win.grateful_pos

Grateful POS

aka: FrameworkPOS, SCRAPMINT, trinity

Actor(s): Skeleton Spider, FIN6


POS malware targets the systems that drive physical point-of-sale devices. It works by scanning process memory for data that matches the layout of Track 1 and Track 2 magnetic-stripe data: the account number, the expiration date and the other fields encoded on the card's stripe. Once a card is swiped, the primary account number (PAN) and the accompanying track data sit unencrypted in the point-of-sale system's memory while the software decides where to route them for authorization; that window is what a memory scraper exploits.
Masquerading as LogMeIn software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with a low detection ratio, judging by some of the earliest detections shown on VirusTotal; the first sample was uploaded in November 2017. The malware also appears to be related to FrameworkPOS, which has been linked to several high-profile merchant breaches.

References

2021-01-01 | Secureworks | SecureWorks
  Threat Profile: GOLD FRANKLIN
  Mentions: Grateful POS, Meterpreter, MimiKatz, RemCom, FIN6

2020-03-03 | PWC UK | PWC UK
  Cyber Threats 2019: A Year in Retrospect
  Mentions: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2020-02-19 | FireEye | FireEye
  M-Trends 2020
  Mentions: Cobalt Strike, Grateful POS, LockerGoga, QakBot, TrickBot

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
  APT Report 2019
  Mentions: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2019-12-23 | Norfolk
  POS Malware Used at Fuel Pumps
  Mentions: Grateful POS

2019-12-01 | VISA | Visa Security Alert
  Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants
  Mentions: Grateful POS

2019-05-01 | Red Canary | Tony Lambert
  FrameworkPOS and the adequate persistent threat
  Mentions: Grateful POS

2017-12-13 | Vitali Kremez Blog | Vitali Kremez
  Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth
  Mentions: Grateful POS

2017-12-08 | RSA | Kent Beckman
  GratefulPOS credit card stealing malware - just in time for the shopping season
  Mentions: Grateful POS

2016-04-01 | FireEye | FireEye
  Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6
  Mentions: Grateful POS, FIN6
Yara Rules
[TLP:WHITE] win_grateful_pos_auto (20230808 | Detects win.grateful_pos.)
rule win_grateful_pos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.grateful_pos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb07 b8fcffffff eb02 33c0 }
            // n = 4, score = 600
            //   eb07                 | jmp                 9
            //   b8fcffffff           | mov                 eax, 0xfffffffc
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 7407 b8f6ffffff eb02 33c0 }
            // n = 4, score = 600
            //   7407                 | je                  9
            //   b8f6ffffff           | mov                 eax, 0xfffffff6
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { e8???????? 99 b980ee3600 f7f9 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b980ee3600           | mov                 ecx, 0x36ee80
            //   f7f9                 | idiv                ecx

        $sequence_3 = { 7411 e8???????? e8???????? 33c0 e9???????? }
            // n = 5, score = 600
            //   7411                 | je                  0x13
            //   e8????????           |                     
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_4 = { e8???????? 83f801 7510 e8???????? e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   83f801               | cmp                 eax, 1
            //   7510                 | jne                 0x12
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_5 = { eb1a b8fdffffff eb13 b8fcffffff }
            // n = 4, score = 600
            //   eb1a                 | jmp                 0x1c
            //   b8fdffffff           | mov                 eax, 0xfffffffd
            //   eb13                 | jmp                 0x15
            //   b8fcffffff           | mov                 eax, 0xfffffffc

        $sequence_6 = { 8bb5f4fffdff 03b5f8fffdff c1ee03 8b4508 8b7810 }
            // n = 5, score = 500
            //   8bb5f4fffdff         | mov                 esi, dword ptr [ebp - 0x2000c]
            //   03b5f8fffdff         | add                 esi, dword ptr [ebp - 0x20008]
            //   c1ee03               | shr                 esi, 3
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b7810               | mov                 edi, dword ptr [eax + 0x10]

