A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14785  by hnpl2011
 Sat Jul 21, 2012 2:33 am
rkhunter wrote: Another Ursnif dropper with x32/x64 payload.

SHA1: 7bf57ccfde72a77d568e135c35ec7f41b68a0470
MD5: 79696dbcecbbaa9eda18e05805635fa5


Decrypted dropper with x32/x64 dlls in the attachment.

Dll registered via HKLM\System\CurrentControlSet\Session Manager\AppCertDlls

epic detection
dropper 16 / 42 https://www.virustotal.com/file/4f48554 ... /analysis/
decrypted 12 / 42 https://www.virustotal.com/file/3e4c5c9 ... /analysis/
x32 dll 5/42 https://www.virustotal.com/file/4df4099 ... 342278900/
x64 dll 1 / 42 https://www.virustotal.com/file/3f2bfd2 ... 342278955/
wrong password!
 #18025  by unixfreaxjp
 Mon Feb 04, 2013 11:02 am
I have a terrible headache with the trojan payload provided by an exploit kit;
the infected download URL is here:
(↑just checked, still up.. may God curse the lazy tax money eater involved, turning him into a frog for not shutting this down ASAP..)
Just in case overall sample is here with all exploit data.
And the binary is attached in this message.
Virus Total report is here
I saw this sample from 0 detection ratio until now becoming 15 or more.

Most of the infection work I figured out well, as I wrote here.
But no networking happens.. yet I have a strong hunch this is a PWS for sure.
Honestly, I am not so sure whether to state this as Cridex, since none of the Cridex I know work like this, but since I can't find another thread for PWS, kindly forgive me for posting this case here for a start.
After restarting explorer the binary itself always quit and never became resident in memory in my test case. PS: the log of the file process & registry process is here.
I mean, what's the real purpose of this infection?
Any help to solve this mystery will be highly appreciated, and thank you in advance.
 #18026  by EP_X0FF
 Mon Feb 04, 2013 11:28 am
This is Ursnif variant. Take decrypted payload dll. Posts moved.
 #18028  by kmd
 Mon Feb 04, 2013 12:02 pm
EP_X0FF wrote: This is Ursnif variant. Take decrypted payload dll. Posts moved.
Out of curiosity, how do you know it's Ursnif?
 #18029  by EP_X0FF
 Mon Feb 04, 2013 12:13 pm
kmd wrote:
EP_X0FF wrote: This is Ursnif variant. Take decrypted payload dll. Posts moved.
Out of curiosity, how do you know it's Ursnif?
1. The same set and combination of hooked APIs (CreateProcess/CreateProcessAsUser/TranslateMessage etc.)
2. Same dll structure, including the set of used constants, e.g. "NEWGRAB SCREENSHOT PROCESS HIDDEN". The same AppCertDll-compatible "client.dll", exporting the required function CreateProcessNotify, see http://www.kernelmode.info/forum/viewto ... 552#p16552; however, this feature seems unused by this dropper.
 #19033  by Xylitol
 Sun Apr 21, 2013 4:36 pm
 #19083  by Horgh
 Fri Apr 26, 2013 6:30 am
I coded a little tool to extract dlls (x64 + x86) from unpacked ursnif samples.
I advise you to read the readme before using it, it's a bit demanding about the dumps.
I included the source code (masm) as well.
 #19090  by Horgh
 Fri Apr 26, 2013 2:40 pm
Attached is a Papras I found on a BH EK this morning.
In the archive: dropper + unpacked, x86 dll + unpacked, x64 dll

Config :
00BEB438 ; Client initialization file for ISFB 2.2....; Default C&C hosts
00BEB478 ..Hosts = illnessofthesociety.ru ilvariantodelsalko.ru ilcambogi
00BEB4B8 acyprustax.ru....; RC6-key used for obfuscating server requests.
00BEB4F8 .ServerKey = 0123456789ABCDEF....; Time interval to check new co
00BEB538 nfig (seconds)..ConfigTimeout = 900....; Time interval to check
00BEB578 new task (seconds)..TaskTimeout = 130....; Current group index..
00BEB5B8 Group = 2003....; Time interval to send BC request (seconds)..Bc
00BEB5F8 Timeout = 30....
Papras.7z
 #19203  by Horgh
 Mon May 06, 2013 8:53 am
I modified my previous tool to create a new one able to extract and uncompress the config file of the bot from the unpacked dlls.
As for the first one, you should read the readme before using it; the source code is included.
Papras config extractor.zip
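Once a config is extracted from the unpacked dll, the ISFB 2.2 client initialization text shown earlier in the thread can be parsed into fields useful for blocking and detection (C&C hosts, group index, beacon intervals). The parser below is an added example, not Horgh's tool; its sample input is reconstructed from the ASCII column of the posted dump (the third host is joined across the dump's row break), and the CRLF line endings and NUL terminator are assumptions about the bytes the viewer hid.

```python
# Reconstructed from the ASCII column of the memory dump in the thread.
# CRLF line endings and the trailing NUL are assumptions (the dump shows
# "...." where non-printable bytes were hidden).
SAMPLE_CONFIG = (
    b"; Client initialization file for ISFB 2.2\r\n\r\n"
    b"; Default C&C hosts\r\n"
    b"Hosts = illnessofthesociety.ru ilvariantodelsalko.ru ilcambogiacyprustax.ru\r\n\r\n"
    b"; RC6-key used for obfuscating server requests.\r\n"
    b"ServerKey = 0123456789ABCDEF\r\n\r\n"
    b"; Time interval to check new config (seconds)\r\n"
    b"ConfigTimeout = 900\r\n\r\n"
    b"; Time interval to check new task (seconds)\r\n"
    b"TaskTimeout = 130\r\n\r\n"
    b"; Current group index\r\n"
    b"Group = 2003\r\n\r\n"
    b"; Time interval to send BC request (seconds)\r\n"
    b"BcTimeout = 30\r\n\x00"
)

LIST_KEYS = {"Hosts"}                                   # whitespace-separated values
INT_KEYS = {"ConfigTimeout", "TaskTimeout", "Group", "BcTimeout"}


def parse_isfb_config(raw):
    """Parse the INI-like config bytes into a dict.

    Text is cut at the first NUL (the buffer is C-string terminated in
    memory), ';' comment lines and blank lines are skipped, and each
    remaining line is split on its first '='. Returns {} if nothing parses.
    """
    text = raw.split(b"\x00", 1)[0].decode("latin-1", errors="replace")
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if not sep:                       # not a key/value line, ignore
            continue
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            cfg[key] = value.split()
        elif key in INT_KEYS and value.isdigit():
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg


def cc_hosts(cfg):
    """Deduplicated, sorted C&C host list, ready for a blocklist or DNS alert."""
    return sorted(set(cfg.get("Hosts", [])))
```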