{ "Event": { "analysis": "2", "date": "2016-03-28", "extends_uuid": "", "info": "OSINT - TREASUREHUNT: A CUSTOM POS MALWARE TOOL", "publish_timestamp": "1459171231", "published": true, "threat_level_id": "3", "timestamp": "1459171202", "uuid": "56f92df0-24f0-4c6e-a297-6f2402de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459170858", "to_ids": false, "type": "link", "uuid": "56f92e2a-1be0-4a3a-a3b6-3f2a02de0b81", "value": "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459170876", "to_ids": true, "type": "pattern-in-file", "uuid": "56f92e3c-2ab8-4dba-bc15-74ae02de0b81", "value": "%USERPROFILE%\\documents\\visual studio 2012\\Projects\\treasureHunter\\Release\\treasureHunter.pdb" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459170927", "to_ids": false, "type": "comment", "uuid": "56f92e6f-b504-4115-81bd-3f2f02de0b81", "value": "Since early 2015, FireEye Threat Intelligence has observed the significant growth of point-of-sale (POS) malware families in underground cyber crime forums. 
POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and control (CnC) server.\r\n\r\nAlthough the PCI DSS rules changed in October 2015, leaving retailers who have not transitioned from existing \u201cswipe\u201d cards to EMV or \u201cchip\u201d enabled cards liable for card-present fraud in more ways than before, many retailers are still in the process of transitioning to chip-enabled card technology. Criminals appear to be racing to infect POS systems in the United States before US retailers complete this transition. In 2015, more than a dozen new POS malware families were discovered.[1]\r\n\r\nPOS malware may be freely available, available for purchase, or custom-built for specific cyber criminals. Free tools are often a result of malware source code being leaked, and tend to be older and more easily detected by security software. POS malware available for purchase may be newly developed tools or modified versions of older tools. Then there is another class of POS malware that is developed for use exclusively by a particular threat group.\r\n\r\nIn this article we examine TREASUREHUNT, POS malware that appears to have been custom-built for the operations of a particular \u201cdump shop,\u201d which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server." 
}, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459170981", "to_ids": true, "type": "md5", "uuid": "56f92ea5-2d50-4fc9-92ef-6f2302de0b81", "value": "cec2810556c63e9c225afb6a5ca58bc1" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459170982", "to_ids": true, "type": "md5", "uuid": "56f92ea6-2890-41b3-8059-6f2302de0b81", "value": "cb75de605c171e36c8a593e337275d8f" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459170982", "to_ids": true, "type": "md5", "uuid": "56f92ea6-009c-4348-a0b2-6f2302de0b81", "value": "6a9348f582b2e121a5d9bff1e8f0935f" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459170982", "to_ids": true, "type": "md5", "uuid": "56f92ea6-5070-43a2-a874-6f2302de0b81", "value": "070e9a317ee53ac3814eb86bc7d5bf49" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459170982", "to_ids": true, "type": "md5", "uuid": "56f92ea6-18ec-4295-acf9-6f2302de0b81", "value": "3e2003878b364b5d77790109f24c9137" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459170983", "to_ids": true, "type": "md5", "uuid": "56f92ea7-4c38-4d72-ada3-6f2302de0b81", "value": "21f99135f836fb4d3f4685d704a4460d" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459170983", "to_ids": true, "type": "md5", "uuid": "56f92ea7-0eb4-4fd2-a1e9-6f2302de0b81", "value": "ea6248e4ddd080e60e6140ab0f8562e1" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": 
