Analysis Report gg_1.gif.dll

Overview

General Information

Sample Name: gg_1.gif.dll
Analysis ID: 382564
MD5: 53f7e96f48283df339164afadd174638
SHA1: bd119af6c52876fb5d23398326850d87fe159735
SHA256: 4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Tags: dll, GG, Gozi, IFSB, Ursnif

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4ba0000.2.raw.unpack Malware Configuration Extractor: Ursnif
  [
    [
      {
        "RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"
      },
      {
        "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"],
        "botnet": "5566",
        "server": "12",
        "serpent_key": "10301029JSJUYDWG",
        "sleep_time": "10",
        "SetWaitableTimer_value": "0",
        "DGA_count": "10"
      }
    ]
  ]
Multi AV Scanner detection for submitted file
Source: gg_1.gif.dll ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: gg_1.gif.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: gg_1.gif.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Detected potential crypto function
Uses 32bit PE files
Source: gg_1.gif.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK

Data Obfuscation:

PE file contains sections with non-standard names
Source: gg_1.gif.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00EA2A69 xor edi, dword ptr fs:[00000030h] 1_2_00EA2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03462A69 xor edi, dword ptr fs:[00000030h] 4_2_03462A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03302A69 xor edi, dword ptr fs:[00000030h] 5_2_03302A69

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif