Rig EK delivers Predator the Thief, MedusaHTTP, and Smoke Loader downloader

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2019-11-20-RigEK-pcap.zip


ASSOCIATED DOMAINS:

52.202.53.245 – usa.lupus-bra.com GET /zcvisitor/ – Redirect to Rig EK
148.251.72.21 – lendsblog.com – Redirect to Rig EK
94.130.90.228 – atztds25.world GET /vsrgq4gse43t4tw – Redirect to Rig EK
176.53.162.185 – Rig Exploit Kit
45.125.66.19 – greenboolinfo.com POST /admin/users/login/api/api.jsp – MedusaHTTP C2
185.205.210.118 – pmailadvert15dx.xyz GET /pred777amx.exe – Predator the Thief Payload
67.43.224.142 – nadvexmail19mn.xyz POST /api/check.get – Predator the Thief C2
67.43.224.142 – nadvexmail19mn.xyz POST /api/gate.get?p1= – Predator the Thief C2
192.64.119.112 – blogserv27.com POST /blogpics17/ – Smoke Loader downloader
185.222.202.235 – blogserv279.club POST /blogpics17/ – Smoke Loader downloader

ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[Sysmon Event 1] – Malware persistence via Scheduled Task: the Task Scheduler service (svchost.exe -k netsvcs) launches taskeng.exe for the malware's task under the logged-on user's session
Image C:\Windows\System32\taskeng.exe
CommandLine taskeng.exe {661C6111-0731-49CB-823F-81194ADA43B4} S-1-5-21-2754747757-4057292107-7765635498-1000:Jimmy-PC\Jimmy:Interactive:LUA[1]
CurrentDirectory C:\Windows\system32\
Hashes MD5=4F2659160AFCCA990305816946F69407,SHA256=9E70685B73B3EAB78C55863BABCEECC7CCA89475B508B2A9C651ADE6FDE0751A
ParentImage C:\Windows\System32\svchost.exe
ParentCommandLine C:\Windows\system32\svchost.exe -k netsvcs

[Sysmon Event 1] – The scheduled task's action: regsvr32.exe with /s /n /u /i:<file> scrobj runs the scriptlet at <file> through scrobj.dll instead of registering a DLL (the extensionless file under the user's AppData is the malware's script)
Image C:\Windows\System32\regsvr32.exe
CommandLine C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\Jimmy\AppData\Roaming\tuvragt" scrobj
CurrentDirectory C:\Windows\system32\
Hashes MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B
ParentImage C:\Windows\System32\taskeng.exe
ParentCommandLine taskeng.exe {661C6111-0731-49CB-823F-81194ADA43B4} S-1-5-21-2754747757-4057292107-7765635498-1000:Jimmy-PC\Jimmy:Interactive:LUA[1]
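The two events above give a hunting pattern that does not depend on the file name or hashes: regsvr32.exe invoked with `/i:<path> scrobj`, the path under a user profile, and taskeng.exe as the parent. The following is an added example (not code from the original post) that applies those rules to Sysmon Event ID 1 records rendered in the same "Field value" layout as the events quoted above; the three sample records are constructed to mirror those events plus one benign regsvr32 invocation, and the field names are the ones Sysmon emits.

```python
"""Hunt for the regsvr32 / scrobj.dll scriptlet pattern in Sysmon Event ID 1 records.

Added example for this post; the field names are the ones Sysmon emits, but the
sample records below are constructed to mirror the events above, not copied logs.
"""
import re

# /i:<target> followed by scrobj: regsvr32 hands <target> to scrobj.dll's
# DllInstall, which runs the COM scriptlet at that path (no DLL is registered).
SCROBJ_ARG = re.compile(r'/i:"?(?P<target>[^"\s]+)"?\s+scrobj(?:\.dll)?', re.IGNORECASE)
# A path under a user's profile is writable without admin rights.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Task Scheduler engine launching a task: taskeng.exe {<task GUID>} <SID>:...
TASKENG = re.compile(r"taskeng\.exe\s+\{[0-9A-Fa-f-]{36}\}")


def parse_event(block: str) -> dict:
    """Parse a 'FieldName value' per-line rendering of one Sysmon event into a dict.

    Only the first space separates field from value, so CommandLine keeps its spaces.
    """
    event = {}
    for line in block.strip().splitlines():
        field, _, value = line.strip().partition(" ")
        event[field] = value.strip()
    return event


def classify(event: dict) -> list:
    """Return the hunting hits for one Event 1 record; an empty list means no rule fired."""
    hits = []
    image = event.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return hits
    match = SCROBJ_ARG.search(event.get("CommandLine", ""))
    if not match:
        return hits
    hits.append("regsvr32 executing a scriptlet via scrobj.dll")
    target = match.group("target")
    if USER_WRITABLE.match(target):
        hits.append("scriptlet stored under a user profile (AppData)")
    if "." not in target.rsplit("\\", 1)[-1]:
        hits.append("scriptlet file has no extension")
    if TASKENG.search(event.get("ParentCommandLine", "")):
        hits.append("launched by a scheduled task (parent taskeng.exe)")
    return hits


def hunt(blocks: list) -> list:
    """Run classify() over several rendered events; return (Image, hits) for those that fired."""
    results = []
    for block in blocks:
        event = parse_event(block)
        hits = classify(event)
        if hits:
            results.append((event.get("Image", ""), hits))
    return results


# Constructed sample records in the same layout as the events quoted in this post.
SCRIPTLET_EVENT = r"""
Image C:\Windows\System32\regsvr32.exe
CommandLine C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\Jimmy\AppData\Roaming\tuvragt" scrobj
CurrentDirectory C:\Windows\system32\
ParentImage C:\Windows\System32\taskeng.exe
ParentCommandLine taskeng.exe {661C6111-0731-49CB-823F-81194ADA43B4} S-1-5-21-2754747757-4057292107-7765635498-1000:Jimmy-PC\Jimmy:Interactive:LUA[1]
"""

TASKENG_EVENT = r"""
Image C:\Windows\System32\taskeng.exe
CommandLine taskeng.exe {661C6111-0731-49CB-823F-81194ADA43B4} S-1-5-21-2754747757-4057292107-7765635498-1000:Jimmy-PC\Jimmy:Interactive:LUA[1]
ParentImage C:\Windows\System32\svchost.exe
ParentCommandLine C:\Windows\system32\svchost.exe -k netsvcs
"""

# Ordinary DLL registration by an installer (constructed): same binary, no scriptlet, must not fire.
BENIGN_REGSVR32_EVENT = r"""
Image C:\Windows\System32\regsvr32.exe
CommandLine regsvr32.exe /s C:\Windows\System32\msxml3.dll
ParentImage C:\Windows\System32\msiexec.exe
ParentCommandLine C:\Windows\System32\msiexec.exe /V
"""

if __name__ == "__main__":
    for image, hits in hunt([SCRIPTLET_EVENT, TASKENG_EVENT, BENIGN_REGSVR32_EVENT]):
        print(image)
        for hit in hits:
            print("  -", hit)
```

The taskeng.exe event on its own is not flagged: the Task Scheduler launching taskeng.exe is normal on every Windows 7 host, and it is the child regsvr32/scrobj process that carries the signal. When wiring this into a real pipeline, feed it the Sysmon XML or EVTX fields directly rather than the text rendering, and keep the parent check as a score booster rather than a requirement, since the same scriptlet can equally be launched from a Run key or a shortcut.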

Shown above: Malware creating persistence using Windows Scheduled Task

Shown above: Malware persistence executed through regsvr32.exe and scrobj.dll

Shown above: Network traffic associated with Rig Exploit Kit and dropped malware

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EK:

rad2F90A.tmp.exe – Original Payload
SHA256: 7c90dc2041ddd1d456220e50695dcaa310d1cb06b404a247f265eecfbba3e669
VirusTotal Link