Rig Exploit Kit delivers Bot Ransomware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2019-11-30-RigEK-pcap.zip

ASSOCIATED DOMAINS:

52.45.49.150 – usa.lucretius-ada.com GET /zcvisitor/ – REDIRECT TO RIG EK
94.130.90.228 – atztds50.xyz GET /we5tf234td355gww62 – REDIRECT TO RIG EK
82.146.56.206 – GET /?NDg2MDgx&DRAmvmYE&gJUL=everyone – RIG EK
192.64.119.112 – blogserv27.com POST /blogpics17/ – SMOKE LOADER C2
198.54.117.216 – www.blogserv27.com GET /blogpics17/?from=@ – SMOKE LOADER C2
5.101.181.110 – blogserv279.club POST /blogpics17/ – SMOKE LOADER C2
192.64.119.111 – kxserv250.club POST /blogpics17/ – SMOKE LOADER C2
185.222.202.235 – dsmail94x.xyz POST /blogpics17/ – SMOKE LOADER C2
185.205.210.118 – rmailserv19fd.xyz GET /isb777amx.exe – PAYLOAD DELIVERY
185.205.210.118 – rmailserv19fd.xyz GET /ant/ant.exe – PAYLOAD DELIVERY
2.56.215.211 – POST /index.php – C2 CHECK-IN
185.205.210.118 – rmailserv19fd.xyz GET /atx555mx.exe – PAYLOAD DELIVERY
185.205.210.118 – rmailserv19fd.xyz GET /val/val.exe – PAYLOAD DELIVERY
35.246.108.168 – POST /gate/log.php – RACCOON STEALER C2
185.205.210.118 – rmailserv19fd.xyz GET /dmx777amx.exe – PAYLOAD DELIVERY
35.246.108.168 – GET /gate/sqlite3.dll – ASSOCIATED WITH RACCOON STEALER PAYLOAD
185.205.210.118 – rmailserv19fd.xyz GET /sky/dmx777.exe – PAYLOAD DELIVERY
35.246.108.168 – GET /gate/libs.zip – ASSOCIATED WITH RACCOON STEALER PAYLOAD
185.205.210.118 – rmailserv19fd.xyz GET /socks777amx.exe – PAYLOAD DELIVERY
45.147.229.195 – POST /api/check.get – PREDATOR THE THIEF C2
185.205.210.118 – rmailserv19fd.xyz GET /sky/ztx777.exe – PAYLOAD DELIVERY
45.125.66.19 – bestwalletapiandroid.world POST /wordpress/user/login/api.jsp – MEDUSAHTTP C2
45.147.229.186 – rstarserver17km.xyz GET /sky/atx999.exe – PAYLOAD DELIVERY
45.147.229.195 – POST /api/gate.get?p1=0 – PREDATOR THE THIEF C2
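Added example, not part of the original post: a small Python matcher that turns the ASSOCIATED DOMAINS list above into a lookup table and runs it over web proxy log lines. The log line layout (timestamp, source IP, destination IP, method, URL, status) and the sample lines are constructed for illustration; the hostnames, IPs and URI paths in the table come from the list above, except the placeholder host newserv99.example, which only shows the path-only match. The path-only rule generalizes one observation from the list: the same /blogpics17/ URI is reused across five Smoke Loader C2 domains, so the path alone is worth a lower-confidence hit when the actor rotates domains.

```python
from urllib.parse import urlsplit

# Indicators from the post's ASSOCIATED DOMAINS list, keyed by hostname or
# destination IP (whichever the post gives), with the URI path prefix and role.
INDICATORS = {
    "usa.lucretius-ada.com": ("/zcvisitor/", "REDIRECT TO RIG EK"),
    "atztds50.xyz": ("/we5tf234td355gww62", "REDIRECT TO RIG EK"),
    "82.146.56.206": ("/?", "RIG EK"),
    "blogserv27.com": ("/blogpics17/", "SMOKE LOADER C2"),
    "www.blogserv27.com": ("/blogpics17/", "SMOKE LOADER C2"),
    "blogserv279.club": ("/blogpics17/", "SMOKE LOADER C2"),
    "kxserv250.club": ("/blogpics17/", "SMOKE LOADER C2"),
    "dsmail94x.xyz": ("/blogpics17/", "SMOKE LOADER C2"),
    "rmailserv19fd.xyz": ("/", "PAYLOAD DELIVERY"),
    "2.56.215.211": ("/index.php", "C2 CHECK-IN"),
    "35.246.108.168": ("/gate/", "RACCOON STEALER C2"),
    "45.147.229.195": ("/api/", "PREDATOR THE THIEF C2"),
    "bestwalletapiandroid.world": ("/wordpress/user/login/api.jsp", "MEDUSAHTTP C2"),
    "rstarserver17km.xyz": ("/sky/", "PAYLOAD DELIVERY"),
}

# Path-only indicators: the post shows /blogpics17/ reused across five Smoke
# Loader C2 domains, so the path by itself is a lower-confidence hit.
PATH_INDICATORS = {
    "/blogpics17/": "SMOKE LOADER C2 (path only, possible new domain)",
}


def classify_request(dst_ip, url):
    """Return (role, matched indicator) for a request, or None if nothing matches.

    Host/IP plus path prefix is checked first (high confidence), then the
    path-only table (lower confidence).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path + ("?" + parts.query if parts.query else "")
    for key in (host, dst_ip):
        hit = INDICATORS.get(key)
        if hit and path.startswith(hit[0]):
            return hit[1], key
    for prefix, role in PATH_INDICATORS.items():
        if path.startswith(prefix):
            return role, prefix
    return None


def scan_proxy_log(lines):
    """Scan constructed proxy log lines: '<ts> <src_ip> <dst_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, skip rather than guess
        ts, src, dst, method, url, status = fields[:6]
        result = classify_request(dst, url)
        if result:
            role, indicator = result
            hits.append({"ts": ts, "src": src, "dst": dst, "method": method,
                         "url": url, "role": role, "indicator": indicator})
    return hits


# Constructed sample log: four requests built from the post's indicator list,
# one benign request, and one path-only hit on a placeholder domain.
SAMPLE_LOG = [
    "2019-11-30T15:01:02Z 10.11.30.101 52.45.49.150 GET http://usa.lucretius-ada.com/zcvisitor/ 302",
    "2019-11-30T15:01:03Z 10.11.30.101 82.146.56.206 GET http://82.146.56.206/?NDg2MDgx&DRAmvmYE&gJUL=everyone 200",
    "2019-11-30T15:01:20Z 10.11.30.101 192.64.119.112 POST http://blogserv27.com/blogpics17/ 200",
    "2019-11-30T15:01:30Z 10.11.30.101 185.205.210.118 GET http://rmailserv19fd.xyz/isb777amx.exe 200",
    "2019-11-30T15:02:00Z 10.11.30.101 93.184.216.34 GET http://example.com/index.html 200",
    "2019-11-30T15:02:10Z 10.11.30.101 203.0.113.9 POST http://newserv99.example/blogpics17/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} {hit['method']} {hit['url']}  [{hit['role']}]")
```

Matching on the URI path in addition to the host or IP keeps the benign example.com request out of the results, and the path-only table surfaces the placeholder domain that reuses the Smoke Loader URI even though neither its hostname nor its IP is on the list.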


SOME ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[Sysmon Event 1] – Vssadmin deleting shadow copies during ransomware infection
Image C:\Windows\System32\vssadmin.exe
CommandLine vssadmin delete shadows /all /quiet
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\
Hashes MD5=6E248A3D528EDE43994457CF417BD665,SHA256=E09BF4D27555EC7567A598BA89CCC33667252CEF1FB0B604315EA7562D18AD10
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine "C:\Windows\system32\cmd.exe"

[Sysmon Event 1] – Mshta used to open and display ransom note within a hta file
Image C:\Windows\System32\mshta.exe
CommandLine "C:\Windows\System32\mshta.exe" "C:\Users\Jack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\
Hashes MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820
ParentImage C:\Users\Jack\AppData\Local\Temp\11EB.tmp.exe
ParentCommandLine C:\Users\Jack\AppData\Local\Temp\11EB.tmp.exe

[Sysmon Event 1] – Raccoon Stealer deleting self from compromised host
Image C:\Windows\System32\cmd.exe
CommandLine cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Jack\AppData\Local\Temp\4EE.tmp.exe"
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\AdLibs\
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Users\Jack\AppData\Local\Temp\4EE.tmp.exe
ParentCommandLine C:\Users\Jack\AppData\Local\Temp\4EE.tmp.exe
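Added example, not part of the original post: a Python hunting script that parses Sysmon Event 1 records written in the field/value layout used above and flags the three behaviours the post calls out (shadow copy deletion via vssadmin, mshta opening an .hta from a user Startup folder or from a parent in Temp, and a cmd.exe "ping ... & del" chain that deletes its own parent image). The three malicious records are the ones from the post; the fourth record (a plain "vssadmin list shadows" from an admin shell) is constructed so the script has a benign event to pass over. Field names follow the post's layout; a real Sysmon pipeline would feed the same dictionaries from event XML or a SIEM export instead.

```python
import re

# Sysmon Event 1 records in the post's field/value layout. The first three
# are from the post; the fourth is a constructed benign event.
SAMPLE_EVENTS = r"""
[Sysmon Event 1] - Vssadmin deleting shadow copies during ransomware infection
Image C:\Windows\System32\vssadmin.exe
CommandLine vssadmin delete shadows /all /quiet
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine "C:\Windows\system32\cmd.exe"

[Sysmon Event 1] - Mshta used to open and display ransom note within a hta file
Image C:\Windows\System32\mshta.exe
CommandLine "C:\Windows\System32\mshta.exe" "C:\Users\Jack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\
ParentImage C:\Users\Jack\AppData\Local\Temp\11EB.tmp.exe
ParentCommandLine C:\Users\Jack\AppData\Local\Temp\11EB.tmp.exe

[Sysmon Event 1] - Raccoon Stealer deleting self from compromised host
Image C:\Windows\System32\cmd.exe
CommandLine cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Jack\AppData\Local\Temp\4EE.tmp.exe"
CurrentDirectory C:\Users\Jack\AppData\Local\Temp\AdLibs\
ParentImage C:\Users\Jack\AppData\Local\Temp\4EE.tmp.exe
ParentCommandLine C:\Users\Jack\AppData\Local\Temp\4EE.tmp.exe

[Sysmon Event 1] - Constructed benign event: admin listing shadow copies
Image C:\Windows\System32\vssadmin.exe
CommandLine vssadmin list shadows
CurrentDirectory C:\Windows\system32\
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine "C:\Windows\system32\cmd.exe"
"""


def parse_sysmon_text(text):
    """Parse blank-line separated records of '<Field> <value>' lines into dicts.

    Header lines in square brackets are descriptive labels and are skipped.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("["):
                continue
            key, _, value = line.partition(" ")
            event[key] = value.strip()
        if event:
            events.append(event)
    return events


def rule_shadow_copy_deletion(ev):
    """vssadmin.exe asked to delete shadow copies (any scope, not just /all)."""
    img = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    return img.endswith("\\vssadmin.exe") and "delete" in cmd and "shadows" in cmd


def rule_mshta_hta_from_user_path(ev):
    """mshta.exe opening an .hta from a user Startup folder or spawned from Temp."""
    img = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if not img.endswith("\\mshta.exe") or ".hta" not in cmd:
        return False
    return "\\startup\\" in cmd or "\\appdata\\local\\temp\\" in parent


# "ping <host> ... & del [/switches] <path.exe>" with the path optionally quoted.
SELF_DELETE = re.compile(r'ping\s+\S+.*&\s*del\s+(?:/\w\s+)*"?([^"]+\.exe)"?', re.IGNORECASE)


def rule_ping_del_self_delete(ev):
    """cmd.exe delaying with ping, then deleting the very image that spawned it."""
    if not ev.get("Image", "").lower().endswith("\\cmd.exe"):
        return False
    m = SELF_DELETE.search(ev.get("CommandLine", ""))
    if not m:
        return False
    return m.group(1).strip().lower() == ev.get("ParentImage", "").lower()


RULES = [
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
    ("mshta_hta_from_user_path", rule_mshta_hta_from_user_path),
    ("ping_del_self_delete", rule_ping_del_self_delete),
]


def hunt(events):
    """Return (rule name, Image, ParentImage) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("Image", ""), ev.get("ParentImage", "")))
    return hits


if __name__ == "__main__":
    for name, image, parent in hunt(parse_sysmon_text(SAMPLE_EVENTS)):
        print(f"{name}: {image} (parent {parent})")
```

The self-delete rule compares the deleted path against ParentImage rather than alerting on every "ping & del" chain, which is what separates this cleanup behaviour from ordinary batch scripts; the vssadmin rule deliberately ignores the benign "list shadows" record.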


IMAGES AND DETAILS:


Shown above: Some of the network traffic associated with Rig Exploit Kit and follow-up malware



Shown above: Ransom note hta file associated with Bot Ransomware



Shown above: Ransom note dropped on infected host’s desktop


all your data has been locked us
You want to return?
write email admin@sectex.net or admin@sectex.world


EXTRACTING MALICIOUS FILES FROM PCAP FOR FURTHER ANALYSIS IN MALWARE LAB: