Rig EK drops Pony, leads to Philadelphia Ransomware


It’s always interesting to find different malware being dropped by Rig EK. This campaign was found via malvertising. There did not appear to be a compromised site as such, so a TDS may have been involved. The landing page and the Flash file/payload appeared to be hosted on different IP addresses, which is unusual.

The initial payload was the Pony loader, which loaded a ransomware known as Philadelphia ransomware. This ransomware is created from a builder. The instructions are here.


It encrypted files with a .locked extension and demanded a 0.3 Bitcoin ransom. It is not known to be particularly sophisticated malware.

I requested the help of @Antelox again, who quickly identified it as Pony/Philadelphia just from my description.

Background Information:

  • A few articles on Rig exploit kit and its evolution:


  • Articles regarding Philadelphia ransomware.




(in password protected zip: (infected))

Details of infection chain:



Rig EK drops Pony loader which loads Philadelphia Ransomware

Full Details:

A malvertising chain (possible Keitaro TDS) leads to a 302 to Rig EK.

The Rig landing page is however the Flash file and payload come from which also appears to have no domain. The landing page displayed the text “Hehe nuclear” in the browser.


The payload dropped was the Pony loader, which made a POST request to

SHA256: 82a363d6e60ec002b7d76f05970292b993f9ef72192e1db552b1f32b907cd466
File name: oeloatd4.exe
Detection ratio: 22 / 61

Pony then downloads a large executable, which is a Philadelphia ransomware variant.

SHA256: 661133c3848e57c4541a54b094c1b7124986872c4ce475ceda02440b48c823c1
File name: 2223607.exe
Detection ratio: 41 / 61

The ransomware appeared to be very noisy. The CnC traffic used the user agent string “AutoIt” and the URLs were self-explanatory, such as “de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%280+files%29”. The ransomware is written in the AutoIt scripting language.
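The check-in traffic described above is easy to spot in proxy logs. The following is an added example and not code from the original post: it scans constructed log lines (placeholder host, constructed timestamps and client IPs) for the bare “AutoIt” user agent and the de.php?p=Ping query shape, and decodes the s= status field to recover the reported encryption progress.

```python
# Added example (not from the original post): flag Philadelphia-style
# check-ins in web proxy logs. All log lines below are constructed.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log: timestamp, client, method, URL, user agent.
# The host is a placeholder; the path/query shape and the "AutoIt" user
# agent are the indicators described in the post.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z 10.0.0.5 GET http://cnc-placeholder.invalid/de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%280+files%29 AutoIt
2017-05-01T10:00:09Z 10.0.0.5 GET http://cnc-placeholder.invalid/de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%2812+files%29 AutoIt
2017-05-01T10:00:10Z 10.0.0.7 GET http://example.org/index.html Mozilla/5.0
2017-05-01T10:00:11Z 10.0.0.9 GET http://example.org/de/de.php?p=Ping&id=abc&s=Idle Mozilla/5.0
"""

PING_PATH = re.compile(r"/de\.php$")
FILES_RE = re.compile(r"\((\d+) files\)")

def inspect_request(url, user_agent):
    """Return (reasons, details) for one request; empty reasons means clean."""
    reasons = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)          # parse_qs also undoes '+' and %XX escapes
    if user_agent.strip() == "AutoIt":     # bare scripting-runtime UA, no browser string
        reasons.append("autoit-user-agent")
    if PING_PATH.search(parts.path) and query.get("p") == ["Ping"]:
        reasons.append("philadelphia-ping-url")
    status = query.get("s", [""])[0]       # e.g. "Encrypting (0 files)"
    m = FILES_RE.search(status)
    details = {
        "host": parts.hostname,
        "beacon_id": query.get("id", [""])[0],
        "status": status,
        "files_encrypted": int(m.group(1)) if m else None,
    }
    return reasons, details

def analyze_log(text):
    """Scan whitespace-separated log lines; return one hit per flagged request."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ua = line.split(maxsplit=4)
        reasons, details = inspect_request(url, ua)
        if reasons:
            hits.append({"time": ts, "client": client, "reasons": reasons, **details})
    return hits

if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit)
```

The fourth constructed line shows why the reasons are reported separately: a matching URL under a normal browser user agent is still worth a look, but the bare “AutoIt” string on the same request is the stronger signal.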


Finally, a window is created with a red ransom demand. A ransom note is created and all files are encrypted with the .locked extension. It also appeared to lock me out of accessing common folders such as Pictures. The ransomware demands 0.3 Bitcoin.





This is a list of files that were dropped (you can download these):

