# What is Multigrain? Learn what makes this PoS malware different.

**[pandasecurity.com/mediacenter/malware/multigrain-malware-pos/](https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/)**

August 4, 2016

**Multigrain is a Point of Sale (PoS) malware that specializes in stealing credit and debit**
card information while using RAM-Scraping techniques (it directly accesses the RAM
memory from certain processes to obtain the information from the cards). This has become a
popular method as international laws prohibit this information from being stored on the disk
(not even temporarily).

Another characteristic of Multigrain is that it uses DNS petitions in order to communicate with
the outside (and so it can send the stolen information). In this article we will analyze the
malware itself as well as the way the malware communicates.

In April of this year, FireEye [published an analysis of this malware and it looks like this is the](https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html)
first time they found a variant of Multigrain. In this article, the analysis pertains to a sample
that we detected in November 2015 (MD5 A0973ADAF99975C1EB12CC1E333D302F), and
since then we have been able to detect new variants or updates of this malware, but
essentially they work in the same way.


-----

### Multigrain in detail: a technical analysis

We first started analyzing Multigrain because the analyzed code showed RAM-Scraping
characteristics that are typical in PoS malware. We can clearly assess this in the 00405A10
routine shown below.

Within this
routine we
find
ourselves
with the
typical calls
from a
process that
performs
RAMScraping on
the memory
of running
processes:

**CreateToolhelp32Snapshot to get a pointer of the process list**

**Process32FirstW and Process32NextW to get a snapshot of the process list after calling**
the previous API.

**OpenProcess is used afterwards to get a list of memory pages with VirtualQueryEx.**


-----

Finally, with ReadProcessMemory, you are able to read the content from the previous
pages.

Once the buffer is obtained using the content from each page, it will perform the
appropriately-named scraping. To do so it uses (in this same routine) the second
pseudocode:

If possible TRACKS1/2 sequences are detected, corresponding with the code from the credit
card magnetic strip in the buffers from the analyzed memory, it will proceed to call the
functions sub_406100 and sub_405D10. The malware is now ready to prepare the data so it
can be exfiltrated later.

This PoS malware is only interested in two processes, respectively named “spcwin.exe” and
“brain.exe”; if neither of them are detected, “scraping” will not be performed.


-----

### Data Exfiltration

The exfiltration performs during DNS petitions (UDP, port 53) from the routine 00402C40, as
shown in the following pseudocode:

Apparently, the information leaked by DNS is performed in three different points (two
routines) from the program:


-----

In the first
routine
(address
00401DA0),
it uses the
“install.”
subdomain
for the
exfiltrated
information.
In the
second
routine (address 00402580) it uses the “log.” subdomain for the exfiltrated information.

In these exfiltration routines, we find different references to the functions that code the
information using “base32”. This is due to the fact that in order to exfiltrate the bank card
information, it is first encoded using “base32” and it later performs DNS requests with the
format: install.<base32_CCs>.domain

### Network Information

Apparently, the domain for the sample is: dojfgj.com

Whois Information:

Domain Name: DOJFGJ.COM

Registry Domain ID: 1979271903_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.enom.com

Registrar URL: www.enom.com

Updated Date: 2015-11-13T07:16:58.00Z

Creation Date: 2015-11-13T15:16:00.00Z

Registrar Registration Expiration Date: 2016-11-13T15:16:00.00Z

Registrar: ENOM, INC.

Registrar IANA ID: 48

Reseller: NAMECHEAP.COM

Domain Status: ok https://www.icann.org/epp#ok


-----

Registry Registrant ID:

Registrant Name: WHOISGUARD PROTECTED

Registrant Organization: WHOISGUARD, INC.

Registrant Street: P.O. BOX 0823-03411

Registrant City: PANAMA

Registrant State/Province: PANAMA

Registrant Postal Code: 00000

Registrant Country: PA

Registrant Phone: +507.8365503

Registrant Phone Ext:

Registrant Fax: +51.17057182

Registrant Fax Ext:

Registrant Email:
CC7F8D40E4FA4188AE5EA89A35925E6B.PROTECT@WHOISGUARD.COM

Registry Admin ID:

Admin Name: WHOISGUARD PROTECTED

Admin Organization: WHOISGUARD, INC.

Admin Street: P.O. BOX 0823-03411

Admin City: PANAMA

Admin State/Province: PANAMA

Admin Postal Code: 00000

Admin Country: PA

Admin Phone: +507.8365503

Admin Phone Ext:

Admin Fax: +51.17057182


-----

Admin Fax Ext:

Admin Email:
CC7F8D40E4FA4188AE5EA89A35925E6B.PROTECT@WHOISGUARD.COM

Registry Tech ID:

Tech Name: WHOISGUARD PROTECTED

Tech Organization: WHOISGUARD, INC.

