2018-05-27 - SLYIP CAMPAIGN USES GRANDSOFT EK TO PUSH URSNIF

ASSOCIATED FILES:

  • 2018-05-27-1st-run-SlyIP-Grandsoft-EK-with-post-infection-traffic.pcap   (10,428,474 bytes)
  • 2018-05-27-2nd-run-SlyIP-Grandsoft-EK-with-post-infection-traffic.pcap   (16,254,665 bytes)
  • 2018-05-27-1st-run-SlyIP-Grandsoft-EK-payload-Ursnif.exe   (558,592 bytes)
  • 2018-05-27-2nd-run-SlyIP-Grandsoft-EK-payload-Ursnif.exe   (522,240 bytes)
  • 2018-05-27-both-runs-Grandsoft-EK-CVE-2016-0189.txt   (25,393 bytes)
  • 2018-05-27-both-runs-Grandsoft-EK-dwie.hta.txt   (2,031 bytes)
  • 2018-05-27-both-runs-Grandsoft-EK-fake-DLL-from-VBscript-in-CVE-2016-0189.dll   (4,429 bytes)
  • 2018-05-27-both-runs-Grandsoft-EK-landing-page.txt   (530 bytes)

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

TRAFFIC


Shown above:  Some of the HTTP requests from an infection filtered in Wireshark.


Shown above:  Some of the Tor traffic with the HTTP requests from an infection filtered in Wireshark.


Shown above:  More filtering in Wireshark to get a better idea of the SMTP traffic and HTTP traffic on non-standard ports.


Shown above:  One of the HTTP POST requests related to work.a-poster.info.


Shown above:  Another one of the HTTP POST requests related to work.a-poster.info.
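The Wireshark screenshots above separate the capture into plain HTTP requests, HTTP on non-standard ports, SMTP, and the POST requests to work.a-poster.info. The script below is an added example (not part of this post and not a tool from malware-traffic-analysis.net) that applies the same separation to a pcap file using only the Python standard library, so the result can be scripted rather than eyeballed. The traffic it parses is constructed in memory for the example: apart from work.a-poster.info, which the post names, every host, path, IP address and port in the sample is a placeholder, and nothing here is taken from the post's pcaps. SMTP is recognised by destination port, HTTP by the request method at the start of the TCP payload regardless of port, and Tor is deliberately not classified because port numbers alone do not identify it.

```python
import struct

# Constructed sample traffic for this example; none of these bytes come from
# the post's pcaps. Hosts/paths other than work.a-poster.info are placeholders.

def _tcp_frame(src_port, dst_port, payload, src=(10, 0, 0, 5), dst=(203, 0, 113, 9)):
    """Build an Ethernet/IPv4/TCP frame carrying payload (checksums left as 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # 14-byte Ethernet II, type IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, bytes(src), bytes(dst))   # 20-byte IPv4 header, proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x18, 65535, 0, 0)         # 20-byte TCP header, PSH|ACK
    return eth + ip + tcp + payload

def _pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1527400000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _tcp_frame(49152, 80, b"GET / HTTP/1.1\r\nHost: landing.example\r\n\r\n"),
    _tcp_frame(49153, 80, b"POST /upload.php HTTP/1.1\r\nHost: work.a-poster.info\r\n\r\ndata=1"),
    _tcp_frame(49154, 8443, b"GET /img/x.gif HTTP/1.1\r\nHost: 203.0.113.9:8443\r\n\r\n"),
    _tcp_frame(49155, 25, b"EHLO victim-pc\r\n"),
    _tcp_frame(49156, 443, b"\x16\x03\x01\x00\x05hello"),   # TLS-looking record, not HTTP
])

def iter_frames(pcap_bytes):
    """Yield raw frames from a libpcap file, honouring its byte order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                             # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    t = 14 + ihl                                         # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4
    return src, dst, sport, dport, frame[t + data_off:14 + total_len]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
STANDARD_HTTP_PORTS = {80, 8080}
SMTP_PORTS = {25, 465, 587}

def classify(tcp):
    """Label one TCP segment the way the Wireshark filters above separate traffic."""
    src, dst, sport, dport, payload = tcp
    rec = {"dst": dst, "port": dport, "request": "", "host": ""}
    if payload.startswith(HTTP_METHODS):                 # HTTP by content, not by port
        lines = payload.split(b"\r\n")
        rec["request"] = lines[0].decode("ascii", "replace")
        for h in lines[1:]:
            if h.lower().startswith(b"host:"):
                rec["host"] = h[5:].strip().decode("ascii", "replace")
        rec["kind"] = "http" if dport in STANDARD_HTTP_PORTS else "http-nonstd-port"
    elif dport in SMTP_PORTS:
        rec["kind"] = "smtp"
    else:
        rec["kind"] = "other"
    return rec

def summarize(pcap_bytes, host_of_interest):
    """Count traffic classes and collect the POST requests sent to one host."""
    counts = {"http": 0, "http-nonstd-port": 0, "smtp": 0, "other": 0}
    posts = []
    for frame in iter_frames(pcap_bytes):
        tcp = parse_tcp(frame)
        if tcp is None:
            continue
        rec = classify(tcp)
        counts[rec["kind"]] += 1
        if rec["request"].startswith("POST ") and rec["host"] == host_of_interest:
            posts.append(f'{rec["request"]} -> {rec["dst"]}:{rec["port"]}')
    return counts, posts

if __name__ == "__main__":
    counts, posts = summarize(SAMPLE_PCAP, "work.a-poster.info")
    print(counts)
    for p in posts:
        print(p)
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of a .pcap file (pcapng needs a different reader) and pass the host whose POSTs you want pulled out. Classifying HTTP by the method token rather than the port is what surfaces the "HTTP on non-standard ports" traffic the screenshot above refers to; a port-only filter would miss it.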

GRANDSOFT EK TRAFFIC:

POST-INFECTION TRAFFIC CAUSED BY THE URSNIF MALWARE:

FILE HASHES

GRANDSOFT EK LANDING PAGE:

WEB PAGE WITH CVE-2016-0189 VBSCRIPT EXPLOIT FROM GRANDSOFT EK:

FAKE DLL FROM CVE-2016-0189 VBSCRIPT EXPLOIT:

DWIE.HTA FILE SENT BY GRANDSOFT EK:

SLYIP GRANDSOFT EK PAYLOAD (URSNIF) - 1ST RUN:

SLYIP GRANDSOFT EK PAYLOAD (URSNIF) - 2ND RUN:

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.