Friday, April 28, 2017

How to get malware dropped from RigEK

I have been investigating RigEK for about 4 months, but analyzing it is very troublesome. In particular, finding out what malware is dropped by RigEK is the most time-consuming part for me.

That is because I don't have a dynamic analysis environment. I tried to build one before, but I gave up because of problems such as cost and lack of knowledge... So I only do static analysis of DbD (drive-by download) and EK (exploit kit) traffic.

So I created a tool that retrieves the malware from RigEK using static analysis only. The approach is simple: the tool just follows the steps RigEK takes to drop the malware on a victim. With it, I can now get the malware in about 1/100 of the time it took before.

I named the tool mal_getter. The code is here:
https://github.com/nao-sec/mal_getter

---

Here is a brief explanation of how to use it.

1. This tool uses PHP 7 and Composer; install them.
2. Clone mal_getter.
3. Install the required packages with Composer.
4. Give main.php the necessary information and get the malware.

For Example,

Please read the README for details ;)
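The four setup steps above as one script, with a preflight check on the PHP version. This is an added example and not part of the original post or of the mal_getter project; the checkout directory name is assumed, and the arguments to main.php are not given in the post, so the script stops short of inventing them (they are in the README).

```sh
#!/bin/sh
# Added example (not from the original post): the setup steps as a script,
# with a preflight check that PHP 7+ and Composer are available.
set -eu

REPO_URL="https://github.com/nao-sec/mal_getter"   # from the post
WORK_DIR="${WORK_DIR:-mal_getter}"                 # assumed checkout directory

# php_major_ok VERSION_LINE -> exit 0 if the PHP major version is 7 or newer.
# Takes the first line of `php -v`, which looks like "PHP 7.1.3 (cli) ...".
php_major_ok() {
    major=$(printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 7 ]
}

# preflight -> 0 if php (7+) and composer are on PATH, non-zero otherwise.
preflight() {
    command -v php >/dev/null 2>&1 || { echo "php not found" >&2; return 1; }
    php_major_ok "$(php -v | head -n 1)" || { echo "PHP 7 or newer required" >&2; return 1; }
    command -v composer >/dev/null 2>&1 || { echo "composer not found" >&2; return 1; }
}

# setup: steps 1-3 from the post (step 1 is only checked, not installed here).
setup() {
    preflight
    git clone "$REPO_URL" "$WORK_DIR"
    cd "$WORK_DIR"
    composer install        # fetches the dependencies listed in composer.json
    # Step 4: run main.php with the parameters described in the README, e.g.
    #   php main.php <arguments from README>
    # The post does not list them, so they are deliberately not filled in here.
}

# Only run the setup when explicitly requested, so the file can also be
# sourced just for the check functions.
if [ "${MAL_GETTER_SETUP:-0}" = "1" ]; then
    setup
fi
```

Run it with `MAL_GETTER_SETUP=1 sh setup.sh` (assumed file name); without the variable it only defines the functions.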

---

I skip the explanation of the code, because it would be meaningless: mal_getter depends heavily on RigEK and on the campaign code, so it will stop working soon. I don't see much of a future for this tool, so I am simply making it public. Although I intend to fix it each time it breaks, I think I will eventually reimplement it using a browser sandbox or similar.

Have a good analysis day😉
