{
	"id": "e64588ba-47ff-4c7f-a80e-f879ac8fb694",
	"created_at": "2026-04-06T00:08:23.639646Z",
	"updated_at": "2026-04-10T03:36:36.84308Z",
	"deleted_at": null,
	"sha1_hash": "190037019c3f05807381f8e85f0f24b2ad02fc5d",
	"title": "An Odd Relationship – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 182295,
	"plain_text": "An Odd Relationship – One Night in Norfolk\r\nPublished: 2020-11-02 · Archived: 2026-04-05 16:29:20 UTC\r\nRecently, I came across a VISA bulletin regarding point-of-sale malware being used against merchant targets. In Incident #1 in this VISA report, VISA described a deployment technique for TinyPOS that seemed oddly similar to the ProLocker ransomware installation workflow described by Group-IB, although I initially dismissed this as a coincidence.\r\nAfter spending time mapping out code-level relationships and VirusTotal submitter relationships (initially with the intent of identifying an entry vector), there is evidence to suggest that this is not pure chance. In short, one of the following is likely true:\r\n1. ProLocker and TinyPOS are written by the same author, who also provides a deployment mechanism;\r\n2. ProLocker and TinyPOS are written, deployed, and used by the same threat actor; or\r\n3. The ProLocker adversary obtained or modified the TinyPOS source code and also operates in the carding space.\r\nOf these, the second seems the most likely. In addition to distinct code-level relationships shared across several tools from both threat actors (and apparently no other threat actors) and the very similar delivery mechanisms, both ProLocker attacks and TinyPOS attacks appear to be low-volume enough that it is plausible a single small to medium-sized group is operating them, rather than two distinct entities. This would parallel assessments that other threat groups who traditionally operated in the carding and banking spaces have also switched to ransomware attacks, including FIN6 and TA505.\r\nThe remainder of this post primarily walks through the analytic workflow that led to these assessments (as opposed to a traditional intelligence-style condensed publication of the key facts) so that others may properly evaluate the methodology and findings.\r\n———————————————————————————–\r\nI. Identifying More Files\r\nTinyPOS Installation Workflow\r\nIncident #1 in the VISA report contains two sets of indicators of compromise (IOCs), including filenames and hashes, which describe the following installation workflow:\r\n1. A .bat file executes a PowerShell script\r\n2. This PowerShell script reads data “hidden” inside an image file\r\n3. This data is loaded and run in memory as shellcode\r\n4. The shellcode decodes itself into the TinyPOS malware\r\nThere are a few items worth noting here. First, VISA provided two examples of such image files from two observed installation workflows, one of which is located in the “c:\\temp\\” directory and the other in the “c:\\journal\\” directory.\r\nhttps://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/\r\nPage 1 of 7\r\nThe second item worth noting is that the shellcode is simply “appended” to the image file rather than obscured through a more complex steganography method. These characteristics will be important for the ProLocker comparisons.\r\nThe files for the hashes provided are not on VirusTotal, and VISA offers limited additional details regarding these files; however, a report from Carbon Black describes the exact same files and provides more information, including code snippets for a decoded version of the PowerShell loader and the shellcode.\r\nObtaining a Copy of The Shellcode\r\nAt this point, there is actually enough information to identify a copy of the shellcode on VirusTotal. Figure 4 in Carbon Black’s report highlights the start of the shellcode – by taking some of these bytes and running a VirusTotal content search (e.g. content:”{48 31 Db 48 C7 C0 A3 A1 A8}”), a single result for a file named “t.bin” appears:\r\nMD5: f1efe5959ac5f730e08fb629143a78f9\r\nSHA1: 6544e7506163782ccb2e06348d3c9467d0513be9\r\nSHA256: 0be35b73262e67569e02950f5de9b94b7e0915dcd8ef4d8de66a6db600e41a18\r\nDebugged, this file contains a decoding routine at the start that unpacks the rest of the shellcode, resulting in the TinyPOS sample identical to the one described by VISA and Carbon Black:\r\nDecoded/Unpacked shellcode matching Carbon Black report\r\nWith a confirmed copy of this shellcode in hand, there are two additional pivoting vectors. First, there is a pivoting opportunity using the decoded segments of TinyPOS. Taking a set of opcodes, a content search (content:”{41 ff 57 38 48 83 C4 20 49 89 87 00 02}”) yielded two additional hashes:\r\nMD5: a88107d4723ee6e6b33eca655c68a562 (sql.exe)\r\nMD5: 57acabff815119ac5c391adbf8133c4a (sqlsrv.exe)\r\nEach of these is an additional TinyPOS sample, but in executable form. Further pivoting from one of these submitters led to a TinyLoader sample, uploaded alongside the TinyPOS sample, communicating with known infrastructure from this threat actor, but this became a dead end for further meaningful research.\r\nOn the other hand, pivoting using a different part of the initial decoding function yielded far more interesting results: 24 hashes, all of which (with the exception of a single unclassified file) are ProLocker ransomware components or appear to be TinyPOS-related files.\r\nThe next section examines these files.\r\nII. ProLocker and TinyPOS Relationship\r\nThe following hashes were identified and classified by pivoting with a VirusTotal content search using opcodes from the decoding algorithm:\r\nHash | Filename | Description\r\nF1EFE5959AC5F730E08FB629143A78F9 | t.bin | TinyPOS (previously identified)\r\n5FC14B914B9A7DC2D546BC33E4B80584 | ccv_server.txt | TinyPOS payload\r\n417F35F30BCB474340CDB3F50491C1B0 | readme_shellcode.exe | TinyPOS behavior\r\n74D5D09F513FD5EBEE1EFF50495AC2D8 | SQLSRV.EXE | TinyPOS behavior\r\nE9C27A9F2A221527E03C36917DC36CB9 | SQLSRV.EXE | TinyPOS behavior\r\n2A673709121D05BC57863002F8C62C51 | PPD8535CAAEC677E9FAF.exe | ProLocker\r\n16A29314E8563135B18668036A6F63C8 | – | ProLocker\r\nF3634A3B184B68A10C7A4849D378171A | 7ZSfxMod | ProLocker\r\n404EF54232F1817BA4258392815E1D22 | NAS.exe | ProLocker\r\nC182610DD437F90D0CC6CB0AC19CFDB7 | loytrohens.exe | ProLocker\r\nFE659D877AED2178EF084E3BF1E40254 | MCC1D3C303AEA0018852.exe | ProLocker\r\n02C01B59D0621815FC6A367FB1C7474E | LOCK.exe | ProLocker\r\nAE3AAB90F69A05B131BD76ABE8A5A988 | MCC1D3C303AEA0018852.exe | ProLocker\r\n3355ACE345E98406BDB331CCAD568386 | NAS_0.exe | ProLocker\r\n90CD7B4A952A6C929BD006F74125FB8C | – | ProLocker\r\nB0EEEC6DCA9F208C3E2B43EBF26D80BA | lock.exe | ProLocker\r\n7AD4AFD690A1C69356BB3D0C8AD0947B | WRFF965C1.jpeg | ProLocker code\r\nC579341F86F7E962719C7113943BB6E4 | Winmgr.bmp | ProLocker code\r\nB77EAE27DB59E660F972FAB37708807F | ___8A67B05B.dib_ | ProLocker code\r\n34525178FB98B59E9BD98DF1ABE58C28 | MCC1-D3C3-03AE-A001-8852.db | ProLocker code\r\nBC469BF7946B9153D6270551F554B839 | 2B9E5820.db | ProLocker code\r\n34F8DC1C8A0B49627B118C21E7C3B047 | readme | ProLocker code\r\nEA6E664A4EADE0428E6CD10028C9F3A7 | readme | File containing code with TinyPOS behavior\r\nD28AD0CC48005A09A04BA1D95275EE9A | – | Unknown\r\nThese files paint an important picture: the only files on VirusTotal with these opcode patterns belong to one of these two families. There are slight differences, including a different decoding key across files and an added instruction, but the core decoding mechanism and the “noop” buffer are identical.\r\nThese files also share another interesting property: when using a list to check processes, both malware families use a list consisting of partial process names that are six characters long. For example, the t.bin TinyPOS sample has a target list for “ccs.ex”, “ops.ex”, and “zioskp”. The first two may be related to Oracle point-of-sale components, and the latter to a Ziosk product. ProLocker uses the exact same type of process list, albeit with a different purpose (closing processes that might interfere with document and database information).\r\nWhile compelling, these characteristics alone would be insufficient to strongly assess a common operator (rather than simply a common author). However, there are additional factors to consider. The staging locations appear to be relatively consistent across these files. The TinyPOS shellcode files appear to be staged in subdirectories of the C:\\ root drive, such as “c:\\journal\\”, “c:\\temp\\”, and (per a reddit post) “c:\\Windows\\”. For the ProLocker files, the observed files were all in “c:\\ProgramData”.\r\nThe table above provides one small piece of additional evidence that the same operating group is responsible: the presence of uploaded files named “readme”, each leading to a different malware payload. This, along with the fact that these deployment techniques emerged in close temporal proximity, lends more evidence to the “common operator” theory, although there are still limitations regarding how far this assessment can go.\r\nThis blog also notes that not every TinyPOS sample is identical in code and configuration. Specifically, the t.bin sample analyzed that matches the Carbon Black/VISA reports and the ccv_server.txt file described in a reddit post appear to target specific processes, with evidence from the latter source suggesting these may be specific to the target environments. Other samples analyzed in the “pivoting” section tagged as “TinyPOS behavior” contain a process blacklist rather than a process target list. This is noted primarily for the sake of technical accuracy and completeness, although these characteristics may be explored in a future post.\r\nIII. Conclusion\r\nBased on the observed commonalities surrounding these two malware families and how they are used, it seems likely that there is some relationship between them. Originally, this research began as an effort to identify threat actor C2 infrastructure related to the incidents described by VISA’s report; unfortunately, that type of infrastructure is precisely what is still needed to more definitively solve this puzzle.\r\nIf evidence emerged that a ProLocker attack and a TinyPOS attack each relied on the same infrastructure, this would suggest a workflow in which a threat actor group gains access to a network, triages it, and then chooses the type of attack it wishes to launch. This, in turn, would be consistent with other threat actor groups that operate in this space.\r\nSource: https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/"
	],
	"report_names": [
		"tinypos-and-prolocker-an-odd-relationship"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/190037019c3f05807381f8e85f0f24b2ad02fc5d.pdf",
		"text": "https://archive.orkl.eu/190037019c3f05807381f8e85f0f24b2ad02fc5d.txt",
		"img": "https://archive.orkl.eu/190037019c3f05807381f8e85f0f24b2ad02fc5d.jpg"
	}
}