
Ursnif Analysis

Ursnif sends an HTTP request to its C2 server, which then delivers an encrypted payload to the victim.

Traffic Simulation to download the payload

Assuming we don't have the key to decrypt the payload (which most of the time we don't), we can replay the traffic back to the malware sample and let it decrypt the payload for us.
We use inetsim to simulate the network for the malware and host the payload on the inetsim machine. When the malware tries to resolve the C2 domain, our DNS server answers, and the sample proceeds to request the payload.
When we analyze the Ursnif code, we see that it makes a request to the same host as in the capture above, api2.doter.at.
We then patch the Ursnif binary so that the DNS server it queries becomes our own DNS server hosted on inetsim; the DNS server addresses are all hardcoded in the executable.
Once the connection is established, it spawns Internet Explorer in the background to communicate with the site and download the payload we are hosting on inetsim.
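The patching step above, shown as an added example (this is not code from the original post and not a documented Ursnif layout): the script enumerates dotted-quad IPv4 strings in a binary and overwrites the chosen ones with the lab resolver's address, NUL-padded to the original length so that no offsets after the string shift. It assumes the DNS server addresses are stored as ASCII, NUL-terminated strings; the sample blob, the TEST-NET addresses and the inetsim address 10.0.0.5 are constructed for the example.

```python
"""Repoint a sample's hardcoded DNS server strings at a lab (inetsim) resolver."""
import re
from typing import Dict, List, Tuple

# Dotted-quad IPv4 string not preceded/followed by another digit or dot,
# so "2.2.2.2" inside "192.2.2.2.2" is not reported as a separate address.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")


def find_ipv4_strings(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, ip_string) for every ASCII IPv4 literal in the blob.

    Run this first: a binary may carry IP strings that are not DNS servers,
    so the analyst picks which ones to patch.
    """
    return [(m.start(), m.group()) for m in IPV4_RE.finditer(blob)]


def patch_ipv4_strings(blob: bytes, replacements: Dict[bytes, bytes]) -> bytes:
    """Overwrite selected IPv4 strings in place, keeping the file length unchanged.

    Each replacement must be no longer than the original; it is NUL-padded up
    to the original length so the terminating NUL and everything after it stay
    where they were. (Assumption: the address is an ASCII, NUL-terminated
    string. A 4-byte binary address would need struct-based patching instead.)
    """
    out = bytearray(blob)
    for off, ip in find_ipv4_strings(blob):
        new = replacements.get(ip)
        if new is None:
            continue
        if len(new) > len(ip):
            raise ValueError(f"{new!r} is longer than {ip!r}; cannot patch in place")
        out[off:off + len(ip)] = new + b"\x00" * (len(ip) - len(new))
    return bytes(out)


# Constructed stand-in for the executable's config area (TEST-NET addresses,
# not real C2 infrastructure).
SAMPLE_BLOB = (
    b"CONFIG\x00"
    + b"192.0.2.1\x00"
    + b"\x90" * 4
    + b"198.51.100.53\x00"
    + b"END"
)

# Constructed lab address: the inetsim host that answers DNS for the sample.
LAB_RESOLVER = b"10.0.0.5"


if __name__ == "__main__":
    for off, ip in find_ipv4_strings(SAMPLE_BLOB):
        print(f"0x{off:04x}: {ip.decode()}")
    patched = patch_ipv4_strings(
        SAMPLE_BLOB, {b"192.0.2.1": LAB_RESOLVER, b"198.51.100.53": LAB_RESOLVER}
    )
    print(patched)
```

Because the file length is preserved, the offsets returned by the initial scan remain valid after patching, and the patched sample can be written back and run in the inetsim-isolated lab network.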

Decrypting the payload

Following the execution, the sample copies a public key into the heap. That key is used to decrypt the last 64 bytes of the payload, and the result is used as a Serpent key to decrypt the rest of the payload.
We can then locate the decrypted executable by searching the memory dump for the MZ header.
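Locating the decrypted executable in the dump, shown as an added example (not code from the original post): rather than stopping at the first "MZ" text match, the carver validates each candidate by following e_lfanew to the "PE\0\0" signature and computes the image's on-disk size from its section table, so decoy "MZ" bytes are skipped and the carved file ends where the last section's raw data ends. The memory dump and the minimal PE32 inside it are constructed here for the example; no real Ursnif payload is involved.

```python
"""Carve PE images out of a raw memory dump by validating every 'MZ' candidate."""
import struct
from typing import List, Optional, Tuple


def pe_size_from_headers(buf: bytes, off: int) -> Optional[int]:
    """Return the on-disk size of the PE starting at buf[off:], or None if it is not a PE."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\x00\x00":
        return None
    num_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    size_opt = struct.unpack_from("<H", buf, pe + 20)[0]
    sec_table = pe + 24 + size_opt
    end = sec_table + num_sections * 40  # at least the headers themselves
    for i in range(num_sections):
        s = sec_table + i * 40
        if s + 40 > len(buf):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", buf, s + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    return end if off + end <= len(buf) else None


def carve_pe_images(dump: bytes) -> List[Tuple[int, bytes]]:
    """Scan the dump for MZ headers and return (offset, image) for each one that parses as a PE."""
    found = []
    pos = 0
    while True:
        pos = dump.find(b"MZ", pos)
        if pos == -1:
            return found
        size = pe_size_from_headers(dump, pos)
        if size:
            found.append((pos, dump[pos:pos + size]))
            pos += size
        else:
            pos += 1  # decoy "MZ" bytes: keep scanning


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed sample: a minimal PE32 with one .text section holding `payload`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, size_opt, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)
    hdr_size = len(dos) + 4 + len(file_hdr) + size_opt + 40
    raw_ptr = (hdr_size + 0x1FF) & ~0x1FF  # 0x200 file alignment
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020
    )
    image = dos + b"PE\x00\x00" + file_hdr + opt_hdr + section
    return image + b"\x00" * (raw_ptr - len(image)) + payload


# Constructed dump: junk, a decoy "MZ" in plain text, the sample PE, then more junk.
SAMPLE_PE = build_sample_pe(b"payload")
SAMPLE_DUMP = b"\x00" * 37 + b"MZ is just text here" + b"\xcc" * 10 + SAMPLE_PE + b"\xff" * 50


if __name__ == "__main__":
    for off, image in carve_pe_images(SAMPLE_DUMP):
        print(f"PE at 0x{off:x}, {len(image)} bytes")
```

On a real dump the carved bytes are the in-memory view of the image, so section raw pointers may not match virtual addresses exactly; the size computed here is a lower bound that is good enough to pull the decrypted executable out for static analysis.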