Malware analysis Gozi ISFB – Bank Trojan aka Ursnif

This is the Gozi ISFB malware, built to steal data and information from its victims. In the folder you will see all the files needed to set up your own malware server.

For this malware analysis I will use a .bin file found through a Google search.

Cyber security - Malware analysis

The .bin file puts me two steps further into the infection chain: I don't have the .doc/.pdf dropper that carries the payload, but the .bin is the file that payload downloads.

I will rename the .bin file to infected.exe (10000.exe)!

008c4bd6ee834d113cfc693af0ea90396eaa47e860bcdd567ffd964b57434e1d.bin

MD5: e6d118192fc848797e15dc0600834783

SHA1: 16d5ded68677f4a870423d3fd30da8377a5b2408

Let's look at how the malware sets itself up on the system. Execution enters at $LN33, a compiler-generated label shown by the disassembler, and from there jumps into the C Runtime Library startup code.

The CRT startup calls __security_init_cookie, which initialises the stack cookie used by the compiler's buffer-overrun (/GS) protection. This is standard MSVC runtime code that every binary built with that compiler carries, not malicious logic in itself; the interesting code comes after the runtime has initialised.
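Before renaming the .bin and stepping through its entry point, it is worth checking that the blob really is a PE image and that its SHA-256 matches the file name it was downloaded under. The following script is an added example and is not part of the original write-up: it hashes the sample (MD5/SHA-1/SHA-256 as listed above), validates the MZ/PE headers and reads the entry-point RVA from the optional header. The `constructed_pe()` header and the demo entry-point value 0x1234 are constructed inputs, not taken from the real sample.

```python
"""Sample intake for the Gozi/ISFB .bin: hash it, confirm it really is a PE
before renaming it to .exe, and read the entry-point RVA that the
disassembly starts from. Added example, not part of the original
write-up; the PE header built by constructed_pe() is a demo input."""
import hashlib
import os
import struct
import sys


def digests(data):
    """MD5 / SHA-1 / SHA-256 of the sample, the three values recorded in the write-up."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def parse_pe(data):
    """Return basic PE header fields, or None if the blob is not a PE image.

    Checks the MZ magic, follows e_lfanew (offset 0x3C) to the "PE\\0\\0"
    signature, then reads Machine from the COFF header and the
    optional-header Magic and AddressOfEntryPoint.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20            # signature (4) + COFF header (20)
    if opt + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    return {"machine": machine, "pe32plus": magic == 0x20B, "entry_rva": entry_rva}


def classify_sample(data, expected_sha256=None):
    """Hashes, whether the SHA-256 in the file name matches the content, and
    whether renaming to .exe is justified (only if it parses as a PE)."""
    h = digests(data)
    pe = parse_pe(data)
    return {
        **h,
        "sha256_matches_name": expected_sha256 is None or h["sha256"] == expected_sha256.lower(),
        "is_pe": pe is not None,
        "pe": pe,
    }


def constructed_pe():
    """Minimal, non-executable PE32 header used as demo input (constructed)."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)     # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x14C)    # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x58, 0x10B)    # optional header Magic: PE32
    struct.pack_into("<I", buf, 0x68, 0x1234)   # AddressOfEntryPoint (demo value)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, "rb") as f:
            data = f.read()
        # Samples named by their SHA-256 (as here): compare the stem with the content hash.
        stem = os.path.basename(path).split(".")[0]
    else:
        data, stem = constructed_pe(), None
    print(classify_sample(data, stem))
```

Run it as `python intake.py 008c4bd6….bin` on the real sample; with no argument it runs against the constructed header. If `is_pe` is false, the .bin is not a plain executable (it may be encoded or a different stage) and renaming it to .exe will not make it run.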


Let's run the infected file and watch what it does!

I can see that explorer.exe shows some activity.


There is some movement there, so let's go to \Roaming\Microsoft\ and look at the newly created folder 'BthM300C'.


After running infected.exe (1000.exe), an executable appears in the new folder: the same .exe under a different name, D3DCsapi.exe.
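Because the dropped copy is the same binary under a new name, the reliable way to hunt for it on other hosts is by content hash, not by file name or folder name (both are attacker-chosen and vary). The script below is an added example, not part of the original write-up: it walks a %APPDATA%\Microsoft-style tree, hashes every executable and reports anything matching the known sample hashes, whatever it is called. The directory tree produced by `build_demo_tree()` is constructed for the demo and is not a real infection.

```python
"""Hunt for the renamed copy that Gozi drops under
%APPDATA%\\Microsoft\\<random>\\: walk the tree, hash every executable and
match it against known sample hashes. Added example, not part of the
original write-up; build_demo_tree() creates a constructed tree."""
import hashlib
import os
import tempfile

# MD5 and SHA-1 of the analysed .bin, as recorded in the write-up.
KNOWN_HASHES = {
    "e6d118192fc848797e15dc0600834783",          # MD5
    "16d5ded68677f4a870423d3fd30da8377a5b2408",  # SHA-1
}

EXEC_EXT = {".exe", ".dll", ".scr"}


def file_hashes(path):
    """MD5 and SHA-1 of a file, streamed so large files need not fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {md5.hexdigest(), sha1.hexdigest()}


def find_renamed_copies(root, known_hashes=KNOWN_HASHES):
    """Return (relative_path, [matching hashes]) for every executable under
    root whose content matches a known hash, regardless of its file name."""
    wanted = {h.lower() for h in known_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXT:
                continue
            full = os.path.join(dirpath, name)
            common = file_hashes(full) & wanted
            if common:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, sorted(common)))
    return sorted(hits)


def build_demo_tree():
    """Constructed %APPDATA%\\Microsoft look-alike: a benign folder plus a
    dropped copy under a random-looking folder, mirroring BthM300C\\D3DCsapi.exe.
    Returns the root and the hash set that identifies the dropped file."""
    base = tempfile.mkdtemp(prefix="roaming_microsoft_")
    dropped = b"MZ demo payload (constructed, not the real sample)"
    os.makedirs(os.path.join(base, "BthM300C"))
    with open(os.path.join(base, "BthM300C", "D3DCsapi.exe"), "wb") as f:
        f.write(dropped)
    os.makedirs(os.path.join(base, "Windows"))
    with open(os.path.join(base, "Windows", "notes.txt"), "wb") as f:
        f.write(dropped)                      # same bytes, but not an executable name
    with open(os.path.join(base, "Windows", "benign.exe"), "wb") as f:
        f.write(b"MZ something else")
    return base, {hashlib.sha1(dropped).hexdigest()}


if __name__ == "__main__":
    # On a live Windows host:
    #   find_renamed_copies(os.path.join(os.environ["APPDATA"], "Microsoft"))
    demo_root, demo_hashes = build_demo_tree()
    print(find_renamed_copies(demo_root, demo_hashes))
```

On a real host, point `find_renamed_copies` at `%APPDATA%\Microsoft` with the sample's hashes; a hit under a folder name you do not recognise, like BthM300C, is the persistence copy. Extending the walk to `%LOCALAPPDATA%` and `%TEMP%` is cheap and catches variants that pick a different parent folder.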


The Registry.


Now, the explorer.exe process.

24 of the DLLs it has loaded are flagged as suspicious.

That means at least some of them are the result of the injection into explorer.exe.


explorer.exe (PID 2304) – 52074 – 166.124.148.146.bc.googleusercontent.com.

That host is on Google Cloud Platform, and explorer.exe is holding connections to it. The Windows shell has no reason to talk to a cloud host on its own, so this traffic belongs to the code injected into it.

The DNS traffic from the infected host:

genesisgrandergh.at

  • Port: 62809, Dst Port: 53
  • Standard query response 0xd314 Server failure
  • NS: ns1.suspended-domain.com

bitsupport.top

  • Standard query response 0xd314 Server failure
  • NS: ns1.suspended-domain.com

carloslimmheklo.at

  • Port: 58097, Dst Port: 53
  • NS: ns1.suspended-domain.com

databasecollection.pw – resolves OK

  • Port: 62809, Dst Port: 53
  • Pubkey: 04b7b8c4d1d482255514ccf90c896acb7b5baaa7208eea67

Name servers for databasecollection.pw:

  • ns4.sinkhole.ch
  • ns3.sinkhole.ch
  • ns2.sinkhole.ch
  • ns1.sinkhole.ch

So three of the four C2 domains fail to resolve and sit on ns1.suspended-domain.com, i.e. they have been suspended by the registrar, and the one that does resolve is served by sinkhole.ch name servers, i.e. it has been taken over by a sinkhole operator. None of them is under the attacker's control any more, which is why the infected host gets no working C2.
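The point a responder needs from this list is not "does the domain resolve" but "who controls it now": a sinkholed domain answers NOERROR just like a live one, and a suspended domain looks like a DNS outage. The script below is an added example, not part of the original write-up: it encodes that triage logic and runs it over records constructed from the values listed above (the response code for carloslimmheklo.at was not recorded, so it is set to `None`). The `SINKHOLE_NS` and `SUSPENDED_NS` suffix lists are assumptions built from this capture; extend them with the sinkhole and registrar-parking name servers you see in your own environment.

```python
"""Triage of the C2 domains seen in the capture: separate registrar-suspended,
sinkholed and live domains using the DNS answers. Added example, not part of
the original write-up; DNS_OBSERVATIONS is constructed from the values in
the write-up (rcode for carloslimmheklo.at was not recorded, hence None)."""

# Name-server suffixes that mean the domain is no longer under attacker control
# (assumed from this capture; extend for your environment).
SINKHOLE_NS = ("sinkhole.ch",)
SUSPENDED_NS = ("suspended-domain.com",)

DNS_OBSERVATIONS = [
    {"domain": "genesisgrandergh.at", "rcode": "SERVFAIL", "ns": ["ns1.suspended-domain.com"]},
    {"domain": "bitsupport.top", "rcode": "SERVFAIL", "ns": ["ns1.suspended-domain.com"]},
    {"domain": "carloslimmheklo.at", "rcode": None, "ns": ["ns1.suspended-domain.com"]},
    {"domain": "databasecollection.pw", "rcode": "NOERROR",
     "ns": ["ns1.sinkhole.ch", "ns2.sinkhole.ch", "ns3.sinkhole.ch", "ns4.sinkhole.ch"]},
]


def _ns_matches(ns_list, suffixes):
    """True if any authoritative name server ends with one of the suffixes."""
    return any(ns.lower().rstrip(".").endswith(s) for ns in ns_list for s in suffixes)


def classify(obs):
    """Verdict for one observation.

    Order matters: a sinkholed domain answers NOERROR (the "OK" in the capture),
    so the name servers are checked before the response code.
    """
    if _ns_matches(obs["ns"], SINKHOLE_NS):
        return "sinkholed"
    if _ns_matches(obs["ns"], SUSPENDED_NS):
        return "suspended"
    if obs["rcode"] == "NXDOMAIN":
        return "unregistered"
    if obs["rcode"] == "NOERROR":
        return "live"
    return "unknown"


def triage(observations):
    """Map every domain to its verdict."""
    return {o["domain"]: classify(o) for o in observations}


def needs_action(observations):
    """Domains still worth blocking and alerting on: live ones, plus anything
    whose state could not be established (an attacker may re-register it)."""
    return sorted(o["domain"] for o in observations
                  if classify(o) in ("live", "unknown"))


if __name__ == "__main__":
    for domain, verdict in triage(DNS_OBSERVATIONS).items():
        print(f"{domain:28} {verdict}")
    print("block/monitor:", needs_action(DNS_OBSERVATIONS))
```

For this capture every domain comes back as suspended or sinkholed, so the sinkhole operator, not the attacker, is receiving the check-ins; the infected host still needs cleaning, but there is no live C2 to block. A domain that the classifier cannot place ("unknown") should stay on the watch list, because suspended domains can be re-registered.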

Now, with this extra information, I will try to find more infected domains.

Gozi reaches its victims through legitimate-looking websites that infect visitors, through other trojans that load it, or as payloads embedded in .doc files, all chosen to get past security controls.

Virus Total Report

https://www.virustotal.com/#/file/008c4bd6ee834d113cfc693af0ea90396eaa47e860bcdd567ffd964b57434e1d/detection

Domains parked on the sinkhole.ch name servers

https://www.malwareurl.com/ns_listing.php?ns=ns2.sinkhole.ch

https://securitytrails.com/list/ns/NS1.SINKHOLE.CH?ref=abuseipdb

About Gozi (Ursnif)

https://www.secureworks.com/research/gozi

https://www.csoonline.com/article/2123315/identity-theft-prevention/inside-the-global-hacker-service-economy.html?page=2

Alex Anghelus

SC Prodefence SRL CEO - Cyber Security, Pentesting & Ethical Hacking - Malware Analyst

SC ProDefence SRL - Cyber Security Services