| ID | X0022 |
| Aliases | Dreambot, Gozi |
| Platforms | Windows |
| Year | 2016 |
| Associated ATT&CK Software | Ursnif |
A banking trojan that uses malware macros to evade sandbox detection. Variant of Gozi.
See ATT&CK: Ursnif - Techniques Used.
| Name | Use |
|---|---|
| Persistance::Registry Run Keys / Startup Folder (F0012) | Adds registry entries to ensure automatic execution at every system startup [4] |
| Defense Evasion::Hijack Execution Flow (F0015) | Hooks various DLL exported functions when the component is loaded in their respective Browser application process is running to monitor network traffic [4] |
| Discovery::System Information Discovery (E1082) | Uses windows command prompt commands to gather system info, task list, installed drivers, and installed programs [4] |
| Collection::Input Capture (E1056) | Injects HTML into browser session to collect sensitive online banking information when the victim performs their online banking [5] |
| Anti-Static Analysis::Obfuscated Files or Information (E1027) | Creates an encrypted Registry key called TorClient to store its data [2] |
| Name | Use |
|---|---|
| Anti-Behavioral Analysis::Sandbox Detection::Self Check (B0007.007) | Ursnif uses malware macros to evade sandbox detection - checking whether the filename contains only hexadecimal characters before the extension [1] |
| Execution::Conditional Execution (B0025.004) | Macros check if there are at least 50 running processes with a graphical interface, check if a list of blacklisted processes are running, and checks if the application is running in Australia and is NOT affiliated with a select group of networks (Security Research, Hospitals, Universities, Veterans, etc.) [1] [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Check Processes (B0009.004) | Checks if there are virtual machine processes running (Vbox, vmware, etc) [1] |
| Command and Control::Domain Name Generation (B0031) | Ursnif has used a Domain name generation algorithm in the past [2] |
| Command and Control::Command and Control Communication::Authenticate (B0030.011) | Ursnif variant Dreambot authenticates and encrypts traffic to C2 server using TOR [2] |
| Anti-Behavioral Analysis::Debugger Detection::TLS Callbacks (B0001.028) | Manipulates TLS Callbacks while injecting to child process [3] |
| Micro-Behavior::Memory::Change Memory Protection (C0008) | Changes the PE header of the child process to enable write access to that page, writes 18 bytes of buffer at offset 0x40 from the start of svchost.exe process executable in the target child process. Then changes the region protection back to "read only" to avoid suspicion [3] |
| Execution::Remote Commands (B0011) | Commands sent by a remote user can archive/upload files, capture screenshots, clear cookies, download execute other files, list running processes, reboot the affected system, steal certificates and cookies, update/download a configuration file, upload a log file which contains stolen information [5] |
SHA256 Hashes
- 6464cf93832a5188d102cce498b4f3be0525ea1b080fec9c4e12fae912984057
- 0b05fb5b97bfc3c82f46b8259a88ae656b1ad294e4c1324d8e8ffd59219005ac
URLS, IPs, and Domains
- hxxp://62.138.9[.]11/30030u
- hxxp://62.138.9[.]11/vnc32.dll
- hxxp://62.138.9[.]11/vnc64.dll
- 62.138.9[.]9
- 62.75.195[.]103
- 62.75.195[.]117
- ca-tda[.]com
- au-tdc[.]com
- au-tda[.]com
- 109.236.87[.]82:443
- hxxp://deekayallday[.]com/data/office
[1] https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques
[2] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
[3] https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
[4] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279
[5] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279