- 18.104.22.168 – serene.rushpcb.co.uk – GET /usde.php
- 22.214.171.124 – add.venicebeachsurflodge.com – RIG exploit kit
- VirusTotal report showing URLs resolving to that IP
- 126.96.36.199 – POST /ppp/gate.php – Pony callback traffic
- 188.8.131.52 – GET /degate/de.exe – Philadelphia ransomware
- 184.108.40.206 – GET /de/de.php? – Philadelphia ransomware callback traffic
File name: serene.rushpcb.co.ukusde.php.txt
File name: add.venicebeachsurflodge.com RigEK landing page.txt
File name: add.venicebeachsurflodge.com RigEK Flash Exploit.swf
File name: o32.tmp
File name: d0x936yo.exe
File name: de.exe, 103900378.exe, 103899520.exe
This infection chain began with me making a GET request for usde.php at serene.rushpcb.co.uk. Inspection of the file shows that the domain it is acting as a gate. However, due to lack of resources (i.e. no packets and logs), I don’t know how the user was redirected to this page. It could’ve been from malvertising, from a malicious link (in an email or otherwise), or it could have been from a compromised website. At this point I’m really not sure.
Viewing the source shows the following injected script:
Some people might have noticed that the injected script returned by usde.php is identical to those used by previous Good Man gates as well as compromised websites that had been redirecting users to Good Man gates. For example, below is an image taken from a Good Man gate, which was documented by Brad at malware-traffic-analysis.net.
The script is designed to redirect traffic to exploit kit landing pages. The landing page will then determine if your host is exploitable. Successful exploits will result in the malware payload being sent to your host.
During my investigation I did two runs, back to back, so RIG dropped d0x936yo.exe (1st run) and 3efgsu69.exe (2nd run) in %Temp%. Both files were 223 KB in size and produced the same hash value, making them identical payloads. The malware payload delivered by RIG EK is Pony (thanks to @Antelox for the ID).
Immediately following the initial RIG EK payloads being dropped and executed in %Temp% the host checked-in via an HTTP POST requests to the CnC at 220.127.116.11/ppp/gate.php.
Below is an image of the Pony login panel:
Those POST requests were followed by GET requests for de.exe, aka “103900378.exe” (1st run) and “103899520.exe” (2nd run) located at 18.104.22.168/degate/. De.exe is 1,073 KB in size and was the Philadelphia ransomware payload. To read more about Philadelphia ransomware check out this article from BleepingComputer.com:
Follow up post-infection traffic shows information about my host being sent back to the CnC:
The server’s initial response returns the victim ID (13 characters, alphanumeric), followed by a BTC wallet address and then by the ransom amount (0.3). You will also notice the continuous status updates throughout the encryption process. For example:
s=Encrypting+%280+files%29 = Encrypting+(0+files)
s=Encrypting+%282+files%29 = Encrypting+(2+files)
Once completed the host will check-in with the status update “Ransom+window”:
If you’re looking at Figure 1 you will likely notice that there were duplicate POST and GET requests. This is due to the fact that I had received two identical payloads from RIG EK. Normally a user would only receive one, which would have resulted in only one GET and POST request.
Below is an image of my %Temp% folder after the infection:
Apart from the malware payloads being dropped in %Temp% you will notice various other files being created during the infection. The website zeta-two.com recently published a detailed write-up on reversing Philadelphia ransomware. That analysis describes the contents of many of these same files. To read more about that click HERE.
Another thing to note is that executables dropped in %Temp% were appended with .locked, even though they weren’t actually encrypted.
We also find that the malware is copied to %AppData% and runs under the name winword.exe:
Additional files in %AppData%:
Startup menu and lnk file:
Registry entries used for persistence:
Ransom note (LOCKED.txt) dropped on Desktop:
Image of Desktop and ransom window:
The ransom window shows a “Deadline” to pay the ransom and as well as a “Russian Roulette” timer that counts down to when a random file will be deleted. The bitcoin amount being asked is 0.3.
My encrypted files are renamed with 16 numbers and the extension is changed to .locked:
Malicious Artifacts (password is “infected”)
Below is a link a free Decrypter offered by Emsisoft:
Until next time!