Let’s Learn: Pushdo Loader Analysis from RIG EK

Goal: Reverse the Pushdo Trojan, delivered from the RIG Exploit Kit on June 22, 2017.
Source@Zerophage1337

Pushdo execution flow:

Registry persistence: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Self-kill routine: 

:repeat
del %s
if exist %s
goto :repeat
del %

Random C2 domains:

ex-olive[.]com;pb-games[.]com;fink[.]com;stnic[.]co[.]uk;netcr[.]com;findbc[.]com;tyrns[.]com;medius[.]si;ora[.]ecnet[.]jp;c9dd[.]com;sclover3[.]com;spanesi[.]com;fcwcvt[.]org;h-f[.]net;2print[.]com;nunomira[.]com;x0c[.]com;owsports[.]ca;cokocoko[.]com;evcpa[.]com;sjbs[.]org;depalo[.]com;wifi4all[.]nl;abdg[.]com;holleman[.]us;domon[.]com;fe-bauer[.]de;cel-cpa[.]com;alteor[.]cl;ottospm[.]com;transsib[.]com;com-sit[.]com;ka-mo-me[.]com;pr-park[.]com;mqs[.]com[.]br;yoruksut[.]com;rs-ag[.]com;ora-ito[.]com;iamdirt[.]com;wnsavoy[.]com;elpro[.]si;myropcb[.]com;fnw[.]us;photo4b[.]com;koz1[.]net;pupi[.]cz;snugpak[.]com;item-pr[.]com;pdqhomes[.]com;valdal[.]com;mobilnic[.]net;nqks[.]com;quadlock[.]com;waldi[.]pl;abart[.]pl;vexcom[.]com;hummer[.]hu;synetik[.]net;baijaku[.]com;valselit[.]com;crcsi[.]org;udesign[.]biz;credo[.]edu[.]pl;11tochi[.]net;otena[.]com;vitaindu[.]com;edimart[.]hu;olras[.]com;wkhk[.]net;naoi-a[.]com;pohlfood[.]com;jenco[.]co[.]uk;pcgrate[.]com;petsfan[.]com;tc17[.]com;vazir[.]se;aevga[.]com;lrsuk[.]com;xaicom[.]es;pwd[.]org;nelipak[.]nl;speelhal[.]net;dgmna[.]com;ftchat[.]com;tvtools[.]fi;gpthink[.]com;maktraxx[.]com;kernsafe[.]com;jacomfg[.]com;dayvo[.]com;reglera[.]com;yocinc[.]org;jchysk[.]com;railbook[.]net;yumgiskor[.]kz;t-tre[.]com;fnsds[.]org;stajum[.]com;medisa[.]info;jroy[.]net

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: