Last active June 17, 2022 11:18
Rough summary of developing BadRabbit info
BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
Requires user interaction.
Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
Not globally self-propagating, but could be inflicted on selected targets on purpose.
May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
Supporting infrastructure shut down a few hours after starting (per Beaumont, Motherboard)
Very cool diagram of infection flow at Endgame by @malwareunicorn:
Initial infection:
Watering-hole attack, sourced from compromised media/news sites in selected regions.
Poses as fake Flash update.
Watering-hole-style / drive-by likely, but may also be selectively targeted.
Beaumont (GossiTheDog) suspects supply-chain tampering or injection (it appears to be self-limiting, with a shutdown, etc.)
Mostly affecting .ru/.ua so far. Media outlets, transportation, gov may have been early targets.
Watering holes in Germany, Turkey, Bulgaria, Montenegro.
Avast says also Poland and South Korea?
Good summary thread of country coverage from @Steve3D and contributors (no US *infections* known)
Avast says some US have been detected (as @Steve3D notes, detected != infected)
McAfee says no US detected yet
Check Point says some US detections
Map (indirectly sourced from Avast PR?)
Better source, later in the timeline:
List of targeted file extensions:
Image Tweet:
Components and methods:
Using legit signed DiskCryptor binary to encrypt.
Encrypts using AES-128-CBC (per Kaspersky article)
Creates scheduled task to reboot the target system.
May be using EternalBlue (or at least triggers controls that are watching for its use?); Unit 42 sees no sign of this
Incorporates stripped-down Mimikatz to discover credentials for propagation.
Named "rabbitlib.dll"
Overwrites MBR to deliver ransom message.
Ransom message directs users to Tor-based (.onion) site
Gives a "please turn off antivirus" user message in some circumstances.
Also spreads via SMB and WebDAV - locally self-propagating
Also uses this hard-coded list of creds:
C:\WINDOWS\cscc.dat == DiskCryptor (block execution to inoculate?)
C:\Windows\infpub.dat == #BADRABBIT pushed laterally (block execution to inoculate?)
Creating a read-only version of this file may halt infection; more below
Analysis of flash_install.php component
Video of action:
Apparently clears Windows logs and the filesystem journal, per ESET and Carbon Black
Uses wevtutil cmdline
Appears to be McAfee-aware:
May incorporate copy-and-pasted Microsoft cert/signing?
@mattifestation PS script to search for other use:
Also installs a keylogger? [source?]
(The Register mentions this third-hand)
Wipes boot sector and puts kernel at the end of the drive?
C&C and payload domains were set up well in advance:
Unlike NotPetya, confirmed to be decrypt-ready: (Kaspersky)
13% code reuse of NotPetya
Good analysis from @bartblaze of similarities between NotPetya and BadRabbit:
May be a variant of Diskcoder, per ESET
LIVE SAMPLE (see tweet for password, use at your own risk):
Still contains link to external debugging symbols file (.pdb) [can this be manipulated?] (@malwareunicorn):
Shut down a few hours after starting:
Pop-culture references contained:
Game of Thrones dragons (Drogon, Rhaegal)
Hackers movie (bottom of list of hard-coded passwords)
Yara rule (from a McAfee lead engineer)
Another Yara, including Mimikatz:
IOCs (via ESET)
(via @GossitheDog):
* block inbound SMB
* use Credential Guard in Windows
* control # of admins
* monitor scheduled tasks and service creation
** Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat
** remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :)
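One way to script the vaccination steps above, added here as an example (it is not the gist's, GossiTheDog's or Cybereason's code). It assumes an elevated PowerShell session on the host being inoculated; Protect-VaccineFile and Test-VaccineFile are names chosen for this example.

```powershell
# Added example, not from the gist: create the two files BadRabbit drops and
# strip every ACE from them so the dropper cannot overwrite them.
# Assumes an elevated PowerShell session on the machine being inoculated.
function Protect-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }
    # Also set the read-only attribute (the "read-only version of this file" idea above)
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from C:\Windows and drop the inherited ACEs ($false = do not copy them)
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit ACEs that remain, leaving an empty DACL (nobody has access)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    # True only if the file exists and its DACL carries no ACE at all
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    return ($rules.Count -eq 0)
}

# The two paths named in the gist
foreach ($f in @("$env:windir\infpub.dat", "$env:windir\cscc.dat")) {
    Protect-VaccineFile -Path $f
    "{0}: vaccinated={1}" -f $f, (Test-VaccineFile -Path $f)
}
```

The owner of the file keeps implicit rights to read and change its DACL, so the placeholder can be removed again by an administrator later; the empty DACL is what blocks the dropper from writing over it.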
Carbon Black:
* Patch for MS17-010
* Use GPO to disable access to admin shares.
Other ideas:
* Disable WMI where feasible
Money trail
Bitcoin addresses (h/t: @Steve3D)
Only a few transactions (@ChristiaanBeek):
Coverage and news
ESET (very good tech coverage):
The Register (good tech summary):
Steve Ragan article (excellent, being updated rapidly)
Watch @GossiTheDog on Twitter for updates.
Palo Alto analysis (Unit 42):
... and Palo Alto protections:
Group-IB (first to alert/discover):
Microsoft malware entry
Carbon Black:
Motherboard articles:
BleepingComputer article:
AlienVault matrix:
US-CERT notice:
The Hacker News:
PC Magazine:
Cybereason (vaccine approach):
MIT Technology Review:
Malwarebytes (@hasherezade):
Endgame analysis (@malwareunicorn):
Intezer (code reuse analysis): (larger list of sites):
Hackplayers (Spanish - in fact, it looks like they translated an earlier version of my document!)

DavidBuchanan314 commented Oct 24, 2017

ransom: $0.05 BTC

Is that BTC or USD?

[Royce: heh - BTC; good catch, fixed!]


xl-tech commented Oct 25, 2017

Great, because of this I can't boot to my encrypted partition, Windows Defender deleted DiskCryptor bootloader. And now legit DiskCryptor detected as trojan...

[Royce: yikes, that's terrible. Could you post something independently (not in this thread) that demonstrates this problem, so that I can link to it? If verifiable, this is important for people to know.]


snakems commented Oct 25, 2017

Unlike NetPetya, confirmed to be decrypt-ready:

May be NotPetya ?

[Royce: indeed, good catch - fixed!]


xl-tech commented Oct 26, 2017


ralf44 commented Oct 26, 2017

@roycewilliams Win 7 HP 64 SP1 with DiskCryptor - system rebooted yesterday (25th) and could not login to Windows again. Managed to launch in Safe Mode and checked to find the DiskCryptor Bootloader had been damaged or wiped from my Boot Drive MBR. Reinstalled a bootloader using DiskCryptor and rebooted.

Thanks to the comment above and your detailed resources on how to spot real BadRabbit, I found that Microsoft Security Essentials absolutely does have the wrong detection heuristics.

The two telltale files in C:\Windows that BadRabbit drops were never there. MSE current version identifies legit DiskCryptor bootloaders as "Ransom:DOS/Tibbar.A" and removes them.


Since I am on Win7 and first report above is about a slightly different MS antivirus product, this is a major SNAFU which can render computers unusable. If my C: drive had been encrypted as well as my data drives, I don't think I could even have got as far as Safe Mode so the threat level of this hasty action by MS is severe.

Advise anyone using DiskCryptor to make a bootable CD or USB loader as backup and if you know how to contact anyone at MS Security directly or Tweet at the right folks, please do so!

PS - line 27 "summary".
