Malware-Traffic-Analysis.net - Pcaps for Tutorial on Examining Ursnif Infections

Wireshark Tutorial: Examining Ursnif Infections

Ursnif-traffic-example-5.pcap

• For the initial Ursnif binary, which URL returned a Windows executable file?
  • Objects → find exe → follow stream
  • hxxp://ritalislum[.]com/obedle/zarref.php?l=sopopf8.cab
• After the initial Ursnif binary was sent, the infected Windows host contacted different domains for the HTTP GET requests. Which domain was the traffic successful and allowed the infection to proceed?
  • "Basic" filter → check each HTTP Host stream (ignore 404, 302...)
  • k55gaisi[.]com
• What domain was used in HTTPS traffic after Ursnif became persistent on the infected Windows host?
  • See where TLS traffic goes after prev question, double-check certificate
  • n9maryjanef[.]com
• What URL ending in .rar was used to send follow-up malware to the infected Windows host?
  • frame contains "rar"
  • hxxp://testedsolutionbe[.]com/wp-content/plugins/apikey/uaasdqweeeeqsd.rar
• What IP addresses were used for the Dridex post-infection traffic?
  • IPs directly after prev question in "basic"
  • 185[.]99[.]133[.]38 and 5[.]61[.]34[.]51