Behavior
Upon execution, Ursnif checks for the presence of any virtual or debugging environments; if found, it will show a fake alert message box with the text, "Error Initializing Client App!". It also performs process hollowing on svchost.exe or explorer.exe and injects a dll file (client.dll) based on the system enviornment (whether it is 32- or 64-bit).
Afterwards, it tries to steal multiple pieces of information from the system and store them in a file. It then connects to a malicious command and control (C&C) server.
Infection Vector
Ursnif is typically encountered when the user inadvertently opens a malicious file attachment that arrives via a spam email message.
Files Added
- Create a copy of itself at "%appdata%\[Random_Folder]\[Dropped_Filename].exe" where "Dropped_Filename" is a combination of strings taken from %system32% directory filenames.
- Creates a batch file at "%temp%\[Random_Folder]\[Random_File].bat" to execute and delete itself.
- Creates a storage file at %temp%\[Random_Hex].bin to store the stolen data. Stolen data is in cab file format, which is created by executing makecab.exe. The storage file contains the following information:
- Installed Device Drivers - Collected by executing driverquery.exe
- Installed Programs - Collected by executing reg.exe "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
- System Information - Collected by executing systeminfo.exe
- Current running process - Collected by executing tasklist.exe /SVC
Registry Changes
Adds the following registry key to run at startup:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Dropped_Filename]:
"%appdata%\[Random_Folder]\[Dropped_Filename].exe
- HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Vars
- HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Files
- HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Config
Network Activity
It connects to the following server:
- bergesoma[.]com/images/[encryted_data]/[.jpeg|.gif|.bmp]
- polinodara[.]com/images/[encryted_data]/[.jpeg|.gif|.bmp]
Where encrypted_data contains the Username, Compute Name, Version of Injected process, System IP address and malware specific configuration details.
Other Behavior
The malware also has the capability to:
- Steal email data, which is collected by parsing different email file formats and applications (.wab, .pst)
- Intercept the data and web-forms of the following browsers: Chrome, Internet explorer, Thunderbird, Firefox
- Check for the presence of a virtual environment by checking the Device Informaton string against "vbox", "qemu", "vmware", "virtual hd"
- Detect Phishwall software
Analysis on file: b3764e1a3d0f7d164436d565226800f3c06a58ec
Analysis by: Neeraj Singh