2019-09-26 - DATA DUMP: TWO GOZI/ISFB (URSNIF) INFECTIONS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2019-09-26-1st-run-Ursnif-with-Predator-The-Thief-and-spambot-infection-traffic.pcap.zip   23.1 MB (23,097,162 bytes)
• 2019-09-26-2nd-run-Ursnif-with-Predator-The-Thief-and-Trickbot-infection-traffic.pcap.zip   14.8 MB (14,781,874 bytes)
• 2019-09-26-info-on-malware-and-artifacts-from-two-Ursnif-infections.txt.zip   2.2 kB (2,152 bytes)
• 2019-09-26-malware-and-artifacts-from-two-Ursnif-infections.zip   18.1 MB (18,104,652 bytes)

NOTES:

• Both infections had Predator the Thief and Trickbot gtag leo19 as the follow-up malware.
• But the Trickbot EXE crashed unless I ran it manually as an administrator.
• For the first infection I didn't do this, so there is no Trickbot traffic.
• The second infection has Trickbot traffic.
• The first infection has spambot traffic and some other traffic weirdness I've seen before with Ursnif.
• There are examples of Ursnif malspam in the spambot traffic from the first infection pcap.
• To extract a malspam example in Wireshark, use File --> Export Objects --> IMF
• Then select the first object from the list and save it as an .eml file.

 

Click here to return to the main page.