[2018-05-24] Slyip->GrandSoft->Ursnif

May 24, 2018

Overview

The Fiddler session archive (SAZ) for this capture is 2018-05-24_19-25-45.saz

(Analysis result using EKFiddle: screenshot)

Malware

Ursnif

df50d380a240ec0719dec908a93fa0738ebc2d476b7c8be36c008f32b808998b
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Slyip Campaign]
http[:]//eurohosting.slyip.net/index.php?browser=ie&countryname=United+States
↓
[Slyip Campaign]
http[:]//eurohosting.slyip.net/index.php?browser=ie&countryname=United+States
↓
[Slyip Campaign]
http[:]//eurohosting.slyip.com/3qLMth?browser=ie&countryname=United+States
↓
[GrandSoft Exploit Kit][Landing Page]
http[:]//sketches.gumpzzyr.xyz/locks_wavelength.php
↓
[GrandSoft Exploit Kit][CVE-2016-0189]
http[:]//sketches.gumpzzyr.xyz/getversionpd/1/2/3/4
↓
[GrandSoft Exploit Kit][Malware Payload]
http[:]//sketches.gumpzzyr.xyz/8/6495