Treasure Hunter Point-of-Sale Malware Analysis

Goal: Reverse Treasure Hunter Point-of-Sale (POS) malware
Source2dfddbc240cd6e320f69b172c1e3ce58
Config: GitHub

[*] MD5           : 2dfddbc240cd6e320f69b172c1e3ce58
[*] SHA-1        : e573a6fd61fd3928201d85dbffe5aefe21e49192
[*] SHA-256    : e70614382ad300bd8c1f2cedb3259212057c40433e22ffeee7292ae576c4eae2


[+] File Type: EXE
[+] Address of entry point      : 0x00005a82
[+] Image Base Address                     : 0x00400000
[+] Packer / Compiler: MS Visual C++ 8.0

————————————————————
Executable         \Windows\explorer.exe
Executable         \jucheck.exe
Web Page           logmeinrescue[.]us[.]com/system/oauth/gate[.]php
Library               ADVAPI32.dll
Library               KERNEL32.dll
Library               SHELL32.dll
Library               USER32.dll
Library               USERENV.dll
Library               WINHTTP.dll
Database            C:\work\treasureHunter\Release\treasureHunter.pdb

[+] Sections
            Name: .text     Virtual Address: 0x00001000 Size: 0x0000fcda        Entropy: 6.667572
            Name: .rdata  Virtual Address: 0x00011000 Size: 0x00005eb2        Entropy: 4.641277
            Name: .data    Virtual Address: 0x00017000 Size: 0x00002fe0        Entropy: 3.331543
            Name: .rsrc     Virtual Address: 0x0001a000 Size: 0x000001e0       Entropy: 4.710061
            Name: .reloc   Virtual Address: 0x0001b000 Size: 0x000012a4       Entropy: 6.678696

Treasure Hunter POS configuration

7200000._GATE_URL_PLACEHOLDER
3600000.SE_MINUTES_PLACEHOLDER
600000.USE_MINUTES_PLACEHOLDER
1SE_CLINGFISH_MODE_PLACEHOLDER
120000.SH_PAUSE_MINUTES_PLACEHOLDER
1800000.SE_AFTER_CLINGFISH_MINUTES_PLACEHOLDER
50.CKS_ARR_SIZE_PLACEHOLDER
fdsfsdfasfdasfad.CEHOLDER
[File stream]: ntuser.ini:..A78I88JP02S1..CJEPKS0CONN2..MKF82S32UFBS

Additional configuration data
\?.POST….Content-Type: 
application/x-www-formurlencoded..SOFTWARE\Microsoft\Windows NT\CurrentVersion..DigitalProductId..\\.\PhysicalDrive0..;.???ssuccessfully sent the dumps!..???SSeDebugPrivilege….Couldn’t get a snapshot of the memory processes!….couldn’t get a snapshot of the memory processes!..Clingfish mode activated!.SOFTWARE\Microsoft\Windows\CurrentVersion\Run…Error opening registry key for autostart in HKLM- not enough rights, trying to open in HKCU….Unknown error opening registry key for autostart..???k..Error creating registry key for autostart…Successfully created registry key for autostart.??????..Already running from the desired location…Successfully created the directory..Successfully copied the file..Failed to copy the file…Failed to create the directory, entering re-install (update) mode…Successfully deleted destination file…Failed to delete the destination file…Error – Treasure Hunter is already running on this computer! To re-install, close the jucheck[.]exe process and try again.An unknown error occured!.Cannot find %AppData%!..Failed to execute the file..Successfully executed thecfile….TreasureHunter version 0.1.1 Alpha, created by Jolly Roger (jollyroger@prv[.]name) for BearsInc. Greets to Xylitoland co…..Failed to delete original file, retrying..????????..Successfully deleted original file..Couldn’t get debug privileges.Successfully reached the gate.Failed to reach the gate…
Cryptographic functions:
offset   num  description [bits.endian.size] 
  000151e0 2415 Misty md5const [32.le.256]
  00015db2 2545 anti-debug: IsDebuggerPresent [..17]
  000172e8 2053 RIPEMD-128 InitState [32.le.16&]
API Logger
404ce2        CreateMutex(41ab9249dbb6472366a18be70e72cc72)   
4048ce        WaitForSingleObject(768,0)         
77f66aed     WaitForSingleObject(764,0)     
404a27        Copy(C:\Documents and Settings\Administrator\Desktop\treasure.exe->C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe) 
7c8283dc    WriteFile(h=75c)           
404824       RegSetValueExA (jucheck)
404b99       CreateProcessA(C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe,C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe 2fb216b58f88bebe8bec6e851f40904b373a574aa4d279d0a109a32efd84d3475b82b1e4fb1a37ac2250d1c1af226a677552901f268fa61bba0e4971,0,C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72)

