|**ID**|**Type**|**Aliases**|**Platforms**|**Year**|**Associated ATT&CK Software**|
|---|---|---|---|---|---|
|X0022|Trojan (banking trojan)|Dreambot, Gozi|Windows|2016|Ursnif|

# Ursnif

Ursnif is a variant of Gozi. It is a banking trojan that is delivered through malicious Office macros which run a series of environment checks to evade sandbox detection before the payload executes.

## ATT&CK Techniques

|**Name**|**Use**|
|---|---|
|Discovery::System Location Discovery::System Language Discovery (T1614.001)|Ursnif gets keyboard layouts. [6]|

See ATT&CK: Ursnif - Techniques Used.

## Enhanced ATT&CK Techniques

|**Name**|**Use**|
|---|---|
|Persistence::Registry Run Keys / Startup Folder (F0012)|The malware adds registry entries to ensure automatic execution at system startup. [4]|
|Defense Evasion::Hijack Execution Flow (F0015)|The malware hooks exported functions of various DLLs when its DLL component is loaded into the respective browser process, in order to monitor network traffic. [4]|
|Discovery::System Information Discovery (E1082)|The malware uses Windows command prompt commands to gather system information, the task list, installed drivers, and installed programs. [4]|
|Collection::Input Capture (E1056)|The malware injects HTML into the browser session to collect sensitive online banking information while the victim performs online banking. [5]|
|Defense Evasion::Obfuscated Files or Information (E1027)|The malware creates an encrypted registry key called TorClient to store its data. [2]|
|Impact::Exploit Kit (E1190)|Ursnif is sometimes delivered via exploit kit. [7]|
|Collection::Keylogging::Polling (F0002.002)|Ursnif logs keystrokes via polling. [6]|

## MBC Behaviors

|**Name**|**Use**|
|---|---|
|Anti-Behavioral Analysis::Sandbox Detection::Self Check (B0007.007)|The malicious macros check whether the document's filename (the part before the extension) consists only of hexadecimal characters, a naming convention used by sandboxes that store samples under their hash, and do not proceed if it does. [1]|
|Execution::Conditional Execution (B0025.004)|The macros check that at least 50 processes with a graphical interface are running, that none of a list of blacklisted processes is running, and that the host is located in Australia and is not on a select group of networks (security research, hospitals, universities, veterans, etc.); the payload runs only when all of these conditions hold. [1]|
|Anti-Behavioral Analysis::Virtual Machine Detection::Check Processes (B0009.004)|The malware checks whether virtual machine processes (VirtualBox, VMware, etc.) are running. [1]|
|Command and Control::Domain Name Generation (B0031)|Previous iterations of Ursnif have used a domain generation algorithm. [2]|
|Command and Control::C2 Communication::Authenticate (B0030.011)|The Ursnif variant Dreambot authenticates to and encrypts traffic with the C2 server over Tor. [2]|
|Anti-Behavioral Analysis::Debugger Detection::TLS Callbacks (B0001.028)|The malware manipulates TLS callbacks while injecting into a child process. [3]|
|Memory::Change Memory Protection (C0008)|The malware changes the memory protection of the PE header page of the child process to writable, writes an 18-byte buffer at offset 0x40 from the image base of svchost.exe in the target child process, and then restores the page to read-only to avoid suspicion. [3]|
|Execution::Remote Commands (B0011)|Commands sent by a remote operator can archive and upload files, capture screenshots, clear cookies, download and execute other files, list running processes, reboot the affected system, steal certificates and cookies, update or download a configuration file, and upload a log file containing stolen information. [5]|
|Discovery::Code Discovery::Enumerate PE Sections (B0046.001)|Ursnif enumerates PE sections. [6]|
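The three macro-level checks above (B0007.007, B0025.004 and B0009.004) are what decide whether a sample detonates in an analysis environment at all, so it is worth being able to test a sandbox against them. The following is an added example written for this page, not Ursnif's own macro code and not part of the MBC catalog: it models the checks described in [1] over a constructed process list and shows the defender-side fix for the hex-filename check. The process names in `VM_PROCESS_NAMES` and `ANALYSIS_PROCESS_NAMES`, the `Process` type, and the function names are assumptions; the macro's actual blacklist is not reproduced on this page.

```python
"""Model of the anti-analysis checks the Ursnif macros perform before
dropping their payload ([1]: B0007.007, B0025.004 and B0009.004).
Added example for this page, not Ursnif's own code. Feed it your
sandbox's properties to see which checks would stop the real macro
from detonating. Process names below are assumptions; the macro's
actual blacklist is not reproduced on this page."""
import re
from dataclasses import dataclass

MIN_GUI_PROCESSES = 50          # threshold reported in [1]
TARGET_COUNTRY = "AU"           # the campaign only detonated in Australia [1]

# Assumed names of VM guest-tool processes (B0009.004) and of analysis
# tools a blacklist would plausibly contain (B0025.004).
VM_PROCESS_NAMES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe"}
ANALYSIS_PROCESS_NAMES = {"procmon.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe"}

HEX_STEM = re.compile(r"[0-9a-fA-F]+")


@dataclass(frozen=True)
class Process:
    name: str
    has_window: bool


def filename_looks_sandboxed(filename):
    """B0007.007: sandboxes routinely store a sample under its hash, so a
    filename whose part before the extension is all hex digits is treated
    as evidence of analysis. Accepts a bare name or a full path."""
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem = basename.rsplit(".", 1)[0] if "." in basename else basename
    return HEX_STEM.fullmatch(stem) is not None


def evaluate_environment(filename, processes, country_code, on_excluded_network):
    """Return the names of the checks that would make the macro bail out.
    An empty list means the payload would run on this host."""
    failed = []
    if filename_looks_sandboxed(filename):
        failed.append("hex_filename")
    gui_count = sum(1 for p in processes if p.has_window)
    if gui_count < MIN_GUI_PROCESSES:
        failed.append("too_few_gui_processes")
    names = {p.name.lower() for p in processes}
    if names & VM_PROCESS_NAMES:
        failed.append("vm_process_running")
    if names & ANALYSIS_PROCESS_NAMES:
        failed.append("blocklisted_process_running")
    if country_code != TARGET_COUNTRY or on_excluded_network:
        failed.append("outside_targeting")
    return failed


def disguise_sample_name(sha256_hex, extension=".docm"):
    """Defender-side counter-measure: keep part of the hash for
    traceability, but break the all-hex stem the macro keys on."""
    return "sample_" + sha256_hex[:16] + extension


# Constructed environments for the demo.
def sandbox_processes():
    """A bare analysis VM: few windows, guest tools and a monitor running."""
    return [Process("explorer.exe", True), Process("winword.exe", True),
            Process("vboxservice.exe", False), Process("procmon.exe", True),
            Process("svchost.exe", False)]


def victim_processes():
    """A busy user desktop: 60 windowed applications plus a few services."""
    return ([Process("app%02d.exe" % i, True) for i in range(60)]
            + [Process("svchost.exe", False), Process("lsass.exe", False)])


if __name__ == "__main__":
    sample = "6464cf93832a5188d102cce498b4f3be0525ea1b080fec9c4e12fae912984057.docm"
    print("sandbox:", evaluate_environment(sample, sandbox_processes(), "AU", False))
    print("victim: ", evaluate_environment("invoice.docm", victim_processes(), "AU", False))
    print("renamed:", disguise_sample_name(sample.split(".")[0]))
```

The practical takeaways are the ones the model makes visible: rename samples before submission (anything with a non-hex character in the stem defeats the self check), pad the guest with enough windowed processes, rename or hide guest-tool and monitoring processes, and give the guest an Australian egress address for this particular campaign. Note that the hex check also fires on legitimate names such as `deadbeef.docm`, which is why it is only one of several conditions the macro combines.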

## Indicators of Compromise

### SHA256 Hashes

- 6464cf93832a5188d102cce498b4f3be0525ea1b080fec9c4e12fae912984057
- 0b05fb5b97bfc3c82f46b8259a88ae656b1ad294e4c1324d8e8ffd59219005ac
- 9350609c8c806a9c1a667fd53926ea85745e1da239df7f3c2aad3e3527bd48d1

### URLs, IPs, and Domains

- hxxp://62.138.9[.]11/30030u
- hxxp://62.138.9[.]11/vnc32.dll
- hxxp://62.138.9[.]11/vnc64.dll
- 62.138.9[.]9
- 62.75.195[.]103
- 62.75.195[.]117
- ca-tda[.]com
- au-tdc[.]com
- au-tda[.]com
- 109.236.87[.]82:443
- hxxp://deekayallday[.]com/data/office
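The indicators above are defanged, and a mix of full URLs, bare IPs, an IP:port pair and domains, so they cannot be grepped for directly. The following is an added example for this page (not part of the MBC catalog) that refangs the list, indexes it by host and by full URL, and sweeps proxy, DNS and firewall log lines for both exact-URL and host-only hits. The log lines and their format are constructed for the demo; the function names are assumptions.

```python
"""Refang the defanged indicators listed above and sweep proxy, DNS and
firewall log lines for them. Added example for this page, not part of the
MBC catalog; the log lines are constructed and their format is assumed."""
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "hxxp://62.138.9[.]11/30030u",
    "hxxp://62.138.9[.]11/vnc32.dll",
    "hxxp://62.138.9[.]11/vnc64.dll",
    "62.138.9[.]9",
    "62.75.195[.]103",
    "62.75.195[.]117",
    "ca-tda[.]com",
    "au-tdc[.]com",
    "au-tda[.]com",
    "109.236.87[.]82:443",
    "hxxp://deekayallday[.]com/data/office",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Bare hosts in a log line: a dotted-quad IP or a domain with a TLD.
HOST_RE = re.compile(
    r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


def refang(ioc):
    """Undo the usual defanging: hxxp -> http, [.] -> ."""
    return (ioc.replace("[.]", ".").replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def classify(ioc):
    """Return (kind, host, url) for a refanged indicator."""
    if "://" in ioc:
        return ("url", urlsplit(ioc).hostname, ioc)
    host = ioc.partition(":")[0]            # drop an optional :port
    return ("ip" if IPV4_RE.match(host) else "domain", host.lower(), None)


def build_index(defanged):
    """Two lookup sets: every host (for DNS/firewall hits) and every full URL."""
    hosts, urls = set(), set()
    for ioc in defanged:
        _, host, url = classify(refang(ioc))
        hosts.add(host)
        if url:
            urls.add(url)
    return hosts, urls


def scan_logs(lines, hosts, urls):
    """Return a list of (line_number, match_kind, indicator) for each line
    that touches an IOC. An exact URL match ranks above a host-only match;
    a host-only match still matters because 62.138.9.11 served several
    payloads, so any contact with it is suspicious."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")
            if url in urls:
                hits.append((number, "url", url))
                break
            host = (urlsplit(url).hostname or "").lower()
            if host in hosts:
                hits.append((number, "host", host))
                break
        else:
            # No URL hit: look for bare hosts (DNS queries, firewall dst=...)
            for host in HOST_RE.findall(URL_RE.sub(" ", line)):
                if host.lower() in hosts:
                    hits.append((number, "host", host.lower()))
                    break
    return hits


# Constructed log lines (format assumed for the demo).
LOG_LINES = [
    "2016-06-14T09:12:01Z proxy client=10.0.0.5 GET http://62.138.9.11/vnc32.dll 200",
    "2016-06-14T09:12:03Z proxy client=10.0.0.5 GET http://62.138.9.11/favicon.ico 404",
    "2016-06-14T09:13:10Z dns client=10.0.0.7 query=au-tda.com type=A",
    "2016-06-14T09:13:11Z proxy client=10.0.0.7 GET https://www.example.com/ 200",
    "2016-06-14T09:14:00Z fw client=10.0.0.9 dst=109.236.87.82:443 action=allow",
]

if __name__ == "__main__":
    hosts, urls = build_index(DEFANGED_IOCS)
    for hit in scan_logs(LOG_LINES, hosts, urls):
        print(hit)
```

Host-level matching is deliberately kept alongside exact-URL matching: the page lists three payload paths on 62.138.9.11, so a client fetching any other path from that address is still worth a look, and the firewall line shows why the `:443` suffix must be stripped when indexing the IP:port indicator.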

## References

[1] https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques

[2] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

[3] https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html

[4] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279

[5] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279

[6] capa v4.0, analyzed at MITRE on 10/12/2022

[7] https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif