Assuming we don’t have the key to decrypt the payload (which most of the time we don’t), we can replay the traffic back to the malware sample and get it to decrypt the payload.
We use inetsim to simulate the network for the malware and host the payload on the inetsim machine. When the malware resolves the C2 domain against our DNS server, the lookup succeeds and it proceeds to request the payload.
When we analyze the Ursnif code, we see that it makes a request to the same URL as above, api2.doter.at.
We then patch the Ursnif binary to point its DNS queries at our own DNS server hosted on inetsim, since the DNS server addresses are hardcoded in the executable.
Once the connection is established, it spawns Internet Explorer in the background to communicate with the site and download the payload we are hosting on inetsim.
Decrypting the payload
Following execution, it copies the public key onto the heap and uses it to decrypt the last 64 bytes of the payload; the result is used as a Serpent key to decrypt the rest of the payload.
We can see the decrypted executable by locating the MZ header in the memory dump.
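As an added example (not code from the original write-up), a small Python helper that splits a downloaded payload into its encrypted body and the trailing 64-byte key blob described above, and then carves candidate PE images out of a memory dump by validating the DOS header's e_lfanew pointer against the PE signature, so a stray "MZ" in unrelated data is not mistaken for the decrypted executable. The sample dump is constructed inline; the payload layout (last 64 bytes = key material) is taken from the text.

```python
import struct

PE_SIG = b"PE\x00\x00"
MAX_E_LFANEW = 0x1000   # sane upper bound for the DOS stub size
KEY_BLOB_LEN = 64       # trailing bytes that hold the encrypted Serpent key (per the text)


def split_payload(blob: bytes):
    """Split a downloaded payload into (encrypted body, trailing 64-byte key blob)."""
    if len(blob) <= KEY_BLOB_LEN:
        raise ValueError("payload too short to contain a 64-byte key blob")
    return blob[:-KEY_BLOB_LEN], blob[-KEY_BLOB_LEN:]


def find_pe_images(dump: bytes):
    """Return every offset in `dump` where an 'MZ' is backed by a valid PE signature."""
    hits, pos = [], 0
    while True:
        pos = dump.find(b"MZ", pos)
        if pos == -1 or pos + 0x40 > len(dump):
            break
        # e_lfanew (offset 0x3c of the DOS header) points at the 'PE\0\0' signature
        e_lfanew = struct.unpack_from("<I", dump, pos + 0x3c)[0]
        pe_off = pos + e_lfanew
        if (e_lfanew < 0x40 or e_lfanew > MAX_E_LFANEW or pe_off + 24 > len(dump)
                or dump[pe_off:pe_off + 4] != PE_SIG):
            pos += 2          # bare 'MZ' without a PE header behind it: skip
            continue
        machine, nsections = struct.unpack_from("<HH", dump, pe_off + 4)
        hits.append({"offset": pos, "machine": machine, "sections": nsections,
                     "image": dump[pos:]})   # carve from the header to end of dump
        pos += 2
    return hits


def _build_fake_pe() -> bytes:
    """Constructed minimal PE image: DOS header, e_lfanew -> 0x80, COFF header (x86)."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", dos, 0x3c, 0x80)
    dos += b"\x00" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + PE_SIG + coff + b"\x00" * 16


# Constructed sample dump: a decoy 'MZ' inside junk, then the real image, then padding
SAMPLE_DUMP = b"\x00" * 8 + b"MZ" + b"\x41" * 60 + _build_fake_pe() + b"\xcc" * 32

if __name__ == "__main__":
    for hit in find_pe_images(SAMPLE_DUMP):
        print(f"PE at 0x{hit['offset']:x}, machine=0x{hit['machine']:x}, sections={hit['sections']}")
```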