{
	"id": "b09fdd13-9829-4c2f-ae1f-32d3efc03215",
	"created_at": "2026-04-10T03:20:39.229284Z",
	"updated_at": "2026-04-10T03:22:18.127051Z",
	"deleted_at": null,
	"sha1_hash": "dd0e542bbe25d1d96a7c289d8221924b5735cc0e",
	"title": "securitykitten.github.io/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md at master · malware-kitten/securitykitten.github.io",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169971,
	"plain_text": "securitykitten.github.io/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md at master · malware-kitten/securitykitten.github.io\r\nBy Nick Hoffman\r\nArchived: 2026-04-10 02:43:03 UTC\r\nlayout category-post\r\ntitle Getmypass Point of Sale Malware Update\r\nexcerpt Now featuring small improvements!\r\ndate 2015-01-08 11:38:48 -0500\r\nIntroduction\r\nI previously wrote about a new piece of malware called \"getmypass\" that was scoring 0/55 on VirusTotal. The malware carried a valid digital signature and was able to successfully dump magnetic-stripe track data from the memory of a given process.\r\nAt CBTS, one thing that I frequently do is track malware families and try to trace them back to their infancy. It was interesting to me that another copy of this malware has now been uncovered, and it has seen a small update. Not only is the author still writing code for getmypass, but it is now being updated to enforce better opsec. Let's take a look.\r\nEncryption by Default\r\nThe first change in the malware is evident in the start function. In the older version of getmypass, it would look for the 1.ini file and check for the following options:\r\ntime\r\nproc\r\ncryp\r\nA screenshot of the old function:\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md\r\nPage 1 of 5\n\nIn the new function, there is no longer an option for cryp, and the malware is programmed to encrypt the results by default.\r\nThe RC4 key is unchanged and remains \"getmypass\".
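The following is an added example (not code from the original post or from the malware author): a dependency-free Ruby reimplementation of RC4 keyed with \"getmypass\", used to decrypt a rep.bin-style blob and then scan the plaintext for track 1 / track 2 structures, which is what a disk-scanning tool has to do once the output is encrypted by default. It assumes rep.bin is raw RC4 ciphertext with no header, as the post describes. The function names (rc4, decrypt_rep_bin, find_track_data, luhn_valid?) and the sample ciphertext are mine; the sample is constructed here by encrypting the post's test-card track data with the malware's key, and the track layouts are the standard ISO 7813 formats.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original post: stand-alone RC4 plus a
# track-data scanner for getmypass-style rep.bin output. The key below is
# the one hard-coded in the sample; SAMPLE_REP_BIN is CONSTRUCTED here.

# Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts.
def rc4(key, data)
  key_bytes = key.bytes
  s = (0..255).to_a
  j = 0
  256.times do |i|
    j = (j + s[i] + key_bytes[i % key_bytes.length]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  out = data.bytes.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end
  out.pack('C*')
end

GETMYPASS_KEY = 'getmypass'
CRLF = [13, 10].pack('C*')

# Decrypt a rep.bin blob: raw RC4 ciphertext, no header (assumption from the post).
def decrypt_rep_bin(ciphertext, key = GETMYPASS_KEY)
  rc4(key, ciphertext).force_encoding('BINARY')
end

# Track 1: %B<PAN>^<NAME>^<expiry YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<expiry YYMM><service code><discretionary>?
TRACK1_RE = /%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^?]*)\?/
TRACK2_RE = /;(\d{13,19})=(\d{4})(\d{3})([^?]*)\?/

# Luhn check on the PAN so that random digit runs are not reported as cards.
def luhn_valid?(pan)
  sum = pan.reverse.each_char.each_with_index.sum do |ch, idx|
    d = ch.to_i
    idx.odd? ? (d * 2 > 9 ? d * 2 - 9 : d * 2) : d
  end
  (sum % 10).zero?
end

# Returns one hash per track record found in the decrypted plaintext.
def find_track_data(plaintext)
  hits = []
  plaintext.scan(TRACK1_RE) do |pan, name, exp, svc, _disc|
    hits << { track: 1, pan: pan, name: name, expiry: exp,
              service_code: svc, luhn: luhn_valid?(pan) }
  end
  plaintext.scan(TRACK2_RE) do |pan, exp, svc, _disc|
    hits << { track: 2, pan: pan, expiry: exp,
              service_code: svc, luhn: luhn_valid?(pan) }
  end
  hits
end

# Constructed sample: the two records shown in the post, encrypted with the
# malware's key the way the sample would write them to rep.bin.
SAMPLE_PLAINTEXT = '%B4888603170607238^Head/Potato^050510100000000001203191805191000000?' + CRLF +
                   ';4888603170607238=05051011203191805191?' + CRLF
SAMPLE_REP_BIN = rc4(GETMYPASS_KEY, SAMPLE_PLAINTEXT)

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby getmypass_scan.rb [rep.bin]; with no argument the constructed sample is used.
  blob = ARGV[0] ? File.binread(ARGV[0]) : SAMPLE_REP_BIN
  find_track_data(decrypt_rep_bin(blob)).each { |h| puts h.inspect }
end
```

Pointing the script at a recovered rep.bin (or at one of the GetTickCount-named backups) prints each track record with its PAN, expiry and service code; the Luhn check is what separates real card data from the digit noise that a plain regex sweep of a disk image would otherwise report.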
The function passing the track data is seen below.\r\nThe resulting encrypted data is written to a file named rep.bin.\r\nWith a simple Ruby script (using the rc4 gem) we can validate this RC4 routine and decrypt the contents:\r\n{% highlight ruby %} {% raw %}\r\n#!/usr/bin/ruby1.9.1\r\nrequire 'rc4'\r\n\r\n# Read the encrypted output file written by the malware\r\nf = File.new(\"rep.bin\", 'rb')\r\ndecode = f.read()\r\nf.close\r\n\r\n# RC4 key hard-coded in the sample\r\nkey = \"getmypass\"\r\ndec = RC4.new(key)\r\nputs dec.decrypt(decode)\r\n{% endraw %} {% endhighlight %}\r\nAnd the decoded output:\r\n{% highlight bash %} {% raw %}\r\n$ ./rc4_decode.rb\r\n%B4888603170607238^Head/Potato^050510100000000001203191805191000000?\r\n;4888603170607238=05051011203191805191?\r\n{% endraw %} {% endhighlight %}\r\nSupport for Multiple Exfil Files\r\nOlder copies of getmypass would write to a single output file, rep.bin. If there were multiple runs, the file would be overwritten.\r\nThe newer version will instead move the existing rep.bin to a backup file whose name is marked with the return value of GetTickCount. Since GetTickCount returns milliseconds since boot, those names only order the backups relative to the host's uptime, not by wall-clock time.\r\nThe backed up file:\r\nConclusion\r\nEncryption by default will now also help this malware evade tools that scour hard drives looking for structures that resemble track data. The support for multiple backup files will also enable the operators to move quickly. With the older copy, the malware authors used to have to dump processes and then back up the results file. Now they can edit the configuration file on the fly and the results get stored into a secondary file.
Fewer clicks, less movement.\r\nWhile these aren't groundbreaking changes, it's small changes like these that add up to make the malware operators more efficient and successful.\r\nSource: https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md"
	],
	"report_names": [
		"2015-01-08-getmypass-point-of-sale-malware-update.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775791239,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd0e542bbe25d1d96a7c289d8221924b5735cc0e.pdf",
		"text": "https://archive.orkl.eu/dd0e542bbe25d1d96a7c289d8221924b5735cc0e.txt",
		"img": "https://archive.orkl.eu/dd0e542bbe25d1d96a7c289d8221924b5735cc0e.jpg"
	}
}