"1459170983", "to_ids": true, "type": "md5", "uuid": "56f92ea7-af3c-4c3f-9520-6f2302de0b81", "value": "48692beb88058652115b5c447cd28589" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459170984", "to_ids": true, "type": "md5", "uuid": "56f92ea8-ecd4-43e1-ad7c-6f2302de0b81", "value": "9f9c2e6072e0a233631d234bdcf1b293" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: cec2810556c63e9c225afb6a5ca58bc1", "deleted": false, "disable_correlation": false, "timestamp": "1459171050", "to_ids": true, "type": "sha256", "uuid": "56f92eea-ac18-4ba4-ab20-3f2f02de0b81", "value": "046d0b8024cea9c6aea2ef04b51ce9fd482214fbb3ef068a85c0f91f193f248f" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: cec2810556c63e9c225afb6a5ca58bc1", "deleted": false, "disable_correlation": false, "timestamp": "1459171051", "to_ids": true, "type": "sha1", "uuid": "56f92eeb-30ec-4789-aafb-3f2f02de0b81", "value": "95cfa6e9e2eab0e5e34a96ce6781320d42ff8c0b" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171051", "to_ids": false, "type": "link", "uuid": "56f92eeb-1ccc-4c4f-8e3f-3f2f02de0b81", "value": "https://www.virustotal.com/file/046d0b8024cea9c6aea2ef04b51ce9fd482214fbb3ef068a85c0f91f193f248f/analysis/1458803364/" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 6a9348f582b2e121a5d9bff1e8f0935f", "deleted": false, "disable_correlation": false, "timestamp": "1459171051", "to_ids": true, "type": "sha256", "uuid": "56f92eeb-8880-47ad-b5a3-3f2f02de0b81", "value": "fe5f50fce2f430432a636ef899919505e9477968d8caff7506e888cffed0b5f8" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 6a9348f582b2e121a5d9bff1e8f0935f", "deleted": false, "disable_correlation": false, "timestamp": "1459171052", "to_ids": true, "type": 
"sha1", "uuid": "56f92eec-9acc-40aa-a04c-3f2f02de0b81", "value": "e03dbcf2d45cf99fbcd9aef453cdeb3a00c59d4c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171052", "to_ids": false, "type": "link", "uuid": "56f92eec-74a4-47a5-8e1f-3f2f02de0b81", "value": "https://www.virustotal.com/file/fe5f50fce2f430432a636ef899919505e9477968d8caff7506e888cffed0b5f8/analysis/1450248638/" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 070e9a317ee53ac3814eb86bc7d5bf49", "deleted": false, "disable_correlation": false, "timestamp": "1459171052", "to_ids": true, "type": "sha256", "uuid": "56f92eec-cb08-42a5-a92c-3f2f02de0b81", "value": "ceed84d8d76ee27c92d48dd01c96e6345fb3981319151601f78f4e9ec754a73b" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 070e9a317ee53ac3814eb86bc7d5bf49", "deleted": false, "disable_correlation": false, "timestamp": "1459171053", "to_ids": true, "type": "sha1", "uuid": "56f92eed-be5c-45ca-988f-3f2f02de0b81", "value": "63f377989a84d65b372819992c95110318c6e7c9" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171053", "to_ids": false, "type": "link", "uuid": "56f92eed-a3d4-4e99-bb70-3f2f02de0b81", "value": "https://www.virustotal.com/file/ceed84d8d76ee27c92d48dd01c96e6345fb3981319151601f78f4e9ec754a73b/analysis/1440623335/" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 3e2003878b364b5d77790109f24c9137", "deleted": false, "disable_correlation": false, "timestamp": "1459171053", "to_ids": true, "type": "sha256", "uuid": "56f92eed-74d0-4003-8897-3f2f02de0b81", "value": "68358c49d084939ecae7b78f2c0df0eb8d5b98f31dc13fb5878d8bfbdd5db86f" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 3e2003878b364b5d77790109f24c9137", "deleted": false, "disable_correlation": false, "timestamp": 
"1459171054", "to_ids": true, "type": "sha1", "uuid": "56f92eee-b4fc-40b6-a166-3f2f02de0b81", "value": "efc73c637c63704c31a4b8516adc866feedbfc43" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171054", "to_ids": false, "type": "link", "uuid": "56f92eee-bf40-43c5-9093-3f2f02de0b81", "value": "https://www.virustotal.com/file/68358c49d084939ecae7b78f2c0df0eb8d5b98f31dc13fb5878d8bfbdd5db86f/analysis/1458802637/" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 21f99135f836fb4d3f4685d704a4460d", "deleted": false, "disable_correlation": false, "timestamp": "1459171054", "to_ids": true, "type": "sha256", "uuid": "56f92eee-ce30-4600-b1c8-3f2f02de0b81", "value": "442bca26dddfe4a5d1c0b4adaaaab205a1dca856c41d9353ba45e0794e3660ed" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 21f99135f836fb4d3f4685d704a4460d", "deleted": false, "disable_correlation": false, "timestamp": "1459171055", "to_ids": true, "type": "sha1", "uuid": "56f92eef-74b4-465d-84cf-3f2f02de0b81", "value": "a269ca72b899d30d9730d6a213f643c5e560bdd4" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171055", "to_ids": false, "type": "link", "uuid": "56f92eef-d390-4ef2-b190-3f2f02de0b81", "value": "https://www.virustotal.com/file/442bca26dddfe4a5d1c0b4adaaaab205a1dca856c41d9353ba45e0794e3660ed/analysis/1458802460/" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: ea6248e4ddd080e60e6140ab0f8562e1", "deleted": false, "disable_correlation": false, "timestamp": "1459171055", "to_ids": true, "type": "sha256", "uuid": "56f92eef-b2d4-4816-ac53-3f2f02de0b81", "value": "7eca8bf6d17891529c74d8fce85471135a203f312ae09fe3d907355c7dea9f59" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: ea6248e4ddd080e60e6140ab0f8562e1", "deleted": false, 
"disable_correlation": false, "timestamp": "1459171056", "to_ids": true, "type": "sha1", "uuid": "56f92ef0-3d38-49f3-82cb-3f2f02de0b81", "value": "67bd53130d2ebe851489b607b81ca2d2fb0a20f9" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171056", "to_ids": false, "type": "link", "uuid": "56f92ef0-68b8-4ca9-b104-3f2f02de0b81", "value": "https://www.virustotal.com/file/7eca8bf6d17891529c74d8fce85471135a203f312ae09fe3d907355c7dea9f59/analysis/1458803543/" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 48692beb88058652115b5c447cd28589", "deleted": false, "disable_correlation": false, "timestamp": "1459171056", "to_ids": true, "type": "sha256", "uuid": "56f92ef0-d61c-4aa4-a5b8-3f2f02de0b81", "value": "6a6b099dd313cfd9009d28f42613ed0375ffac9e03e5392329a2a3a4a5c358cd" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 48692beb88058652115b5c447cd28589", "deleted": false, "disable_correlation": false, "timestamp": "1459171057", "to_ids": true, "type": "sha1", "uuid": "56f92ef1-102c-43b0-bc57-3f2f02de0b81", "value": "0b3c2a94075a7ad996cedc81bd29e44a8ea9ed05" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171057", "to_ids": false, "type": "link", "uuid": "56f92ef1-1fc8-4a34-a578-3f2f02de0b81", "value": "https://www.virustotal.com/file/6a6b099dd313cfd9009d28f42613ed0375ffac9e03e5392329a2a3a4a5c358cd/analysis/1458802694/" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 9f9c2e6072e0a233631d234bdcf1b293", "deleted": false, "disable_correlation": false, "timestamp": "1459171057", "to_ids": true, "type": "sha256", "uuid": "56f92ef1-0fa4-4296-863c-3f2f02de0b81", "value": "ab7ac10833cf5936c98554c20a123c395631e09200b4f87a610195bf49dda8e1" }, { "category": "Payload delivery", "comment": "TREASUREHUNT 0.1 - Xchecked via VT: 
9f9c2e6072e0a233631d234bdcf1b293", "deleted": false, "disable_correlation": false, "timestamp": "1459171057", "to_ids": true, "type": "sha1", "uuid": "56f92ef1-5540-44ce-8692-3f2f02de0b81", "value": "ebcc227dbf3c33c3fc9e825ee62382e20a8756ee" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171058", "to_ids": false, "type": "link", "uuid": "56f92ef2-aa44-45f1-b419-3f2f02de0b81", "value": "https://www.virustotal.com/file/ab7ac10833cf5936c98554c20a123c395631e09200b4f87a610195bf49dda8e1/analysis/1458803121/" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171122", "to_ids": true, "type": "url", "uuid": "56f92f32-3d88-4926-902b-3f2602de0b81", "value": "millionjam.eu/megastock/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171123", "to_ids": true, "type": "url", "uuid": "56f92f33-d728-4b66-9836-3f2602de0b81", "value": "cortykopl.com/sdfsgsdsdssdf/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171123", "to_ids": true, "type": "url", "uuid": "56f92f33-7eb4-49a3-be41-3f2602de0b81", "value": "91.232.29.83/sdfsgsdsdssdf/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171123", "to_ids": true, "type": "url", "uuid": "56f92f33-f708-441f-878d-3f2602de0b81", "value": "179.43.160.34/wp-content/temp/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171123", "to_ids": true, "type": "url", "uuid": "56f92f33-ad68-4f3f-8d32-3f2602de0b81", "value": "3sipiojt.com/noth/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", 
"deleted": false, "disable_correlation": false, "timestamp": "1459171124", "to_ids": true, "type": "url", "uuid": "56f92f34-b594-40c9-8f45-3f2602de0b81", "value": "friltopyes.com/southcal/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171124", "to_ids": true, "type": "url", "uuid": "56f92f34-05fc-4b79-9aa7-3f2602de0b81", "value": "seatrip888.eu/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171124", "to_ids": true, "type": "url", "uuid": "56f92f34-eb28-45fe-b3c6-3f2602de0b81", "value": "friltopyes.com/alabol/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171125", "to_ids": true, "type": "url", "uuid": "56f92f35-fc5c-4f56-9fac-3f2602de0b81", "value": "friltopyes.com/nothcal/gate.php" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171157", "to_ids": true, "type": "domain", "uuid": "56f92f55-ac44-403f-ab8a-74ad02de0b81", "value": "millionjam.eu" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171158", "to_ids": true, "type": "domain", "uuid": "56f92f56-8260-4ad2-9d62-74ad02de0b81", "value": "cortykopl.com" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171158", "to_ids": true, "type": "ip-dst", "uuid": "56f92f56-cb74-431d-8695-74ad02de0b81", "value": "91.232.29.83" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171158", "to_ids": true, "type": "ip-dst", "uuid": "56f92f56-b3e0-4cf5-82ac-74ad02de0b81", "value": "179.43.160.34" }, { 
"category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171159", "to_ids": true, "type": "domain", "uuid": "56f92f57-e3f4-40e8-8bf1-74ad02de0b81", "value": "3sipiojt.com" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171159", "to_ids": true, "type": "domain", "uuid": "56f92f57-2024-43e8-a11c-74ad02de0b81", "value": "friltopyes.com" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171160", "to_ids": true, "type": "domain", "uuid": "56f92f58-49e4-4721-ab04-74ad02de0b81", "value": "seatrip888.eu" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1459171177", "to_ids": true, "type": "md5", "uuid": "56f92f69-d568-4a12-a081-3f2802de0b81", "value": "2dfddbc240cd6e320f69b172c1e3ce58" }, { "category": "Network activity", "comment": "TREASUREHUNT v0.1.1", "deleted": false, "disable_correlation": false, "timestamp": "1459171202", "to_ids": true, "type": "hostname", "uuid": "56f92f82-de18-4d14-91fb-6f2302de0b81", "value": "logmeinrescue.us.com" } ] } }