Introduction In the last arcitle about Ursnif campaign have been presented the ursnif powershell downloader, which was also able to download the GandCrab payload. This payload was injected as DLL library into the running process and during the last analysis I have extracted it. Now, it is time to look more closely at this GandCrab sample. Obfuscated strings After a quick look at the disassembly we can notice many calls to one particular function, in our case named by IDA as sub_10009E69.
Introduction In the first part of this analysis have been presented the two types of macro-enabled documents with powershell downloader spreading via emails in recent campaign. The powershell downloaders and/or the macros were slightly obfuscated, however, it was easy to defeat this obfuscation and reveal their purpose. Unfortunatelly, during my analysis the downloaded content was not present on the involved servers and also in the most cases it was not available even during the analysis on sandboxes like Any.
Overview During the first half of February 2019 there was an increase in occurences of the spam messages containing attached documents with the names in the form “Request” followed by the number, like “Request15.doc”. These documents contains slightly obfuscated macros which leads to execution of the powershell downloader. This powershell downloader connects to the domains registered in Russian Federation and resolved to the Russian IP adresses. It seems that on these servers are hosted malicious content, in many cases detected as the Ursnif malware.
Introduction My friend have got one USB stick infected with malware, at least that’s what one AntiVirus product reported about it. But strange thing happen, it seemed that the detected file was not present on this USB key. Not only the detected file, but also all of the user data was missing. Only one .lnk file was present in the root of the filesystem. So, this is point where our investigation begins…