Sometimes, when analysing a malware sample you think: "Wait a minute, I have seen this before". While it's already known that the author of Jolly Roger Stealer is also behind TreasureHunter, this person also wrote H1N1 Loader. When you take a look at the disassembly of Jolly Roger Stealer and H1N1 Loader it becomes clear that it's the same coding style. Also, the two malware use the same techniques to obfuscate strings, hashing API functions, using shellcode and patching Windows files to bypass UAC.
Once decrypted into memory, it in turn decrypts the final payload from its .data section and stores it to the Windows registry. Moreover, it creates either a process of svchost.exe or wuauclt.exe and patches its entrypoint with a shellcode. This shellcode than loads the final payload from the registry into memory, unpacks (Upack) and executes it.
H1N1 Loader comes in the form of an executable with no imports. It carries the encrypted and Upack compressed payload in the .text section. To bypass UAC it uses a modified version of the Wusa.exe method which also includes the patching of a Windows file with a shellcode.
A comparison of both malware can be seen in the following flowchart:
As you can see, the final payload is always a DLL file which is compressed with Upack. Patching the entrypoint of Windows system files seems to be the preferred method of the author to bypass UAC. The final payload of Jolly Roger Stealer doesn't use any string obfuscation and API function hashing. One can think that it was only encrypted with the help of a crypter which was written by the H1N1 Loader. However, I think it's more likely that both malware are written by the same person, since also the advertises share some similarities. Moreover, I have neither seen nor read about any crypter which uses the described techniques.
As mentioned above, both malware use the same method to obfuscate sensitive strings:
And the almost identical hashing algorithm for API functions and library names:
H1N1 Loader (v2): 7b49fcc3c8d77e1da69fb36c747028855ce187cf60073caeb199a5b49fadf9cb
Comparison of Jolly Roger Stealer and H1N1 Loader (v2)
Jolly Roger Stealer comes in the form of a Visual Basic executable with the encrypted payload in the resource section. Interestingly, the decryption algorithm uses the PXOR instruction (MMX) along with the registers MM0 and MM1.Figure 1: Decryption algorithm of Jolly Roger Stealer |
Once decrypted into memory, it in turn decrypts the final payload from its .data section and stores it to the Windows registry. Moreover, it creates either a process of svchost.exe or wuauclt.exe and patches its entrypoint with a shellcode. This shellcode than loads the final payload from the registry into memory, unpacks (Upack) and executes it.
H1N1 Loader comes in the form of an executable with no imports. It carries the encrypted and Upack compressed payload in the .text section. To bypass UAC it uses a modified version of the Wusa.exe method which also includes the patching of a Windows file with a shellcode.
A comparison of both malware can be seen in the following flowchart:
Figure 2: Comparison of the functionalities of Jolly Roger Stealer and H1N1 Loader |
As you can see, the final payload is always a DLL file which is compressed with Upack. Patching the entrypoint of Windows system files seems to be the preferred method of the author to bypass UAC. The final payload of Jolly Roger Stealer doesn't use any string obfuscation and API function hashing. One can think that it was only encrypted with the help of a crypter which was written by the H1N1 Loader. However, I think it's more likely that both malware are written by the same person, since also the advertises share some similarities. Moreover, I have neither seen nor read about any crypter which uses the described techniques.
As mentioned above, both malware use the same method to obfuscate sensitive strings:
Figure 3: Comparison of the string obfuscation techniques |
And the almost identical hashing algorithm for API functions and library names:
Figure 4: Comparison of the hashing algorithms |
Conclusion
Sometimes it happens that you can connect the dots between several malware. My theory is that the author first released Jolly Roger Stealer at the end of 2013, but dropped the project for some reasons. He went on with TreasureHunter which first appeared around one year after the first Jolly Roger Stealer samples were seen. Later, he started to write H1N1 Loader which is based on his former project Jolly Roger Stealer.Hashes (SHA-256)
Jolly Roger Stealer: c0b4f9060a9d02904a279db05292cafa360f91b9350742354987b55acebfec0dH1N1 Loader (v2): 7b49fcc3c8d77e1da69fb36c747028855ce187cf60073caeb199a5b49fadf9cb