Rig Exploit Kit delivers SmokeLoader and additional malware

I have added a zipped pcap file for your analysis. The password for the zip archive is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-08-26-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES

176.57.215.9 – Rig Exploit Kit landing page
31.148.99.136 – lionoi.adygeya.su – POST / – SmokeLoader post-infection traffic
37.143.8.149 – mioei4.adygeya.su – GET /padnd78s.exe – Payload delivery
31.148.99.111 – zzpe4ork.ashgabad.su – GET /vncnv.exe – Payload delivery
217.182.208.91 – Port 81 – Post-infection C2
93.170.123.68 – uiaoduiiej.chimkent.su – Post-infection C2

DNS QUERIES:

milliaoin.info – Domain associated with SmokeLoader


IMAGES AND DETAILS OF INFECTION CHAIN:

Image: Network traffic associated with the Rig Exploit Kit (EK) and post-infection traffic

Image: DNS traffic associated with the SmokeLoader infection

Image: SmokeLoader using Task Scheduler to remain persistent

Image: Sysmon logs showing taskeng.exe assisting SmokeLoader to remain persistent on the infected host

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EK:

2018-08-26-padnd78s.exe – Original Payload
Persistence: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\vcjgdstc\
SHA-256: 701ef262057d19a931def7c6519c1e03581038eb1277d1b312d8515447725351
VirusTotal Link

2018-08-26-vncnv.exe – Secondary Payload
Persistence: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeService.exe
SHA-256: 065b9ffb8d3e0c276cb0bc5124270cb919eb2ee4756259a176cab17388397547
VirusTotal Link
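The indicators above are only useful once they are swept against your own telemetry. The script below is an added example (not part of the original post or its pcap): it loads the post's IPs, domains, payload hashes and persistence locations as indicator data and runs them over a handful of constructed log lines in a hypothetical "timestamp proto details" format. The sample log, the 10.8.26.101 victim address, the 8-letter-directory heuristic for the AppData\Roaming\Microsoft\Windows drop and the "weak indicator" rule for port 81 are all assumptions made for the example; the indicator values themselves come from the post.

```python
import re

# Network indicators taken from the post (IP -> description, domain -> description).
IOC_IPS = {
    "176.57.215.9": "Rig EK landing page",
    "31.148.99.136": "SmokeLoader POST / (lionoi.adygeya.su)",
    "37.143.8.149": "payload delivery padnd78s.exe (mioei4.adygeya.su)",
    "31.148.99.111": "payload delivery vncnv.exe (zzpe4ork.ashgabad.su)",
    "217.182.208.91": "post-infection C2 (port 81)",
    "93.170.123.68": "post-infection C2 (uiaoduiiej.chimkent.su)",
}
IOC_DOMAINS = {
    "lionoi.adygeya.su": "SmokeLoader post-infection traffic",
    "mioei4.adygeya.su": "payload delivery",
    "zzpe4ork.ashgabad.su": "payload delivery",
    "uiaoduiiej.chimkent.su": "post-infection C2",
    "milliaoin.info": "domain associated with SmokeLoader",
}
# Payload hashes taken from the post.
IOC_SHA256 = {
    "701ef262057d19a931def7c6519c1e03581038eb1277d1b312d8515447725351": "padnd78s.exe (original payload)",
    "065b9ffb8d3e0c276cb0bc5124270cb919eb2ee4756259a176cab17388397547": "vncnv.exe (secondary payload)",
}

# Tokenisers for the hypothetical log format used by SAMPLE_LOG below.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

# Persistence locations seen in the post: an .exe dropped in the Startup folder,
# and a random-looking 8-letter directory under AppData\Roaming\Microsoft\Windows
# (the 8-letter rule is an assumption generalised from the single sample "vcjgdstc").
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
ROAMING_DIR_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\([a-z]{8})(?:\\|$)", re.I)

# Constructed sample log; only the indicator values are real. 10.8.26.101 is an assumed victim.
SAMPLE_LOG = """\
2018-08-26 14:01:02 DNS query A milliaoin.info from 10.8.26.101
2018-08-26 14:01:09 TCP 10.8.26.101 -> 176.57.215.9:80 established
2018-08-26 14:01:15 HTTP GET /padnd78s.exe host=mioei4.adygeya.su server=37.143.8.149
2018-08-26 14:01:40 TCP 10.8.26.101 -> 217.182.208.91:81 established
2018-08-26 14:02:03 HTTP POST / host=lionoi.adygeya.su server=31.148.99.136
2018-08-26 14:02:30 DNS query A www.example.com from 10.8.26.101
2018-08-26 14:02:45 TCP 10.8.26.101 -> 93.184.216.34:443 established
"""


def scan_line(line):
    """Return the de-duplicated list of indicator descriptions that one log line matches."""
    hits = []
    for ip, port in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(IOC_IPS[ip])
        if port == "81":  # the post's C2 used port 81; flag it on its own as a weak indicator
            hits.append("TCP to non-standard port 81 (weak indicator)")
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_DOMAINS:
            hits.append(IOC_DOMAINS[host.lower()])
    return list(dict.fromkeys(hits))


def scan_log(text):
    """Map 1-based line numbers to their hits, keeping only lines that matched something."""
    results = {}
    for number, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results


def classify_persistence(path):
    """Label a file-system path by the persistence pattern it resembles, or None."""
    if STARTUP_RE.search(path):
        return "startup-folder"
    if ROAMING_DIR_RE.search(path):
        return "roaming-random-dir"
    return None


def lookup_sha256(hexdigest):
    """Return the payload name for a known hash, or None."""
    return IOC_SHA256.get(hexdigest.lower())


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {'; '.join(hits)}")
    for p in (r"C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeService.exe",
              r"C:\Users\Steve\AppData\Roaming\Microsoft\Windows\vcjgdstc"):
        print(p, "->", classify_persistence(p))
```

Benign lines (the example.com lookup and the HTTPS connection) produce no hits, while every line that touches one of the post's indicators is reported with its role in the chain; the port-81 rule is kept separate and labelled weak because non-standard ports alone are not a reliable signal.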