Karsten Hahn: fileless Ursnif/Gozi static analysis and unpacking
The malware analyst Karsten Hahn recently published a very interesting video on the analysis of a sample of the well-known Ursnif malware.
Ursnif is a banking trojan and a variant of the Gozi malware, observed being spread through automated exploit kits, spearphishing attacks and malicious links.
Hahn analyzed a specific variant of the malware:
Gozi is delivered via SEO poisoning of malicious websites and delivered as JScript in a ZIP archive, often disguised as an important document. After installation it is fileless, using the registry to reside in and inject the payload into legitimate processes. We analyze a Gozi sample and statically unpack the various stages of the infection chain.
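The registry-resident, fileless stage described above is something a defender can look for in a registry export. The following is an added example (not code from the video or from Hahn): it parses a `.reg` export and flags values that carry a script-host launcher, an embedded PE image (MZ header) or an unusually large blob. The key paths, value names and payload bytes in the constructed sample are placeholders, not real Gozi indicators.

```python
import re
from typing import List, Tuple

# Constructed .reg export fragment (not from the page or the video). Key paths,
# value names and the payload bytes are placeholders, not real Gozi indicators.
_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 700          # starts like a PE image
SAMPLE_REG_EXPORT = (
    r'[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]' "\n"
    r'"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\OneDrive\\OneDrive.exe\" /background"' "\n"
    r'"updater"="wscript.exe //e:jscript //b \"C:\\Users\\u\\AppData\\Roaming\\upd.txt\""' "\n"
    "\n"
    r'[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\ExampleVendor]' "\n"
    '"blob"=hex:' + ",".join(f"{b:02x}" for b in _FAKE_PE) + "\n"
    '"cfg"=dword:00000001\n'
)

LAUNCHERS = re.compile(r"\b(wscript|cscript|mshta|powershell|regsvr32|rundll32)(\.exe)?\b", re.I)
BIG = 512   # bytes/chars; above this, a value in such keys is unusually large

def parse_reg(text: str) -> List[Tuple[str, str, str, object]]:
    """Return (key, name, kind, data) for every value in a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)          # join hex continuation lines
    key, out = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
        elif m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line):
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"'):                  # REG_SZ, unescape \" and \\
                out.append((key, name, "sz", re.sub(r"\\(.)", r"\1", raw[1:-1])))
            elif h := re.match(r"hex(?:\((\d+)\))?:(.*)$", raw):
                data = bytes.fromhex(h.group(2).replace(",", ""))
                if h.group(1) == "2":               # REG_EXPAND_SZ stored as UTF-16LE
                    out.append((key, name, "sz", data.decode("utf-16-le").rstrip("\0")))
                else:
                    out.append((key, name, "bin", data))
            elif raw.startswith("dword:"):
                out.append((key, name, "dword", int(raw[6:], 16)))
    return out

def find_suspicious(text: str) -> List[Tuple[str, str, str]]:
    """Flag values that look like a registry-resident payload or its loader."""
    hits = []
    for key, name, kind, data in parse_reg(text):
        if kind == "sz" and LAUNCHERS.search(data):
            hits.append((key, name, "script-host launcher in value"))
        if kind == "sz" and len(data) > BIG:
            hits.append((key, name, "oversized string value"))
        if kind == "bin" and data[:2] == b"MZ":
            hits.append((key, name, "binary value starts with MZ header"))
        elif kind == "bin" and len(data) > BIG:
            hits.append((key, name, "oversized binary value"))
    return hits

if __name__ == "__main__":
    for key, name, why in find_suspicious(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {why}")
```

Export the keys of interest with `reg export` on a suspect host and feed the file to `find_suspicious`; the thresholds and launcher list are starting points to tune, not a signature.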
The video
Tools used
- de4js: https://lelinhtinh.github.io/de4js/
- dnSpy: https://github.com/dnSpy/dnSpy/releases
- PEStudio: https://www.winitor.com/
- Notepad++: https://notepad-plus-plus.org/downloads/
- Python: https://www.python.org/downloads/
- Sysinternals Suite: https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite