Skip to content
List of tools to assist in analyzing samples of ISFB/Gozi/Ursnif
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

ISFB Analysis Tools

Extracts embedded executable/configuration inside a sample of ISFB. Relies on "JJ" joiner structure being present in binary underneath section table, so if the sample you have does not have the structure, you probably have the first stage. Unpack that and dump the second stage from memory. After using PEBear or a similar tool to unmap the dumped stage, you should be able to use this tool to extract either a third stage payload from inside, or a configuration file - provided that the joiner structure is present.

Tested with ISFB Version 2.17 - Should work with other Version 2.xx

Example: python unpacked_isfb.exe

Requires PEfile

Decrypts BSS section from unpacked ISFB executable - simply requires the campaign date and will decrypt the section, outputting the raw data after decryption, plus an array of integers for easy importing into IDA Pro for overwriting the BSS section.

Requires PEfile

Pass a C2 response to this and it will Base64 decode the data, RSA decrypt the last block, Serpent decrypt the executable, make sure the MD5 hashes match, and dump out the binary. Make sure that the RSA public key is correct, otherwise it will not decrypt the data correctly.

Example: python received_data.bin

Requires Crypto

You can’t perform that action at this time.