Kawpfuni Backdoor: Malware Analysis

Source: Xylitol’s great analysis
Goal: Reverse this modular backdoor with the FindResource binary storage, process injection & military operation keywords.
=== IMPORTS ===

MODULE_NAME      HINT   ORD  FUNCTION_NAME
kernel32.dll        0        GetProcAddress
kernel32.dll        0        GetModuleHandleA
kernel32.dll        0        LoadLibraryA
user32.dll           0        wsprintfW
advapi32.dll        0        RegEnumValueA
shlwapi.dll         0        PathFileExistsA
oleaut32.dll        0        VariantChangeTypeEx
kernel32.dll        0        RaiseException

# StringTable 041204b0:

  FileDescription     :  “HncUpdate MFC 응용 프로그램”
  FileVersion         :  “1.0.0.1”
  InternalName        :  “HncUpdate.exe”
  LegalCopyright      :  “Copyright (C) 2003”
  OriginalFilename    :  “HncUpdate.exe”
  ProductName         :  “HncUpdate 응용 프로그램”
  ProductVersion      :  “1.0.0.1”

  VarFileInfo         :  [ 0x412, 0x4b0 ]

=== Packer / Compiler ===

  ASProtect 1.33 – 2.1 Registered (Alexey Solodovnikov)


Imported libraries and Windows API calls: 


Kernel32, LoadLibraryW, LoadLibraryA, SchedServiceMain kernel32.dll

Imported DLLs:

\samsvc.dll, \dllcache\schedsvc.dll, \schedsvc.dll, mfc80u.dll, c_0605.nls

Registry:

SOFTWARE\Microsoft\IE Config\Package
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Internet Settings

Instruction Debug strings: 

AdjustTokenPrivileges fAiled: %d
OpenProcessToken fAiled: %d
LookupPrivilegeVAlue fAiled: %d
SeDebugPrivilege

Injected targeted process: 

spoolsv.exe via mfc80u.dll

Self-delete cmd script via ud[.]bat:

echo off
:start
if not exist "%s" goto done
del "%s"
del /AH "%s"
goto start
:done
del c:\windows\system32\hncupdate.exe
del %%

Filesystem process:

FAT32, NTFS, FILE, $EFS, $I30, INDX


Extracted payload aka “BsDll[.]pdb” as DLL from Resource.

MD5:

636501DB299D5F63772205755D4AA10F


=== Packer / Compiler ===

  MS Visual C++ 7.0

===================

Name       VirtAddr   VirtSize   RawSize   MD5                               Entropy
——————————————————————————————————————————————————————————————————————
.text      0x1000     0x21e52    0x22000   c3930593c3c8ef81a07a4360d48e50a1  6.687287
.rdata     0x23000    0x41e4     0x5000    ad617b413e70f1e37ac6c6e5e39c7e73  5.054147
.data      0x28000    0x4b4c     0x3000    8059c57e286035979d292029c7752b0a  4.099338
.plugins   0x2d000    0xb34      0x1000    36234221ea257e7ca55b1a4622f4a4dc  0.485867  [SUSPICIOUS]
.rsrc      0x2e000    0x10       0x1000    620f0b67a91f7f74151bc5be745b7110  0.000000
.reloc     0x2f000    0x1d92     0x2000    e4167c88184fa8d240732352db5a23f9  5.141479

Imports:

[1] KERNEL32.dll
[2] USER32.dll
[3] ADVAPI32.dll
[4] SHLWAPI.dll
[5] WININET.dll
[6] urlmon.dll
[7] WS2_32.dll

PDB: 

g:\mail\pc-util\back\backdoor1\Release\BsDll[.]pdb


Military keywords:

army
Army
ARMY
Military
military
MILITARY
weapon
Weapon
WEAPON
battle
Battle
BATTLE
munition
missile
Missile
MISSILE
Aircraft
Figther
Resolve
resolve
Operation
operation
OPERATION
Air Force
AirForce
airforce
AF Portal
AFPortal
EMAIL
AIRFORCE
AIR FORCE
email
NIPR
nipr
SIPR
sipr
SNAP
KORCOM
CENTRIX
GCCS
KR/FE
SMIL
Intranet
intranet
RCIO
TNOSC
RIPR
COMSEC
PACCOM
USFK
PENTAGON
CJCS
cassifi
securet
CASSIFI
Cassifi
Certificat
CERTIFICAT
Pentagon
pentagon
usfk
RSOI
xfdl

 Self-delete batch script routine:

@echo off
:start
if not exist %WINDIR%\system32\ipv6ld.dll goto done
del %WINDIR%\system32\ipv6ld.dll
goto start
:done
del %0



Backdoor commands:



"Amazon Order Cancelled": Weight Loss Spam Campaign via Obfuscated JavaScript

Date: June 9, 2017
Source: Email Spam
From: “order-update@amazon[.]com”
Subject: Your order 12-2385-8791 has been successfully canceled
Here is the full spam chain:

  • First email href redirect
  • hxxp://hutforeverwest[.]com/spaniardizes[.]php

  • Obfuscated href JS redirect
  • hxxp://mind-brains[.]world/?a=401336&c=cpcdiet&s01062017

  • Third-layer PHP redirect
  • hxxp://mind-brains[.]world/us/xxrr/clanew-tmz?bhu=3cMnEa2X97RGXu9jwQsJegZiZHBadNzjjiV9

  • Final landing page
  • hxxps://cla-extract-portal[.]com/cla_list/cla_improved3/?click_id=06_41055726_71b340f6-3122-4a01-9fef-f945e4e6e8d7&subid1=313491&netid=3&ver=old&ad=1gPA


    II. Review the copied PHP page via the curl command:
    curl hxxp://hutforeverwest[.]com/spaniardizes[.]php

    III. The JavaScript function resolves to hxxp://mind-brains[.]world/?a=401336&c=cpcdiet&s01062017, viewed by simply printing it in an alert box on the screen via the alert() JavaScript function.

    IV. Encoded JavaScript href() redirect ->

    hxxp://mind-brains[.]world/us/xxrr/clanew-tmz?bhu=3cMnEa2X97RGXu9jwQsJegZiZHBadNzjjiV9

    V. The landing page leads to the "CLA Safflower Oil" weight loss product landing page.

    VI. Final landing product page (id: 313491) ->

    hxxps://cla-extract-portal[.]com/cla_list/cla_improved3/?click_id=06_41055726_71b340f6-3122-4a01-9fef-f945e4e6e8d7&subid1=313491&netid=3&ver=old&ad=1gPA



        Buhtrap Malware Analysis

        Goal: Reverse and analyze the Buhtrap banking Trojan. This was one of the most high-profile Trojans attacking various financial institutions in Russia in 2015-2016.
        Source: a6569546896b6d8ad95e4dbcc346a68b
        Config Source: Github


        Static Analysis: Buhtrap Trojan



        I. === MZ Header ===

        •   signature:           "MZ"
        •   reloc_table_offset:  64     0x40
        •   lfanew:              224    0xe0

        II. === Packer / Compiler ===

        •   MS Visual C++ v8.0



        III. === BINARY ===

        # IMAGE_FILE_HEADER:

        •   Machine:               332    0x14c  x86
        •   NumberOfSections:      4      4
        •   TimeDateStamp:         "2016-09-06 11:23:33"
        •   PointerToSymbolTable:  0      0
        •   NumberOfSymbols:       0      0
        •   SizeOfOptionalHeader:  224    0xe0
        •   Characteristics:       259    0x103  RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

        IV. === SECTIONS ===

          NAME      RVA     VSZ    RAW_SZ  RAW_PTR  nREL  REL_PTR  nLINE  LINE_PTR  FLAGS

        •   .text   1000    16f24  17000   400      0     0        0      0         60000020  R-X CODE
        •   .rdata  18000   80f2   8200    17400    0     0        0      0         40000040  R-- IDATA
        •   .data   21000   190a8  10600   1f600    0     0        0      0         c0000040  RW- IDATA
        •   .rsrc   3b000   780    800     2fc00    0     0        0      0         40000040  R-- IDATA


        V. === SECURITY === Digital Certificate “Bit-Trejd” (Moscow, Russia)

        Certificate:
            Data:
                Version: 3 (0x2)
                Serial Number:
                    54:46:0e:1f:cd:61:2c:d3:37:7a:c2:cd:76:e4:24:0f
            Signature Algorithm: sha256WithRSAEncryption
                Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA
                Validity
                    Not Before: May 30 00:00:00 2016 GMT
                    Not After : May 30 23:59:59 2017 GMT
                Subject: C=RU/postalCode=127051, ST=Moscow, L=Moscow/street=1st Kolobovskij pereulok d. 27/3 str.3 office 30, O=Bit-Trejd, OU=IT, CN=Bit-Trejd
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                        Public-Key: (2048 bit)
                        Exponent: 65537 (0x10001)
                X509v3 extensions:
                    X509v3 Authority Key Identifier: 
                        keyid:29:91:60:FF:8A:4D:FA:EB:F9:A6:6A:B8:CF:F9:E6:4B:BD:49:CE:12

                    X509v3 Subject Key Identifier: 
                        54:4B:73:AE:F7:EA:10:02:52:02:6E:75:9A:6C:7A:B2:D8:70:42:16
                    X509v3 Key Usage: critical
                        Digital Signature
                    X509v3 Basic Constraints: critical
                        CA:FALSE
                    X509v3 Extended Key Usage: 
                        Code Signing
                    Netscape Cert Type: 
                        Object Signing
                    X509v3 Certificate Policies: 
                        Policy: 1.3.6.1.4.1.6449.1.2.1.3.2
                          CPS: https://secure.comodo.net/CPS

                    X509v3 CRL Distribution Points: 

                        Full Name:
                          URI:http://crl.comodoca.com/COMODORSACodeSigningCA.crl

                    Authority Information Access: 
                        CA Issuers – URI:http://crt.comodoca.com/COMODORSACodeSigningCA.crt
                        OCSP – URI:http://ocsp.comodoca.com

        === RESOURCES === 

        FILE_OFFSET    CP  LANG     SIZE  TYPE          NAME
            0x2fd88  1252 0x419      184  BITMAP        #30994
            0x2fe40  1252 0x419      324  BITMAP        #30996
            0x2ff84  1252     0      196  DIALOG        DLG_INPUTQUERYSTR
            0x30048  1252     0      440  DIALOG        DLG_PRESETUP
            0x30200  1252 0x243b      381  MANIFEST      #1

        === SIGNATURE === 
          ——————————————–
          000017d1 1299 classical random incrementer 0x343FD 0x269EC3 [32.le.8&]
          0001f410 2545 anti-debug: IsDebuggerPresent [..17]
          00030380 3032 PADDINGXXPADDING [..16]
          0003045a 917  SSH RSA id-sha1 OBJ.ID. oiw(14) secsig(3) algorithms(2) 26 [..15]

        Configuration: Buhtrap Trojan

        • Targeted processes

        p-client.exe.prclient.exe.rclient.exe.saclient.exe.SRCLBClient.exe.twawebclient.exe.vegaClient.exe.dsstart.exe.dtpaydesk.exe.eelclnt.exe.elbank.exe.etprops.exe.eTSrv.exe.ibconsole.exe.kb_cli.exe.KLBS.exe.KlientBnk.exe.lfcpaymentais.exe.loadmain.exe.lpbos.exe.mebiusbankxp.exe.mmbank.exe.pcbank.exe.pinpayr.exe.Pionner.exe.pkimonitor.exe.pmodule.exe.pn.exe.postmove.exe.productprototype.exe.quickpay.exe.rclaunch.exe.retail.exe.retail32.exe.translink.exe.unistream.exe.uralprom.exe.w32mkde.exe.wclnt.exe.wfinist.exe.winpost.exe.wupostagent.exe.Zvit1DF.exe.BC_Loader.exe.Client2008.exe.IbcRemote31.exe._ftcgpk.exe.scardsvr.exe.CL_1070002.exe.intpro.exe.UpMaster.exe.SGBClient.exe.el_cli.exe.MWClient32.exe.ADirect.exe.BClient.exe.bc.exe.ant.exe.arm.exe.arm_mt.exe.ARMSH95.EXE.asbank_lite.exe.bank.exe.bank32.exe.bbms.exe.bk.exe.BK_KW32.EXE.bnk.exe.CB.exe.cb193w.exe.cbank.exe.cbmain.ex.CBSMAIN.exe.CbShell.exe.clb.exe.CliBank.exe.CliBankOnlineEn.exe.CliBankOnlineRu.exe.CliBankOnlineUa.exe.client2.exe.client6.exe.clientbk.exe.clntstr.exe.clntw32.exe.contactng.exe.Core.exe.cshell.exe.cyberterm.exe.client.exe.cncclient.exe.bbclient.exe.EximClient.exe.fcclient.exe.iscc.exe.kabinet.exe.SrCLBStart.exe.srcbclient.exe.Upp_4.exe.Bankline.EXE.GeminiClientStation.exe._ClientBank.exe.ISClient.exe.cws.exe.CLBANK.EXE.IMBLink32.exe.cbsmain.dll.GpbClientSftcws.exe.Run.exe.SGBClient.ex.sx_Doc_ni.exe.icb_c.exe.Client32.exe.BankCl.exe.ICLTransportSystem.exe.GPBClient.exe.CLMAIN.exe.ONCBCLI.exe.CLBank3.exe.rmclient.exe.FColseOW.exe.RkcLoader.exe

        • Targeted applications

        %PROFILE%…iBank2..%APPDATA%…%DESKTOP%…amicon,bifit,*bss,*ibank……..%PROGRAMFILES32%….%SYSTEMDRIVE%…*…*\……*gpb,inist,mdm,bifit,Aladdin,Amicon,*bss,Signal-COM,iBank2,*\bc.exe,*\*\intpro.exe,*cft,agava,*R-Style,*AKB Perm….*ELBA,*ELBRUS…%PROGRAMFILES64%….ቅ.*gpb,inist,mdm,bifit,Aladdin,Amicon,*bss,Signal-COM,iBank2,*\bc.exe,*\*\intpro.exe,*cft,agava,*R-Style,*AKB Perm

        • Targeted visited websites: 

        SFT,*Agava,*Clnt,*CLUNION.0QT,*5NT,*BS,*ELBA,*Bank,ICB_C,*sped,*gpb……..*ICPortalSSL*.*isfront.priovtb.com*.*ISAPIgate.dll*.*bsi.dll*.*PortalSSL*.*IIS-Gate.dll*.*beta.mcb.ru*.*ibank*.*ibrs*.*iclient*.*e-plat.mdmbank.com*.*sberweb.zubsb.ru*. *ibc*.*elbrus*.*i elba*.*clbank.minbank.ru*.*chelindbank.ru/online/*.*uwagb*.*wwwbank*.*dbo*.*ib.*.

        • Second-stage payload URL

        hxxp://rozhlas[.]site/news/business/release[.]bin (User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u;%s Trident/4.0))

        • Parsed browser history

        Google Chrome browser history location: 

        • %localappdata%\Google\Chrome\User Data\Default\History
        • %appdata%\Google\Chrome\User Data\Default\History

        Mozilla Firefox browser history location: 

        • %appdata%\Mozilla\Firefox\Profiles..*/*.GET…..*\places.sqlite

        Opera  browser history location: 

        • %appdata%\Opera\Opera\global_history.dat
        • Internet search history queries:

          *SFT,*Agava,*Clnt,*CLUNION.0QT,*5NT,*BS,*ELBA,*Bank,ICB_C,*sped,*gpb……..*ICPortalSSL*.*isfront.priovtb.com*.*ISAPIgate.dll*.*bsi.dll*.*PortalSSL*.*IIS-Gate.dll*.*beta.mcb.ru*.*ibank*.*ibrs*.*iclient*.*e-plat.mdmbank.com*.*sberweb.zubsb.ru*. *ibc*.*elbrus*.*i-elba*.*clbank.minbank.ru*.*chelindbank.ru/online/*.*uwagb*.*wwwbank*.*dbo*.*ib.*

        • Self-delete cmd script: 

        cmd.exe /C for /l %%x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %%p in ("%s") do (del /f /q %%p & if not exist %%p exit))



        The full configuration related to the Buhtrap malware is available here.


        Treasure Hunter Point-of-Sale Malware Analysis

        Goal: Reverse Treasure Hunter Point-of-Sale (POS) malware
        Source: 2dfddbc240cd6e320f69b172c1e3ce58
        Config: GitHub

        [*] MD5     : 2dfddbc240cd6e320f69b172c1e3ce58
        [*] SHA-1   : e573a6fd61fd3928201d85dbffe5aefe21e49192
        [*] SHA-256 : e70614382ad300bd8c1f2cedb3259212057c40433e22ffeee7292ae576c4eae2

        [+] File Type: EXE
        [+] Address of entry point: 0x00005a82
        [+] Image Base Address: 0x00400000
        [+] Packer / Compiler: MS Visual C++ 8.0

        ————————————————————
        Executable         \Windows\explorer.exe
        Executable         \jucheck.exe
        Web Page           logmeinrescue[.]us[.]com/system/oauth/gate[.]php
        Library               ADVAPI32.dll
        Library               KERNEL32.dll
        Library               SHELL32.dll
        Library               USER32.dll
        Library               USERENV.dll
        Library               WINHTTP.dll
        Database            C:\work\treasureHunter\Release\treasureHunter.pdb

        [+] Sections
                    Name: .text     Virtual Address: 0x00001000 Size: 0x0000fcda        Entropy: 6.667572
                    Name: .rdata  Virtual Address: 0x00011000 Size: 0x00005eb2        Entropy: 4.641277
                    Name: .data    Virtual Address: 0x00017000 Size: 0x00002fe0        Entropy: 3.331543
                    Name: .rsrc     Virtual Address: 0x0001a000 Size: 0x000001e0       Entropy: 4.710061
                    Name: .reloc   Virtual Address: 0x0001b000 Size: 0x000012a4       Entropy: 6.678696

        Treasure Hunter POS configuration

        7200000._GATE_URL_PLACEHOLDER
        3600000.SE_MINUTES_PLACEHOLDER
        600000.USE_MINUTES_PLACEHOLDER
        1SE_CLINGFISH_MODE_PLACEHOLDER
        120000.SH_PAUSE_MINUTES_PLACEHOLDER
        1800000.SE_AFTER_CLINGFISH_MINUTES_PLACEHOLDER
        50.CKS_ARR_SIZE_PLACEHOLDER
        fdsfsdfasfdasfad.CEHOLDER
        [File stream]: ntuser.ini:..A78I88JP02S1..CJEPKS0CONN2..MKF82S32UFBS

        Additional configuration data
        \?.POST….Content-Type: 
        application/x-www-formurlencoded..SOFTWARE\Microsoft\Windows NT\CurrentVersion..DigitalProductId..\\.\PhysicalDrive0..;.???ssuccessfully sent the dumps!..???SSeDebugPrivilege….Couldn’t get a snapshot of the memory processes!….couldn’t get a snapshot of the memory processes!..Clingfish mode activated!.SOFTWARE\Microsoft\Windows\CurrentVersion\Run…Error opening registry key for autostart in HKLM- not enough rights, trying to open in HKCU….Unknown error opening registry key for autostart..???k..Error creating registry key for autostart…Successfully created registry key for autostart.??????..Already running from the desired location…Successfully created the directory..Successfully copied the file..Failed to copy the file…Failed to create the directory, entering re-install (update) mode…Successfully deleted destination file…Failed to delete the destination file…Error – Treasure Hunter is already running on this computer! To re-install, close the jucheck[.]exe process and try again.An unknown error occured!.Cannot find %AppData%!..Failed to execute the file..Successfully executed thecfile….TreasureHunter version 0.1.1 Alpha, created by Jolly Roger (jollyroger@prv[.]name) for BearsInc. Greets to Xylitoland co…..Failed to delete original file, retrying..????????..Successfully deleted original file..Couldn’t get debug privileges.Successfully reached the gate.Failed to reach the gate…
        Cryptographic functions:
        offset   num  description [bits.endian.size] 
          000151e0 2415 Misty md5const [32.le.256]
          00015db2 2545 anti-debug: IsDebuggerPresent [..17]
          000172e8 2053 RIPEMD-128 InitState [32.le.16&]
        API Logger
        404ce2        CreateMutex(41ab9249dbb6472366a18be70e72cc72)   
        4048ce        WaitForSingleObject(768,0)         
        77f66aed     WaitForSingleObject(764,0)     
        404a27        Copy(C:\Documents and Settings\Administrator\Desktop\treasure.exe->C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe) 
        7c8283dc    WriteFile(h=75c)           
        404824       RegSetValueExA (jucheck)
        404b99       CreateProcessA(C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe,C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe 2fb216b58f88bebe8bec6e851f40904b373a574aa4d279d0a109a32efd84d3475b82b1e4fb1a37ac2250d1c1af226a677552901f268fa61bba0e4971,0,C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72)

        Yara Signature

        rule crime_win_treasurehunter_pos {
            meta:
                description = "Detects a TreasureHunter PoS variant"
                author = "Vitali Kremez"
                date = "2016-07-08"
                hash = "e70614382ad300bd8c1f2cedb3259212057c40433e22ffeee7292ae576c4eae2"

            strings:
                $s0 = "Error - Treasure Hunter is already running on this computer! To re-install, close the jucheck.exe process and try again" fullword wide
                $s1 = "logmeinrescue.us.com/system/oauth/gate.php" fullword ascii
                $s2 = "C:\\work\\treasureHunter\\Release\\treasureHunter.pdb" fullword ascii
                $s3 = "Couldn't get a snapshot of the memory processes!" fullword wide
                $s4 = "Error opening registry key for autostart in HKLM - not enough rights, trying to open in HKCU" fullword wide
                $s5 = "TreasureHunter version 0.1.1 Alpha, created by Jolly Roger (jollyroger@prv.name) for BearsInc. Greets to Xylitol and co." fullword wide
                $s6 = "\\Windows\\explorer.exe" fullword ascii
                $s7 = "Failed to execute the file" fullword wide
                $s8 = "ssuccessfully sent the dumps!" fullword wide
                $s9 = "\\jucheck.exe" fullword ascii
                $s10 = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.3072" ascii
                $s11 = "Successfully executed the file" fullword wide
                $s12 = "GETKEYS" fullword ascii
            condition:
                uint16(0) == 0x5a4d and filesize < 295KB and 2 of ($s*)
        }
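        How the rule's wide and fullword modifiers behave is easy to get wrong when a signature like this is ported to other tooling. The following added example (written for this page, not the author's code or any YARA project code) re-implements the rule's condition in plain Python over a subset of its $s strings and two constructed buffers; RULE_STRINGS, match_rule and the SAMPLE_* buffers are all constructed here.

```python
import re

# Subset of the $s strings from the rule above, with the modifier each carries.
# "wide" means the sample stores the text as UTF-16LE; "ascii" as single bytes.
RULE_STRINGS = {
    "s1": ("logmeinrescue.us.com/system/oauth/gate.php", "ascii"),
    "s3": ("Couldn't get a snapshot of the memory processes!", "wide"),
    "s7": ("Failed to execute the file", "wide"),
    "s9": ("\\jucheck.exe", "ascii"),
    "s12": ("GETKEYS", "ascii"),
}
MAX_SIZE = 295 * 1024  # the rule's "filesize < 295KB"


def encode(text, modifier):
    """Turn a rule string into the byte pattern YARA would search for."""
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("latin-1")


def is_word_unit(data, pos, wide):
    """YARA's fullword neighbour test on one code unit: ASCII alphanumeric,
    and for wide strings the high byte of the UTF-16LE unit must be zero."""
    width = 2 if wide else 1
    if pos < 0 or pos + width > len(data):
        return False          # no neighbour at all counts as a boundary
    if wide and data[pos + 1] != 0:
        return False
    return bytes([data[pos]]).isalnum()


def fullword_hits(data, pattern, modifier):
    """Count occurrences of pattern that are not glued to another word
    character on either side (what the fullword modifier requires)."""
    wide = modifier == "wide"
    step = 2 if wide else 1
    hits = 0
    for m in re.finditer(re.escape(pattern), data):
        if not is_word_unit(data, m.start() - step, wide) and \
           not is_word_unit(data, m.end(), wide):
            hits += 1
    return hits


def match_rule(data, min_strings=2):
    """Evaluate: uint16(0) == 0x5a4d and filesize < 295KB and 2 of ($s*).
    Returns (matched?, names of the strings that matched)."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False, []
    if len(data) >= MAX_SIZE:
        return False, []
    matched = [name for name, (text, mod) in RULE_STRINGS.items()
               if fullword_hits(data, encode(text, mod), mod) > 0]
    return len(matched) >= min_strings, matched


# Constructed test buffers (not real samples): an MZ stub followed by strings.
STUB = b"MZ" + b"\x00" * 62
# Both strings stored as the rule expects: ascii path, UTF-16LE message.
SAMPLE_HIT = (STUB
              + b"\x00" + encode("\\jucheck.exe", "ascii") + b"\x00"
              + b"\x00\x00" + encode("Failed to execute the file", "wide") + b"\x00\x00")
# Same text, but the path runs straight into a digit (so it is not fullword)
# and the message is stored as plain ascii, so the wide pattern never appears.
SAMPLE_MISS = (STUB
               + b"C:\\jucheck.exe2" + b"\x00"
               + b"Failed to execute the file" + b"\x00")

if __name__ == "__main__":
    print("hit :", match_rule(SAMPLE_HIT))    # (True, ['s7', 's9'])
    print("miss:", match_rule(SAMPLE_MISS))   # (False, [])
```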

        Snort Ruleset

        alert tcp $HOME_NET any -> any any (msg:"TreasureHunter POS Alert"; content:"logmeinrescue.us.com"; content:"/system/oauth/gate.php"; pcre:"/.*(request=|\&use=|\&id=).*/"; classtype:trojan-activity; sid:1000001; rev:1;)

        Yara Signature (7/8/2018):

        rule crime_win32_treasurehunter_pos {
            meta:
                description = "Detects generic unpacked TreasureHunter POS"
                author = "@VK_Intel"
                reference = "TreasureHunter POS"
                date = "2018-07-08"
                hash = "f4ba09a65d5e0a72677580646c670d739c323c3bca9f4ff29aa88f58057557ba"

            strings:
                $magic = { 4d 5a }

                $s0 = "Error - Treasure Hunter is already running on this computer! To re-install, close the jucheck.exe process and try again" fullword wide
                $s1 = "C:\\Users\\user\\Desktop\\trhutt34C\\cSources\\treasureHunter\\Release\\treasureHunter.pdb" fullword ascii
                $s2 = "Couldn't get a snapshot of the memory processes!" fullword wide
                $s3 = "TreasureHunter version 0.1 Alpha, created by Jolly Roger (jollyroger@prv.name) for BearsInc. Greets to Xylitol and co." fullword wide
                $s4 = "Couldn't get debug privileges" fullword wide
                $s5 = "Failed to execute the file" fullword wide
                $s6 = "ssuccessfully sent the dumps!" fullword wide
                $s7 = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; ." ascii
                $s8 = "Successfully executed the file" fullword wide
                $s9 = "Cannot find %AppData%!" fullword wide
                $s10 = "\\Windows\\explorer.exe" fullword ascii
                $s11 = "\\jucheck.exe" fullword ascii

            condition:
                $magic at 0 and filesize < 235KB and 9 of ($s*)
        }


        QakBot Main Core Configuration

        Source: X-Force IBM blog 

        Sample MD5: 8a3ab5d3fa3644ec1829e7825b0a22a3
        Full core QakBot config: Github


        Here is the excerpt from their sample .cfg pertaining to the financial institutions targeted by the sample (MD5: 8a3ab5d3fa3644ec1829e7825b0a22a3):

        The targeted financial institutions appear to be as follows:

        cfg[.]tdetreasury[.]tdbank[.]com;cmoltp[.]bbt[.]com;cashmanageronline[.]bbt[.]com;[.]hsbcnet[.]com;ebc_ebc;blilk[.]com;bankeft[.]com;cmol[.]bbt[.]com;securentrycorp[.]zionsbank[.]com;tmcb[.]zionsbank[.]com;[.]web-access[.]com;nj00-wcm;commercial[.]bnc[.]ca;/clkccm/;paylinks[.]cunet[.]org;e-facts[.]org;accessonline[.]abnamro[.]com;providentnjolb[.]com;firstmeritib[.]com;corporatebanking;firstmeritib[.]com/defaultcorp[.]aspx;e-moneyger[.]com;jsp/mainWeb[.]jsp;svbconnect[.]com;premierview[.]membersunited[.]org;each[.]bremer[.]com;iris[.]sovereignbank[.]com;/wires/;paylinks[.]cunet[.]org;securentrycorp[.]amegybank[.]com;businessbankingcenter[.]synovus[.]com;businessinternetbanking[.]synovus[.]com;ocm[.]suntrust[.]com;otm[.]suntrust[.]com;cashproonline[.]bankofamerica[.]com;singlepoint[.]usbank[.]com;netconnect[.]bokf[.]com;business-eb[.]ibanking-services[.]com;cashproonline[.]bankofamerica[.]com;/cashplus/;ebanking-services[.]com;/cashman/;web-cashplus[.]com;treas-mgt[.]frostbank[.]com;businesseb[.]ibanking-services[.]com;treasury[.]pncbank[.]com;access[.]jpmorgan[.]com;tssportal[.]jpmorgan[.]com;ktt[.]key[.]com;onlineserv/CM;premierview[.]membersunited[.]org;directline4biz[.]com;[.]webcashmgmt[.]com;tmconnectweb;moneymanagergps[.]com;ibc[.]klikbca[.]com;directpay[.]wellsfargo[.]com;express[.]53[.]com;ctm[.]53[.]com;itreasury[.]regions[.]com;itreasurypr[.]regions[.]com;cpw-achweb[.]bankofamerica[.]com;businessaccess[.]citibank[.]citigroup[.]com;businessonline[.]huntington[.]com;/cmserver/;goldleafach[.]com;iachwellsprod[.]wellsfargo[.]com;achbatchlisting;/achupload;commercial2[.]wachovia[.]com;commercial3[.]wachovia[.]com;commercial4[.]wachovia[.]com;wc[.]wachovia[.]com;commercial[.]wachovia[.]com;wcp[.]wachovia[.]com;chsec[.]wellsfargo[.]com;wellsoffice[.]wellsfargo[.]com;/ibws/;/stbcorp/;/payments/ach;trz[.]tranzact[.]org;/wiret;/payments/ach;cbs[.]firstcitizensonline[.]com;/corpach/;scotiaconnect[.]scotiabank[.]com;webexpress[.]tdbank[.]com;businessonline[.]tdbank[.]com;/wcmpw/;/wcmpr/;wcmtr/;tcfexpressbusiness[.]com;trz[.]tranzact[.]org


        06-01-2017 Spora Ransomware Configuration


        Goal: Obtain the latest Spora ransomware configuration for malware analysis.
        Config Source: Github 





        The Spora semi-config is as follows:

        email…msg…avi…mp4…wmv…cue…nrg…bin…mds…mdf…iso…sdf…tmd…sdb…ldf…frm…dbs…db3…sql2..sql1..sql…lic…key…cer…pfx…vob…vmxf..vmx…vmsd..vmdk..vhdx..vhd…vdi…vbox..dwf…dxf…cfg…cab…tar…arj…ace…accdb…mdb…pdb…backupdb..wbcat…ful…wbk…010…009…008…007…006…005…004…003…002…bak4..bak3..bak2..bak1..bak…tib…xlam..docxml..backup..7z..rar…zip…bmp…tiff..jpeg..jpg…gsf…geo…efd…cdn…elf…lgp…lgf…log…epf…cfu…cf..dt..sqlite..dbf…1cd…cd..cdr…dwg…psd…ppsm..ppsx..potm..potx..pptm..pptx..bpdx..pdf…rtf…odt…xltm..xltx..xlsb..xlsm..xlsx..xls…docm..docx..doc…dot..games.program files (x86).program files.windows…\*.*..%s%02X%01X-%01X%01X..\%s.%s\%s[.]html..\%s[.]html..}..lnk../c start explorer[.]exe “%s” & type “%s” >”%%temp%%\%s” && “%%temp%%\%s”.cmd[.]exe.shell32[.]dll.%08x%04x%04x[.]exe..%s\%u.:Zone.Identifier..\.runas./c “%s” /u….process call create “ md[.]exe /c vssadmin[.]exe delete shadows /quiet /all”..wmic[.]exe..IsShortcut..SOFTWARE\Classes\lnkfile..\%u.m%u./