- 126.96.36.199 – datsonsdaughter.com – Good Man gate
- 188.8.131.52 – see.letsown.com – RIG EK
- 184.108.40.206 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2
- 220.127.116.11 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site
- 18.104.22.168 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site
- 22.214.171.124 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site
- Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key]
File name: RIG EK Flash Exploit.swf
File name: o32.tmp
File name: udxmr3hn.exe
This infection started off with me visiting a Good Man gate. For those of you who don’t know what that is you can read more about that HERE. The gate domain for this infection chain was datsonsdaughter[.]com. It contained an iframe that redirected the host to a RIG EK landing page at see.letsown.com.
You can tell by the traffic that the gate domain kept refreshing over and over again. This caused multiple GET requests for the gate, landing page, Flash exploit, and SAGE ransomware payload. Eventually I had to close IE to prevent the page from refreshing.
Once on the landing page we see o32.tmp dropped and executed in %Temp%:
The script downloads the payload which is dropped and executed in %Temp%:
The payload is copied to AppData:
- Schedules a task via schtasks.exe to be executed at a specific time and date
- Deletes volume snapshots via vssadmin.exe delete shadows /all /quiet command (often used by Ransomware)
- Disables startup repair
- Tries to suppress failures during boot (often used to hide system changes)
- Executes a VBScript via process wscript.exe with commandline “%Temp%f1.vbs”
The malware created .bat files in %Temp%. Each file has similar instructions:
The Desktop background is changed to the ransom note via a .bmp image found in %Temp%:
Encrypted files are appended with a .sage extension. An image of a lock is also used by the ransomware to signify that the file is encrypted:
Trying to open an encrypted file prompts the user with some instructions:
The ransom notes are called !HELP_SOS.hta. Users are pointed to three different domains hosted on various TLDs and an optional .onion domain for users needing to use the Tor browser/network.
Below are some images of the user login page and the decrypter page:
I’m attaching the .bmp image used on the Desktop and the .hta ransom note below:
Sorry for the late post on this infection. I was sick most of the week. Until next time!