A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14785  by hnpl2011
 Sat Jul 21, 2012 2:33 am
rkhunter wrote:Another Ursnif dropper with x32/x64 payload.

SHA1: 7bf57ccfde72a77d568e135c35ec7f41b68a0470
MD5: 79696dbcecbbaa9eda18e05805635fa5


Decrypted dropper with x32/x64 dlls in attach.

Dll registered via HKLM\System\CurrentControlSet\Session Manager\AppCertDlls

epic detection
dropper 16 / 42 https://www.virustotal.com/file/4f48554 ... /analysis/
decrypted 12 / 42 https://www.virustotal.com/file/3e4c5c9 ... /analysis/
x32 dll 5/42 https://www.virustotal.com/file/4df4099 ... 342278900/
x64 dll 1 / 42 https://www.virustotal.com/file/3f2bfd2 ... 342278955/
wrong password!
 #18025  by unixfreaxjp
 Mon Feb 04, 2013 11:02 am
I have a terrible headache with the trojan payload provided by an exploit kit,
the infected download url is here:
Image
(↑just checked, still up..may God curse the lazy tax money eater involved to a frog for not shut this ASAP..)
Just in case overall sample is here with all exploit data.
And the binary is attached in this message.
Virus Total report is here
I saw this sample from 0 detection ratio until now becoming 15 or more.

Most of the infection work I figured out well, like I wrote here
But there's no networking happening.. yet I have a strong hunch this is a PWS for sure,
Honestly, I am not so sure to state this as Cridex since none of the Cridex I know work like this, but, since I can't find other threat for PWS kindly forgive me for posting this case here for a start.
After restarting the explorer the binary itself always quit and never came to be resident in memory in my test case, PS: the log of the file process & registry process is here
I mean what's the real purpose of this infection?
Any help to solve this mystery will be highly appreciated, and thank you in advance.
Attachments
Filename dune.exe in 7z pwd=infected
(158.17 KiB) Downloaded 88 times
 #18026  by EP_X0FF
 Mon Feb 04, 2013 11:28 am
This is Ursnif variant. Take decrypted payload dll. Posts moved.
Attachments
pass: malware
(45.35 KiB) Downloaded 91 times
 #18028  by kmd
 Mon Feb 04, 2013 12:02 pm
EP_X0FF wrote:This is Ursnif variant. Take decrypted payload dll. Posts moved.
out of curiosity, how do you know it's ursnif?
 #18029  by EP_X0FF
 Mon Feb 04, 2013 12:13 pm
kmd wrote:
EP_X0FF wrote:This is Ursnif variant. Take decrypted payload dll. Posts moved.
out of curiosity, how do you know it's ursnif?
1. The same set and combination of hooked API (CreateProcess/CreateProcessAsUser/TranslateMessage etc)
2. Same dll structure, including set of used constants, e.g. "NEWGRAB SCREENSHOT PROCESS HIDDEN". The same AppCertDll compatible "client.dll", exporting required function CreateProcessNotify, see http://www.kernelmode.info/forum/viewto ... 552#p16552, however this feature seems unused by this dropper.
 #19083  by Horgh
 Fri Apr 26, 2013 6:30 am
I coded a little tool to extract dlls (x64 + x86) from unpacked ursnif samples.
I advise you to read the readme before using it, it's a bit demanding about the dumps.
I included the source code (masm) as well.
Attachments
(55.96 KiB) Downloaded 87 times
 #19090  by Horgh
 Fri Apr 26, 2013 2:40 pm
In attach a Papras I found on a BH EK this morning.
In the archive : dropper + unpacked, x86 dll + unpacked, x64 dll

Config :
00BEB438 ; Client initialization file for ISFB 2.2....; Default C&C hosts
00BEB478 ..Hosts = illnessofthesociety.ru ilvariantodelsalko.ru ilcambogi
00BEB4B8 acyprustax.ru....; RC6-key used for obfuscating server requests.
00BEB4F8 .ServerKey = 0123456789ABCDEF....; Time interval to check new co
00BEB538 nfig (seconds)..ConfigTimeout = 900....; Time interval to check
00BEB578 new task (seconds)..TaskTimeout = 130....; Current group index..
00BEB5B8 Group = 2003....; Time interval to send BC request (seconds)..Bc
00BEB5F8 Timeout = 30....
pwd : infected
(543.27 KiB) Downloaded 104 times
 #19203  by Horgh
 Mon May 06, 2013 8:53 am
I modified my previous tool to create a new one able to extract and uncompress the config file of the bot from the unpacked dlls.
Like for the first one, you should read the readme before using it ; and the source code is included.
(17.8 KiB) Downloaded 105 times
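
Added example (not part of the thread and not Horgh's tool): a small Python parser for the plain-text client config shown in the dump in post #19090, once it has been extracted and uncompressed, producing structured fields and defanged hosts for a report. It assumes CRLF line endings and NUL padding, which the dump's non-printable bytes suggest; the sample hosts are constructed placeholders and `parse_config` / `defanged_hosts` are hypothetical names.

```python
# Added example. SAMPLE is constructed: layout and numeric values follow the
# dump in the thread, hosts are placeholders; CRLF and NUL padding are assumed.
SAMPLE = (
    b"; Client initialization file for ISFB 2.2\r\n\r\n"
    b"; Default C&C hosts\r\n"
    b"Hosts = c2-one.example c2-two.example\r\n\r\n"
    b"; RC6-key used for obfuscating server requests\r\n"
    b"ServerKey = 0123456789ABCDEF\r\n\r\n"
    b"; Time interval to check new config (seconds)\r\n"
    b"ConfigTimeout = 900\r\n\r\n"
    b"; Time interval to check new task (seconds)\r\n"
    b"TaskTimeout = 130\r\n\r\n"
    b"; Current group index\r\n"
    b"Group = 2003\r\n\r\n"
    b"; Time interval to send BC request (seconds)\r\n"
    b"BcTimeout = 30\r\n\r\n\x00\x00"
)
INT_KEYS = {"ConfigTimeout", "TaskTimeout", "BcTimeout", "Group"}

def parse_config(raw: bytes) -> dict:
    """Return {key: {"value": ..., "note": preceding ';' comment}}."""
    # Keep only the text before the first NUL (padding or adjacent memory).
    text = raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    cfg, note = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(";"):          # comment describes the next key
            note = line.lstrip("; ")
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if sep:
            if key == "Hosts":            # space-separated host list
                value = value.split()
            elif key in INT_KEYS and value.isdigit():
                value = int(value)
            cfg[key] = {"value": value, "note": note}
        note = None
    return cfg

def defanged_hosts(cfg: dict) -> list:
    """Hosts rewritten as host[.]tld so they are safe to paste in reports."""
    hosts = cfg.get("Hosts", {}).get("value", [])
    return [h.replace(".", "[.]") for h in hosts]

if __name__ == "__main__":
    for k, v in parse_config(SAMPLE).items():
        print(f"{k:14} {v['value']!r:45} # {v['note']}")
```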