        $sequence_7 = { 6810040000 ff15???????? 8985f4fbffff 83bdf4fbffff00 0f8488010000 8a0d???????? }
            // n = 6, score = 500
            //   6810040000           | push                0x410
            //   ff15????????         |                     
            //   8985f4fbffff         | mov                 dword ptr [ebp - 0x40c], eax
            //   83bdf4fbffff00       | cmp                 dword ptr [ebp - 0x40c], 0
            //   0f8488010000         | je                  0x18e
            //   8a0d????????         |                     

        $sequence_8 = { 83fa7b 750a 6a01 e8???????? }
            // n = 4, score = 500
            //   83fa7b               | cmp                 edx, 0x7b
            //   750a                 | jne                 0xc
            //   6a01                 | push                1
            //   e8????????           |                     

        $sequence_9 = { 8b4dfc 894110 8b550c 8b420c c1e803 50 }
            // n = 6, score = 500
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   894110               | mov                 dword ptr [ecx + 0x10], eax
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   c1e803               | shr                 eax, 3
            //   50                   | push                eax

        $sequence_10 = { c745fcffffffff 8d45f4 64a300000000 c3 6a03 e8???????? 59 }
            // n = 7, score = 500
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c3                   | ret                 
            //   6a03                 | push                3
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_11 = { 7c62 8b8df8fffdff 0fb6940dfefffdff 83fa3a 7d4f 8b85f8fffdff }
            // n = 6, score = 500
            //   7c62                 | jl                  0x64
            //   8b8df8fffdff         | mov                 ecx, dword ptr [ebp - 0x20008]
            //   0fb6940dfefffdff     | movzx               edx, byte ptr [ebp + ecx - 0x20002]
            //   83fa3a               | cmp                 edx, 0x3a
            //   7d4f                 | jge                 0x51
            //   8b85f8fffdff         | mov                 eax, dword ptr [ebp - 0x20008]

        $sequence_12 = { 6bc02a 05???????? 50 e8???????? 83c40c 85c0 7509 }
            // n = 7, score = 500
            //   6bc02a               | imul                eax, eax, 0x2a
            //   05????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7509                 | jne                 0xb

        $sequence_13 = { 85c0 0f84b2000000 6a03 68???????? 8b8de0fbffff 83e90e }
            // n = 6, score = 500
            //   85c0                 | test                eax, eax
            //   0f84b2000000         | je                  0xb8
            //   6a03                 | push                3
            //   68????????           |                     
            //   8b8de0fbffff         | mov                 ecx, dword ptr [ebp - 0x420]
            //   83e90e               | sub                 ecx, 0xe

        $sequence_14 = { 8884248e010000 b801000000 486bc03f 488d0d79e50100 0fbe0401 83f04d 8884248f010000 }
            // n = 7, score = 200
            // (64-bit code: the 0x48/0x4c bytes are REX prefixes, decoded below as such)
            //   8884248e010000       | mov                 byte ptr [rsp + 0x18e], al
            //   b801000000           | mov                 eax, 1
            //   486bc03f             | imul                rax, rax, 0x3f
            //   488d0d79e50100       | lea                 rcx, [rip + 0x1e579]
            //   0fbe0401             | movsx               eax, byte ptr [rcx + rax]
            //   83f04d               | xor                 eax, 0x4d
            //   8884248f010000       | mov                 byte ptr [rsp + 0x18f], al

        $sequence_15 = { 488bcd 418bd7 e8???????? 33c9 85c0 0f85bb010000 4c8d35ee481900 }
            // n = 7, score = 200
            // (64-bit code: the 0x48/0x41/0x4c bytes are REX prefixes, decoded below as such)
            //   488bcd               | mov                 rcx, rbp
            //   418bd7               | mov                 edx, r15d
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   85c0                 | test                eax, eax
            //   0f85bb010000         | jne                 0x1c1
            //   4c8d35ee481900       | lea                 r14, [rip + 0x1948ee]

    condition:
        7 of them and filesize < 3964928
}