![]() ![]() The second pcap for this tutorial, Ursnif-traffic-example-2.pcap, is available here. These patterns are commonly seen from Ursnif samples that do not use HTTPS traffic. Note how patterns from Ursnif traffic in the December 10th example are similar to the patterns we find in example 1. Domain for GET and POST requests after Ursnif is persistent: api.ahah100at.Request for follow-up data: hxxp://one.ahah100at/jvassets/o1/s64.dat.Domain for initial GET requests: foo.fulldinat.Mixed with the other malware activity, this December 10th example contains the following indicators for Ursnif: We can find the same pattern from Ursnif activity caused by a Hancitor infection on December 10,2019. Example of an HTTP GET request caused by our first Ursnif example. Figure 4 highlights the GET request.įigure 4. Note how the GET request starts with /api1/ and is followed by a long string of alpha-numeric characters with backslashes and underscores. The TCP stream window shows the full URL. Domain for GET and POST requests after Ursnif is persistent: h1.wensaatįollow the TCP stream for the very first HTTP GET request at 20:13:09 UTC.Request for follow-up data: hxxp://api2.casysat/jvassets/xI/t64.dat.Domain for initial GET requests: w8.wensaat.The following HTTP data is used during the traffic in our first example: HTTP GET and POST requests after Ursnif is persistent in the Windows registry.HTTP GET request for follow-up data, with the URL ending in.HTTP GET requests caused by the initial Ursnif binary.This category of Ursnif causes the following traffic: In this example, the Ursnif-infected host generates post-infection traffic to 8.208.24139 using various domain names ending with. The pcap for example 1 filtered in Wireshark. ![]() Open the pcap in Wireshark and filter on http.request as shown in Figure 3.įigure 3. Example 1 has been stripped of all traffic not directly related to the Ursnif infection. The chain of events behind this traffic was tweeted here. The first pcap for this tutorial, Ursnif-traffic-example-1.pcap, is available here. Example of Windows registry updates caused by samples of Ursnif, either with or without HTTPS post-infection traffic. For example, both types of Ursnif remain persistent on a Windows host by updating the Windows registry, such as the example shown in Figure 2.įigure 2. Malware samples from either of these categories create the same type of artifacts on an infected Windows host. Ursnif with HTTPS post-infection traffic.Ursnif without HTTPS post-infection traffic. ![]() This tutorial covers two categories of Ursnif infection traffic: Flowchart from one of the more common Ursnif distribution campaigns. We frequently find examples of Ursnif from malspam-based distribution campaigns, such as the example in Figure 1.įigure 1. In some cases, Ursnif is a follow-up infection caused by different malware families like Hancitor, as reported in this recent example. Ursnif can be distributed through web-based infection chains and malicious spam (malspam). You should also have experience with Wireshark display filters as described in this additional tutorial. Note: This tutorial assumes you have a basic knowledge of Wireshark, and it uses a customized column display shown in this tutorial.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |