POS RAM Scraping malware samples

This is a set of POS RAM scraping malware samples, grouped by malware family. This set was used for the experiments in “Evolution and Characterization of Point-of-Sale RAM Scraping Malware”, Journal in Computer Virology and Hacking Techniques (paper available here).

I would also like to give special thanks to Xylitol for maintaining the Point-of-Sale malware / RAM scrapers subforum at KernelMode.info.

If you are interested in citing this set, please use the following (BibTeX format):

@article{R-CVHT-16,
author = {Ricardo J. Rodr\'{i}guez},
title = {{Evolution and Characterization of Point-of-Sale RAM Scraping Malware}},
journal = {Journal in Computer Virology and Hacking Techniques},
year = {2016},
pages = {1--26},
note = {Accepted for publication. To appear.},
abstract = {Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed in merchants' in-store systems, also known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing customer transactions, they are becoming a primary target for cybercriminals. These data, while they remain in memory, are scraped and exfiltrated by specially crafted malicious software named POS RAM scraping malware. In recent years, large data breaches that occurred in well-known US retail companies were caused by this kind of malware. In this paper, we study the features of these malware based on their behavior at different stages: infection and persistence, search for processes and data of interest, and exfiltration. Then, we classify samples of 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show that these malware are still immature and use well-defined behavioral patterns for data acquisition and exfiltration, which may make their malicious activity easily detectable by process and network monitoring tools.},
url = {http://webdiis.unizar.es/~ricardo/files/papers/R-CVHT-16.pdf}
}

Use the common password for malware sharing to decompress the archive. The set includes samples of the following malware families, each sample identified by its MD5 hash:

  • abbaddonPOS
  • alina
  • backoff
  • bernhardpos
  • blackpos
  • brutpos
  • decebal
  • dexter
  • fighterPOS
  • frameworkPOS
  • fysna
  • gamapos
  • getmypassPOS
  • jackpos
  • logpos
  • lusypos
  • malumPOS
  • nitlovePOS
  • punkey
  • rdasvr
  • soraya
  • vSkimmer