[2018-05-27] Slyip->GrandSoft->Ursnif

May 27, 2018

Overview

The captured Fiddler session archive (SAZ) for this chain is 2018-05-27_23-18-00.saz

(Analysis result using EKFiddle, shown in the image below)

Malware

Ursnif

c00e775af8ec1fb973bbfed3d68753b13f2d3e0254daa9454ed27a075c0203a9
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Slyip Campaign]
http[:]//fasthosting.slyip.net/index.php?browser=ie&countryname=United+States
↓
[Slyip Campaign]
http[:]//fasthosting.slyip.net/index.php?browser=ie&countryname=United+States
↓
[Slyip Campaign]
http[:]//fasthosting.slyip.com/3qLMth?browser=ie&countryname=United+States
↓
[GrandSoft Exploit Kit][Landing Page]
http[:]//nrhnvelcro.project-x-adminko-test.tk/meccafeisty_hickory.php
↓
[GrandSoft Exploit Kit][CVE-2016-0189]
http[:]//nrhnvelcro.project-x-adminko-test.tk/getversionpd/1/2/3/4
↓
[GrandSoft Exploit Kit][Malware Payload]
http[:]//nrhnvelcro.project-x-adminko-test.tk/8/1954