Upon execution, Ursnif checks for the presence of a virtual or debugging environment; if one is found, it displays a fake alert message box with the text "Error Initializing Client App!". It also performs process hollowing on svchost.exe or explorer.exe and injects a DLL (client.dll) that matches the system architecture (32- or 64-bit).
Afterwards, it attempts to steal several pieces of information from the system and stores them in a file. It then connects to a malicious command-and-control (C&C) server.
Ursnif is typically encountered when the user inadvertently opens a malicious file attachment that arrives via a spam email message.
- Creates a copy of itself at "%appdata%\[Random_Folder]\[Dropped_Filename].exe", where "Dropped_Filename" is a combination of strings taken from filenames in the %system32% directory.
- Creates a batch file at "%temp%\[Random_Folder]\[Random_File].bat" to execute and delete itself.
- Creates a storage file at %temp%\[Random_Hex].bin to hold the stolen data. The stolen data is packed in CAB format, produced by executing makecab.exe. The storage file contains the following information:
  - Installed device drivers, collected by executing driverquery.exe
  - Installed programs, collected by executing reg.exe against "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
  - System information, collected by executing systeminfo.exe
  - Currently running processes, collected by executing tasklist.exe /SVC
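As an added example (not from the original analysis), a small Python detector that runs over constructed Sysmon-style process-creation events and flags the collection chain above: one parent process launching several of driverquery, reg.exe against the Uninstall key, systeminfo, tasklist /SVC and makecab writing a hex-named .bin under %temp% within a short window. The event field names, the 120-second window, the three-tool threshold and the makecab command line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line signatures for the collection steps listed above.
RECON_PATTERNS = {
    "driverquery": re.compile(r"\bdriverquery(\.exe)?\b", re.I),
    "uninstall_reg": re.compile(r"\breg(\.exe)?\b.*currentversion\\uninstall", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "tasklist_svc": re.compile(r"\btasklist(\.exe)?\s+/svc\b", re.I),
    "makecab_temp": re.compile(r"\bmakecab(\.exe)?\b.*\\temp\\[0-9a-f]+\.bin\b", re.I),
}

def classify(cmdline):
    """Return the signature name a command line matches, or None."""
    return next((n for n, p in RECON_PATTERNS.items() if p.search(cmdline)), None)

def detect_recon_chains(events, window_seconds=120, min_tools=3):
    """Hits under one parent less than window_seconds apart form a burst; a burst
    covering at least min_tools distinct signatures yields one alert."""
    by_parent, alerts, gap = defaultdict(list), [], timedelta(seconds=window_seconds)
    for ev in events:
        if tool := classify(ev["cmd"]):
            by_parent[(ev["ppid"], ev["parent"])].append((datetime.fromisoformat(ev["ts"]), tool))
    for (ppid, parent), hits in by_parent.items():
        hits.sort()
        burst = [hits[0]]
        for hit in hits[1:] + [None]:  # trailing None flushes the last burst
            if hit is not None and hit[0] - burst[-1][0] <= gap:
                burst.append(hit)
                continue
            tools = sorted({t for _, t in burst})
            if len(tools) >= min_tools:  # a lone admin 'systeminfo' never fires
                alerts.append({"ppid": ppid, "parent": parent, "tools": tools,
                               "first": burst[0][0], "last": burst[-1][0]})
            if hit is not None:
                burst = [hit]
    return alerts

# Constructed Sysmon-style process-creation events (not real telemetry).
EXPLORER, CMD = r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [{"ts": t, "ppid": p, "parent": par, "cmd": c} for t, p, par, c in [
    ("2023-01-01T10:00:00", 1234, EXPLORER, "driverquery.exe"),
    ("2023-01-01T10:00:02", 1234, EXPLORER, r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("2023-01-01T10:00:03", 1234, EXPLORER, "systeminfo.exe"),
    ("2023-01-01T10:00:05", 1234, EXPLORER, "tasklist.exe /SVC"),
    ("2023-01-01T10:00:07", 1234, EXPLORER, r"makecab.exe C:\Users\alice\AppData\Local\Temp\c0ffee.bin"),
    ("2023-01-01T10:30:00", 999, CMD, "systeminfo.exe"),   # isolated admin use, 15 min apart
    ("2023-01-01T10:45:00", 999, CMD, "tasklist.exe /SVC"),
]]
```

Running `detect_recon_chains(SAMPLE_EVENTS)` reports the explorer.exe burst with all five signatures and stays silent on the two spaced-out cmd.exe invocations.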
Adds the following registry key to run at startup:
It connects to the following server:
Here encrypted_data contains the username, computer name, version of the injected process, system IP address and malware-specific configuration details.
The malware also has the capability to:
- Steal email data, which is collected by parsing different email file formats and applications (.wab, .pst)
- Intercept the data and web forms of the following browsers: Chrome, Internet Explorer, Thunderbird, Firefox
- Check for the presence of a virtual environment by comparing the device information string against "vbox", "qemu", "vmware", "virtual hd"
- Detect Phishwall software
Analysis of file: b3764e1a3d0f7d164436d565226800f3c06a58ec