{"id":427,"date":"2018-11-27T14:27:05","date_gmt":"2018-11-27T12:27:05","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=427"},"modified":"2026-06-08T22:44:36","modified_gmt":"2026-06-08T22:44:36","slug":"ursnif-malware-behaviour-removal","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/ursnif-malware-behaviour-removal\/","title":{"rendered":"Ursnif Malware \u2014 behaviour and removal"},"content":{"rendered":"

Follow on<\/strong>: Linkedin<\/a> & Twitter<\/a><\/h2>\n

In this article we provide a detailed analysis of the Ursnif malware<\/strong> (previously introduced: Ursnif, attacks in Italy – LINK<\/a>), identifying its infection and persistence characteristics.<\/p>\n

MITRE ATT&CK applied to Ursnif<\/h2>\n

The infection chain resembles that of other malware:<\/p>\n

    \n
  1. an email sent with a malicious attachment<\/li>\n
  2. execution of PowerShell commands<\/li>\n
  3. download and execution of the Trojan<\/strong>.<\/li>\n<\/ol>\n

    Using the MITRE ATT&CK<\/strong> matrix (MITRE’s Adversarial Tactics, Techniques, and Common Knowledge<\/em>) we can map the malware’s characteristics (techniques and tactics) and correlate it with samples exhibiting identical behavior.<\/p>\n

    \"\"
    URSNIF MITRE ATT&CK<\/figcaption><\/figure>\n

    Malware Details<\/h2>\n\n\n\n\n\n\n\n
    Info<\/strong><\/span><\/td>\nValue<\/strong><\/span><\/td>\n<\/tr>\n
    \n
    MD5<\/span><\/strong><\/span><\/div>\n<\/td>\n
    		ab33b0f6560c16133339182b8c5030ce<\/span><\/td>\n<\/tr>\n
    SHA1<\/span><\/strong><\/span><\/td>\n261cb3e5595f4cca5a0c0a12006288e48a8f6d1e<\/span><\/td>\n<\/tr>\n
    SHA256<\/strong>
    <\/span><\/td>\n    		0ce4392261f6d8d0a2fa666b649860716527f41ea90de948fb03affed69a50ac<\/span><\/td>\n<\/tr>\n
    VirusTotal<\/strong><\/span><\/td>\nVirusTotal Link<\/a><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    The malware was compressed with the UPX 3.0.6<\/strong> packer:<\/p>\n

    \"\"<\/p>\n

    The PDB Path<\/strong> allows us to extend the search to other samples not covered in this analysis, but which we consider valuable for tracking the offensive operations of the criminal group:<\/p>\n\n\n\n\n
    PDB Path:<\/strong><\/span><\/td>\ny:\\test4\\zzz1\\Release\\zzz1.pdb<\/span><\/td>\n<\/tr>\n
    Related malware <\/strong><\/span>

    <\/p>\n

    (same PDB path):<\/strong><\/span><\/p>\n<\/td>\n

    		HYBRIDANALYSIS LINK<\/a><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Dynamic Malware Analysis<\/h2>\n

    During the startup phase, the malware performs a series of operations. Through WMIC<\/strong> commands it executes activities for persistence<\/strong> by exploiting registry keys, then injects itself via PowerShell<\/strong> into system processes (explorer.exe<\/strong>). Our Managed Detection and Response<\/a> capabilities have identified this injection pattern as a critical indicator of compromise requiring immediate containment.<\/p>\n

    \"\"
    Process Map – Ursnif<\/figcaption><\/figure>\n

    Network indicators of compromise for Ursnif malware infection:<\/p>\n\n\n\n\n\n
    DNS requests<\/span><\/strong><\/span><\/td>\n<\/tr>\n
    ninasukash[.]com<\/span><\/td>\n<\/tr>\n
    cjwefomatt[.]com<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Have we been compromised?<\/h2>\n

    To identify potential compromises within corporate infrastructure<\/strong>, it is necessary to search firewall, proxy, or router logs for the domains: “ninasukash[.]com<\/span>” and “cjwefomatt[.]com<\/span>“.<\/p>\n

    To verify whether a workstation has been affected by this malware, multiple tools exist for Incident Response<\/strong> activities. For manual inspection, anomalies can be identified in registry keys used by the malware for system startup, located at the following path:<\/p>\n

    \n

    HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\<\/span><\/p>\n<\/blockquote>\n

    Persistence Details<\/h2>\n

    For persistent access to the compromised system, the malware is embedded within registry keys through an attack known as a fileless attack<\/strong><\/em> (T1547.001 – Registry Run Keys \/ Startup Folder). Nothing is written to disk and the malware is injected into system processes during operating system startup.<\/p>\n

    \n

    “C:\\Windows\\system32\\wbem\\wmic.exe” \/output:clipboard process call create “powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty ‘HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\89726C36-545A-A301-A6CD-C8873A517CAB’).crypptsp))”<\/span><\/p>\n<\/blockquote>\n

    The malware creates a series of registry subkeys<\/strong> at the following path (the final portion is randomized):<\/p>\n

    \n

    HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\89726C36-545A-A301-A6CD-C8873A517CAB<\/span><\/span><\/p>\n<\/blockquote>\n

    The Ursnif<\/strong> malware, positioned within the key “89726C36-545A-A301-A6CD-C8873A517CAB<\/span><\/span>“, is executed at RUN<\/strong> via the command:<\/p>\n

    \n

    powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty ‘HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\89726C36-545A-A301-A6CD-C8873A517CAB’).crypptsp<\/strong>))<\/span><\/p>\n<\/blockquote>\n\n\n

    Offensive Infrastructure Systems<\/h2>\n\n\n\n

    The Ursnif variant analysed is part of a malware campaign initiated on 11 November<\/strong> and is characterised by the root folder “YER” used by the malware distribution system. Recent tracking has identified additional Ursnif campaigns<\/strong> by the team at Reaqta<\/a>:<\/p>\n\n\n\n