
Ursnif Malware — Reconstructing a 6-Stage Infection Chain from a PCAP
date: 2026-03-20
description: A walkthrough of my first real malware PCAP investigation — how Ursnif used .avi file extensions to disguise DLL payloads, TLS C2 beaconing, and how I mapped the full attack to MITRE ATT&CK with Splunk detection rules.

One of the most powerful skills a SOC analyst can develop is the ability to look at a packet capture and reconstruct exactly what an attacker did — step by step, packet by packet. This write-up walks through my first real PCAP investigation using a controlled Ursnif/Gozi banking trojan dataset from malware-traffic-analysis.net — a site widely used in the security community for analyst training.

Result: 6-stage infection chain reconstructed · 10 IOCs extracted · 5 Splunk detection rules written — from 2,180 packets.

What is Ursnif?

Ursnif (also known as Gozi or ISFB) is one of the oldest banking trojans documented in the wild. Key characteristics:

- Delivered via malicious Office document macros
- Multi-stage payload delivery using disguised file
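One detection that follows from the disguised-payload stage described above is to compare the extension a download claims with the magic bytes the body actually carries: a response served as a .avi that begins with an MZ/PE header is a DLL, whatever the URL says. This is an added example, not code from the original post; the URL paths and byte samples are constructed for illustration.

```python
import os
import struct

# Extensions a download might claim that should never carry a PE image.
MEDIA_EXTENSIONS = {".avi", ".mp4", ".jpg", ".png", ".gif", ".mp3"}


def is_pe_image(data: bytes) -> bool:
    """True if data looks like a Windows PE (EXE/DLL): an 'MZ' DOS header
    whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_riff_avi(data: bytes) -> bool:
    """True if data carries a genuine RIFF container tagged as AVI."""
    return data[:4] == b"RIFF" and data[8:12] == b"AVI "


def check_download(url_path: str, body: bytes) -> str:
    """Classify an HTTP response body against the extension its URL claims.
    Returns 'disguised_pe', 'pe', 'media_ok' or 'other'."""
    ext = os.path.splitext(url_path.split("?", 1)[0])[1].lower()
    if is_pe_image(body):
        return "disguised_pe" if ext in MEDIA_EXTENSIONS else "pe"
    if ext == ".avi" and is_riff_avi(body):
        return "media_ok"
    return "other"


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ stub with e_lfanew -> 'PE\\0\\0' at 0x80."""
    stub = bytearray(0x84)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub[0x80:0x84] = b"PE\x00\x00"
    return bytes(stub)


# Constructed sample: a real-looking RIFF/AVI header with padding.
REAL_AVI = b"RIFF" + (100).to_bytes(4, "little") + b"AVI LIST" + b"\x00" * 40


def demo() -> list:
    """Run the check over three constructed downloads (assumed URL paths)."""
    samples = [
        ("/video/clip.avi", build_fake_pe()),   # DLL served with a .avi name
        ("/video/clip.avi", REAL_AVI),          # genuine AVI container
        ("/update/svc.dll", build_fake_pe()),   # PE with an honest extension
    ]
    return [check_download(path, body) for path, body in samples]
```

In a SOC workflow the same check runs over bodies carved from the PCAP (for example Wireshark's Export Objects output), and a `disguised_pe` verdict is the event worth alerting on.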
Continue reading on Dev.to