Tech Street: P.O. BOX 0823-03411

Tech City: PANAMA

Tech State/Province: PANAMA

Tech Postal Code: 00000

Tech Country: PA

Tech Phone: +507.8365503

Tech Phone Ext:

Tech Fax: +51.17057182

Tech Fax Ext:

Tech Email: CC7F8D40E4FA4188AE5EA89A35925E6B.PROTECT@WHOISGUARD.COM

Name Server: NS1.DOJFGJ.COM

Name Server: NS2.DOJFGJ.COM

If we sort out this domain, we can see that it moves to the internal IP address “192.168.0.3”.
The domain is associated with two DNS servers, that in principle resolve eachother. To
obtain their actual addresses we should do a “whois”:

$ whois ns2.dojfgj.com

Server Name: NS1.DOJFGJ.COM

IP Address: 104.156.246.159

**A “traceroute” of this IP shows us its origin:**

$ traceroute 104.156.246.159


-----

traceroute to 104.156.246.159 (104.156.246.159), 30 hops max, 60 byte packets

1 104.131.0.253 (104.131.0.253) 0.423 ms 104.131.0.254 (104.131.0.254) 0.404 ms 0.437
ms

2 162.243.188.229 (162.243.188.229) 0.422 ms 0.394 ms 162.243.188.241
(162.243.188.241) 0.293 ms

3 xe-0-9-0-17.r08.nycmny01.us.bb.gin.ntt.net (129.250.204.113) 3.503 ms 4.078 ms 4.102
ms

4 ae-2.r25.nycmny01.us.bb.gin.ntt.net (129.250.3.97) 1.160 ms ae3.r25.nycmny01.us.bb.gin.ntt.net (129.250.6.208) 1.226 ms 1.171 ms

5 ae-9.r22.asbnva02.us.bb.gin.ntt.net (129.250.2.149) 6.985 ms 6.926 ms 7.013 ms

6 ae-0.r23.asbnva02.us.bb.gin.ntt.net (129.250.3.85) 6.952 ms 7.091 ms 7.057 ms

7 ae-1.r20.miamfl02.us.bb.gin.ntt.net (129.250.2.87) 42.672 ms 33.314 ms 33.257 ms

8 ae-1.r05.miamfl02.us.bb.gin.ntt.net (129.250.2.185) 35.530 ms 35.327 ms 38.280 ms

9 xe-0-6-0-0.r05.miamfl02.us.ce.gin.ntt.net (129.250.207.174) 32.063 ms 31.912 ms 31.755
ms

10 * * *

**11 104.156.246.159.vultr.com (104.156.246.159) 33.398 ms 31.757 ms 32.283 ms**

**As we can see, it corresponds to an ISP in Miami that manages a multitude of IP**
**addresses:**

NetRange:    104.156.244.0 – 104.156.247.255

CIDR:        104.156.244.0/22

NetName:    NET-104-156-244-0-22

NetHandle:   NET-104-156-244-0-1

Parent:       CHOOPA (NET-104-156-224-0-1)

NetType:     Reassigned

OriginAS:

Organization:  Vultr Holdings, LLC (VHL-57)


-----

### Persistence

To stay persistent in the system (Windows PoS) the analyzed malware installs itself
automatically as a service and chooses the name “Windows Module Extension”, as can be
seen in the following screenshot (routine 00406C20):

The attacker can perform exclusions at the time it registers itself as a service, now that it
already consulted the current region using “ipinfo.io” and depending on the response, the
system may or may not register as a service. This is especially useful if the attacker wants to
avoid attacking PoS systems in certain countries, for example.

The malware accepts “i” as parameter (from “install”), and in that case it will install the
“scraping” process and send the stolen information.

If this parameter is not specified (“i”), in the case it doesn’t find the “spcwin.exe” or
“brain.exe” processes running, it will not install the service, and additionally the malware will
be automatically eliminated. Both processes pertain to PoS software.


-----

**[Panda Security](https://www.pandasecurity.com/en/mediacenter/author/panda-security/)**

Panda Security specializes in the development of endpoint security products and is part of
the WatchGuard portfolio of IT security solutions. Initially focused on the development of
antivirus software, the company has since expanded its line of business to advanced cybersecurity services with technology for preventing cyber-crime.

### You May also Like


-----

[View Post](https://www.pandasecurity.com/en/mediacenter/panda-security/panda-security-rewards-beta-tester-year-e600/)

2

**[Panda Security rewards Beta Tester of the Year with up to €600](https://www.pandasecurity.com/en/mediacenter/panda-security/panda-security-rewards-beta-tester-year-e600/)**

**[Spamta/Stration/Warezov strike back](https://www.pandasecurity.com/en/mediacenter/malware/spamtastrationwarezov-strike-back/)**

**[…more and more Rogue Antivirus](https://www.pandasecurity.com/en/mediacenter/malware/more-and-more-rogue-antivirus/)**

**[Distributing malware through Facebook](https://www.pandasecurity.com/en/mediacenter/malware/distributing-malware-through-facebook/)**

## Leave a Reply

Your email address will not be published. Required fields are marked *





-----