Yara Signature
rule crime_win_treasurehunter_pos {
    meta:
        description = “Detects a TreasureHunter PoS variant
        author = “Vitali Kremez”
        date = “2016-07-08”
        hash = “e70614382ad300bd8c1f2cedb3259212057c40433e22ffeee7292ae576c4eae2”

    strings:
        $s0 = “Error – Treasure Hunter is already running on this computer! To re-install, close the jucheck.exe process and try again” fullword wide
        $s1 = “logmeinrescue.us.com/system/oauth/gate.php” fullword ascii
        $s2 = “C:\\work\\treasureHunter\\Release\\treasureHunter.pdb” fullword ascii
        $s3 = “Couldn’t get a snapshot of the memory processes!” fullword wide
        $s4 = “Error opening registry key for autostart in HKLM – not enough rights, trying to open in HKCU” fullword wide
        $s5 = “TreasureHunter version 0.1.1 Alpha, created by Jolly Roger (jollyroger@prv.name) for BearsInc. Greets to Xylitol and co.” fullword wide
        $s6 = “\\Windows\\explorer.exe” fullword ascii
        $s7 = “Failed to execute the file” fullword wide
        $s8 = “ssuccessfully sent the dumps!” fullword wide
        $s9 = “\\jucheck.exe” fullword ascii
        $s10 = “Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.3072” ascii
        $s11 = “Successfully executed the file” fullword wide
        $s12 = “GETKEYS” fullword ascii
    condition:
          uint16(0) == 0x5a4d and filesize < 295KB and 2 of ($s*)

Snort Ruleset

alert any $HOME_NET any -> any any (msg:” TreasureHunter POS Alert”; content: “logmeinrescue.us.com”; “/system/oauth/gate.php”; “pcre: “/.*(request=|\&use=|\&id=).*/”;  classtype: Trojan-activity)

Yara Signature (7/8/2018):
rule crime_win32_treasurehunter_pos {
meta:
description = “Detects generic unpacked TreasureHunter POS”
author = “@VK_Intel”
reference = “TreasureHunter POS”
date = “2018-07-08”
hash = “f4ba09a65d5e0a72677580646c670d739c323c3bca9f4ff29aa88f58057557ba”
strings:

$magic = { 4d 5a }

$s0 = “Error – Treasure Hunter is already running on this computer! To re-install, close the jucheck.exe process and try again” fullword wide
$s1 = “C:\\Users\\user\\Desktop\\trhutt34C\\cSources\\treasureHunter\\Release\\treasureHunter.pdb” fullword ascii
$s2 = “Couldn’t get a snapshot of the memory processes!” fullword wide
$s3 = “TreasureHunter version 0.1 Alpha, created by Jolly Roger (jollyroger@prv.name) for BearsInc. Greets to Xylitol and co.” fullword wide
$s4 = “Couldn’t get debug privileges” fullword wide
$s5 = “Failed to execute the file” fullword wide
$s6 = “ssuccessfully sent the dumps!” fullword wide
$s7 = “Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .” ascii
$s8 = “Successfully executed the file” fullword wide
$s9 = “Cannot find %AppData%!” fullword wide
$s10 = “\\Windows\\explorer.exe” fullword ascii
$s11 = “\\jucheck.exe” fullword ascii

condition:
$magic at 0 and filesize < 235KB and 9 of ($s*)

}

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica}

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s