2020-03-31 - URSNIF (GOZI/IFSB) INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2020-03-31-Ursnif-IOCs.txt.zip 1.4 kB (1,393 bytes)
- 2020-03-31-Ursnif-infection-traffic.pcap.zip 560 kB (559,599 bytes)
- 2020-03-31-Ursnif-malware.zip 2.0 MB (1,987,387 bytes)
IMAGES
Shown above: Downloading a password-protected zip archive from one of the links.
Shown above: Extracting the EXE from the password-protected zip archive.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Registry updates after the initial infection.