
Published on August 6th, 2017

ScanPOS malware delivered by Kronos Banking Trojan – Quick Code Analysis




Here I show you the disassembly of point-of-sale malware known as ScanPOS. According to Proofpoint, this was delivered by the Kronos Banking Trojan back in 2016.

The malware iterates the running processes on the machine, skips over some hardcoded processes that it's not interested in, but then scans the contents of memory of the other processes to sniff out and exfiltrate credit card data back to a hard-coded C2. Pretty neat.

This video should serve as a demo of how to quickly approach code analysis: looking at the Import Address Table for clues on where to start, and using IDA to navigate through a binary.
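Seen from the detection side, the process-by-process memory scanning described above shows up as one process opening many others with memory-read access. The added example below (not from the video or the Proofpoint article) counts that fan-out over constructed records that use Sysmon Event ID 10 field names; the file paths, the threshold and the allowlist entry are assumptions.

```python
from collections import defaultdict

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
THRESHOLD = 3             # assumed cut-off for this tiny sample; tune to your baseline

# Constructed records using Sysmon Event ID 10 (ProcessAccess) field names.
SAMPLE_EVENTS = r"""
SourceImage=C:\Temp\sample.exe|TargetImage=C:\POS\register.exe|GrantedAccess=0x1010
SourceImage=C:\Temp\sample.exe|TargetImage=C:\POS\payment.exe|GrantedAccess=0x1010
SourceImage=C:\Temp\sample.exe|TargetImage=C:\POS\register.exe|GrantedAccess=0x1010
SourceImage=C:\Temp\sample.exe|TargetImage=C:\Apps\browser.exe|GrantedAccess=0x1010
SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\POS\register.exe|GrantedAccess=0x1000
SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\POS\payment.exe|GrantedAccess=0x1000
SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Apps\browser.exe|GrantedAccess=0x1000
SourceImage=C:\AV\scanner.exe|TargetImage=C:\POS\register.exe|GrantedAccess=0x1410
SourceImage=C:\AV\scanner.exe|TargetImage=C:\POS\payment.exe|GrantedAccess=0x1410
SourceImage=C:\AV\scanner.exe|TargetImage=C:\Apps\browser.exe|GrantedAccess=0x1410
""".strip().splitlines()

def parse(line):
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def memory_read_fanout(lines, allowlist=()):
    """Map each source image to the distinct processes it opened with PROCESS_VM_READ."""
    allow = {path.lower() for path in allowlist}
    targets = defaultdict(set)
    for line in lines:
        ev = parse(line)
        src, dst = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        access = int(ev["GrantedAccess"], 16)
        # Query-only handles (no VM_READ bit) cannot read memory and are ignored.
        if access & PROCESS_VM_READ and src != dst and src not in allow:
            targets[src].add(dst)
    return targets

def suspects(lines, threshold=THRESHOLD, allowlist=()):
    """Return source images that read memory of at least `threshold` distinct processes."""
    fanout = memory_read_fanout(lines, allowlist)
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= threshold)

if __name__ == "__main__":
    print(suspects(SAMPLE_EVENTS, allowlist=[r"C:\AV\scanner.exe"]))
```

Security products legitimately read other processes' memory, which is why the constructed scanner entry is only suppressed once it is allowlisted.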





Link to the article: https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware
MD5 of the ScanPOS sample: 6fcc13563aad936c7d0f3165351cb453

