user click OK, it will retweet the post.

By the time this is happened, Tweetdeck server temporarily down for awhile for fixing and 40k of retweeted post has been done.

~ alternat0r

HeartBleed May 'Broken Your Heart' as Data Leaks

Recent OpenSSL bug called Heartbleed (CVE-2014-0160) causing million of website in trouble. Heartbleed test developed by Filippo Valsorda has been release as open source. I just give some play around with Heartbleed.

BTW, What is Heartbleed bug? Heartbleed bug is actually vulnerability on OpenSSL cryptography library that cause any user to read system memory (Affected on vulnerable version only).

Dalam bahasa Malaysianya, ia adalah kelemahan yang terdapat pada library kriptografi perisian OpenSSL yang membolehkan pengguna luar membaca sistem memori (terjejas pada versi tertentu sahaja).

As I giving test to several Malaysia website, most critical organisation website exposed to this vulnerability including government.

Filippo also provide a website for you to test your webserver and if it is vulnerable you will get message like image below:

Alternatively you can access to Malaysia honeynet heartbleed website to test your webserver:
http://heartbleed.honeynet.org.my/

Here some good advice how to protect yourself from heartbleed bug:
http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

References:
http://heartbleed.com/
https://github.com/FiloSottile/Heartbleed
http://filippo.io/Heartbleed
http://heartbleed.honeynet.org.my/
https://gist.github.com/harlo/10199638

~ alternat0r

Dendroidbot Quick Analysis

As I get the sample of Dendroid APK malware I decided to make quick analysis on it. Thanks to +Mila Parkour for the sample.

DB01F96D5E66D82F7EB61B85EB96EF6E
52A30B58257D338617A39643E2216D0C

The original sample is protected with Dexguard to give extra protection on its code as its will appeared to be obfuscated when decompiling.

The following permission can be used once it has been installed:

• directly call phone numbers
• read phone status and identity
• reroute outgoing calls
• edit your text messages (SMS or MMS)
• read your text messages (SMS or MMS)
• receive text messages (SMS)
• send SMS messages
• take pictures and videos
• record audio
• precise location (GPS and network-based)
• read call log
• read your contacts
• read your Web bookmarks and history
• modify or delete the contents of your SD card
• find accounts on the device
• full network access
• view network connections
• retrieve running apps
• prevent phone from sleeping
• modify system settings
• test access to protected storage

As we analyzed the java class, its also can determine if its running on emulator or not. There are many functionality that would be able to completely spy your phone as we going through its java classes.

initiate() load pre-defined configuration with base64 encoded.

Here from VirusTotal detection list:
https://www.virustotal.com/en/file/099a57328de9335c524f44514e225d50731c808145221affdd684d8b4dad5a1d/analysis/

Although, this sample is an earlier version of Dendroid. Some user might already found recent version of it bind with other application to make it seem legitimate apps.


~ alternat0r

Countdown to Windows XP End of Support

The end of Windows XP support will be on Saturday, 8 April 2014.

Countdown Clocks

http://windows.microsoft.com/en-US/windows/products/lifecycle

ApacheBench behind the Encoded VBE file

Recently I received a VBE file from a friend that looks suspicious with its encoded content and request to do quick analysis on it. So, I manage to play around with it and see what's inside.

The file name that I got is s64.vbe (0B826D9869B139B2C5BB139234C08D43) which is an encoded script file content. The size of this file is around 608,904 bytes. The content of the encoded file is shown below:

To decode this file I use scriptDecode.vbs from Jean-Luc Antoine. The output of the decoded file is a VBScript as shown in the picture below:

If we scroll to the bottom of the file we can see this is some kind of Windows binary file that is converted into ASCII format within VBS. The file svchost.exe is the file name use to save into the disk and run it.

Most of antivirus product is already detect this file as malicious:

https://malwr.com/analysis/YzkzNDUxOTlmOTQxNDAxYmEwNjdmNGI4MTk5YjBmYzI/share/1a8cbf4acb5944d1856d04d4e72b8ed7

https://www.virustotal.com/en/file/6b01071c7936d4a1ba1f53b5651db5f604dfe7f5aa3e4ed38d48f6ba66eebd5e/analysis/

The svchost.exe (333ABC2F9864B70F7EF48B049CBA9286) file is a program called ApacheBench command line utility. At first place, this program use to measure performance test of HTTP web servers. Although, the binary file that I got is not correctly run as it not responsive sometimes. It is possible to use this tool as DDOS attack.

~ alternat0r

Python - Basic VirusTotal Uploader

Just my little/quick note about submitting malware sample to VirusTotal.com. Be reminded that this python code is not handling an error properly. Just for quick reference.

import postfile
import sys, getopt

def main(argv):
 inputfile = sys.argv[1]
 host = "www.virustotal.com"
 mfile = inputfile
 selector = "https://www.virustotal.com/vtapi/v2/file/scan"
 fields = [("apikey", "YOUR PUBLIC API KEY")]
 file_to_send = open(mfile, "rb").read()
 files = [("file", mfile, file_to_send)]
 json = postfile.post_multipart(host, selector, fields, files)
 print json
 
if __name__ == "__main__":
 main(sys.argv[1:])

You can replace the 'YOUR PUBLIC API KEY' with your own key. Get it at VirusTotal.com.

~ alternat0r