SAFE - BadRabbit Ransomware analysis


BadRabbit is ransomware used in a cyberattack that targeted Eastern Europe and Russia in October 2017.

The name Bad Rabbit was given to this malware because of its presence on the ransom website. Just like NotPetya, BadRabbit uses EternalRomance to spread within networks and brute-forces access to computers using a list of default credentials.


BadRabbit Execution Flow

The diagram below represents an overview of how BadRabbit spreads and damages systems:


Infected Computer

The initial infection by BadRabbit happens in one of two ways.

The first is a malicious file pretending to be a new Flash Player update, first found on the website “1dnscontrol[.]com”. To infect a computer, this malware needs full user interaction (download and execute); no exploit is involved at this stage.

The second is infection by lateral movement from an already infected computer on the same local network.

Filename: install_flash_player.exe
Filetype: Executable
Size (Bytes): 441 899
Compilation date: 22 October 2017
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
Signature: Fake "Symantec Corporation" signature
VirusTotal: install_flash_player.exe
Information about install_flash_player.exe

When the file is executed, the malicious payload is dropped into the folder “C:\Windows” as “infpub.dat” and executed.

SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be created.


Execute Infpub.dat

After being dropped, the malicious file “infpub.dat” will be loaded by rundll32 using the following command line:

<SystemFolder>\rundll32.exe C:\Windows\infpub.dat,#1 15

Where “#1” is the ordinal of the exported function to call and “15” the delay in minutes before the reboot.

This file has two exported functions. The first (ordinal 1, #1) is the main malicious function; the second (ordinal 2, #2) launches the file again through the first function.

Filename: infpub.dat
Filetype: DLL
Size (Bytes): 410 760
Compilation date: 31 October 2017
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
Signature: Fake "Symantec Corporation" signature
VirusTotal: infpub.dat
Information about infpub.dat

“infpub.dat” is executed by the installer and contains the malicious actions.

SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be created.


Check if already infected

To check whether the computer is already infected, the malware first checks if the file “cscc.dat” exists in the folder “C:\Windows”. If the file is present, the malware stops itself.

Vaccine check

This check can be used as a kill switch because the filename is a hardcoded string.


Install disk encryption driver

After checking whether the machine is already infected, a resource is loaded, decrypted by XORing it with the key 0xe9, and decompressed with zlib 1.2.8 before being saved in “C:\Windows” as “cscc.dat”. This file is the DiskCryptor driver.

Decryption routine for resources
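The resource unpacking described above, as an added example (not code from the original analysis or from the malware): XOR every byte with 0xe9, then zlib-inflate. The function and sample names are the example's own, the sample container is constructed, and the header scan assumes the embedded stream carries a standard zlib header.

```python
import zlib

XOR_KEY = 0xE9  # key reported in the analysis above

def decode_resource(blob, key=XOR_KEY):
    """Undo BadRabbit's resource packing: XOR every byte with key, then zlib-inflate."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(bytes(b ^ key for b in blob))
    except zlib.error as exc:
        raise ValueError(f"not a valid XOR+zlib resource: {exc}") from exc
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return out  # bytes after the end of the stream (d.unused_data) are ignored

def encode_resource(payload, key=XOR_KEY):
    """Inverse of decode_resource(); used here only to build a constructed sample."""
    return bytes(b ^ key for b in zlib.compress(payload, 9))

def find_packed_offsets(data, key=XOR_KEY):
    """Offsets where a zlib header (0x78 then 0x01/0x5E/0x9C/0xDA) appears XORed with key.
    Assumption: the embedded stream has a standard zlib header, as zlib compress() emits."""
    hdrs = {bytes((0x78 ^ key, second ^ key)) for second in (0x01, 0x5E, 0x9C, 0xDA)}
    return [i for i in range(len(data) - 1) if data[i:i + 2] in hdrs]

def carve_first_pe(data, key=XOR_KEY):
    """Try each candidate offset; return (offset, bytes) of the first decoded blob starting 'MZ'."""
    for off in find_packed_offsets(data, key):
        try:
            out = decode_resource(data[off:], key)
        except ValueError:
            continue  # false-positive header inside compressed data or junk
        if out.startswith(b"MZ"):
            return off, out
    return None

# Constructed sample: a fake PE-like payload (not cscc.dat) packed and surrounded by junk bytes.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 64 + b"constructed DiskCryptor stand-in" + b"\x00" * 100
SAMPLE_CONTAINER = b"\xAA" * 32 + encode_resource(SAMPLE_PAYLOAD) + b"\xBB" * 16

if __name__ == "__main__":
    off, out = carve_first_pe(SAMPLE_CONTAINER)
    print(f"packed resource at offset {off}: {len(out)} bytes, starts with {out[:2]!r}")
```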

Filename: cscc.dat
Filetype: DLL
Size (Bytes): 210 632
Compilation date: 9 July 2014
MD5: edb72f4a46c39452d1a5414f7d26454a
SHA1: 08f94684e83a27f2414f439975b7f8a6d61fc056
SHA256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
Signature: Expired "ReactOS Foundation" certificate
VirusTotal: cscc.dat
Information about cscc.dat

A service corresponding to the “cscc.dat” file is created with the following information:

Another resource is then extracted and saved in the folder “C:\Windows” as “dispci.exe”. This file is the client that tells the driver to encrypt the disks.

Filename: dispci.exe
Filetype: Executable
Size (Bytes): 142 848
Compilation date: 22 October 2017
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Signature: None
VirusTotal: dispci.exe
Information about dispci.exe

After that, a scheduled task is created to execute “dispci.exe” at the next machine startup. Disk encryption is then performed by the two files extracted above: “dispci.exe” asks the “cscc.dat” driver to encrypt the disk. The task is created with the following command:

cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id && exit"

This action makes recovery harder for forensic analysts and is meant to force the victim to pay the ransom.

SAFE Endpoint will block this step of the attack
The SAFE Agent limits access to Cmd and other administration tools to prevent malicious activities.


Handling shutdown event

A task is scheduled to reboot the computer within 15 minutes in order to trigger the disk encryption on the next startup.

cmd.exe /c schtasks /CREATE /SC once /TN drogon /RU SYSTEM /TR "c:\Windows\System32\shutdown.exe /r /t 0 /f" /ST %02d:%02d:00

The process then creates a thread that detects when the computer is shutting down.
When a shutdown occurs, this thread deletes the event logs, as described in the “Events log deletion” section below.

This prevents the malware from leaving useful logs for forensic analysts.

SAFE Endpoint will block this step of the attack
The SAFE Agent limits access to Cmd and other administration tools to prevent malicious activities.


Network enumeration

Like WannaCry and NotPetya, BadRabbit tries to copy itself to other computers on the same network.
To establish a map of potential targets, this malware uses several Windows APIs:

  • DhcpEnumSubnetClients: Lists all DHCP clients within the same DHCP range.
  • WNetOpenEnum: Enumerates all network resources or existing connections.
  • NetServerEnum: Lists all servers of the specified type that are visible in a domain.
  • GetIpNetTable: Enumerates all IP addresses listed in the ARP table of the local system.
  • GetExtendedTcpTable: Lists active TCP connections of the local system.

The malware tries to reach every IP address collected this way and performs the lateral movement operation against each address that replies.

Network scan of BadRabbit

SAFE Endpoint will block this step of the attack
Thanks to the security policies, applications and programs have limited access to the network.


Credential theft

BadRabbit steals credentials so that it can connect remotely to the accessible machines listed before.

To steal credentials, the malware uses a minimal implementation of Mimikatz stored in one of its resources. Two versions are embedded (32-bit and 64-bit); the malware checks the architecture before choosing the appropriate one. Mimikatz is extracted to a .tmp file and executed with a parameter (the name of a named pipe created by the main process) through which the child process sends its output back to the main process.

Filename: %random%.tmp
Filetype: Executable
Size (Bytes): 53 624
MD5: 37945c44a897aa42a66adcab68f560e0
SHA1: 16605a4a29a101208457c47ebfde788487be788d
SHA256: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035
VirusTotal: Mini-Mimikatz x86
Information about the x86 minimal implementation of Mimikatz


Filename: %random%.tmp
Filetype: Executable
Size (Bytes): 62 328
MD5: 347ac3b6b791054de3e5720a7144a977
SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
VirusTotal: Mini-Mimikatz x64
Information about the x64 minimal implementation of Mimikatz

As with NotPetya, the CredEnumerateW API is used to steal additional credentials stored in the Windows credential store. If a credential's target starts with “TERMSRV/” and it is a generic credential, it is used to spread across the network.

SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be created.


Lateral Movement

To spread, BadRabbit tries to copy itself to the admin share of each accessible computer listed before. The target folder is \\[IP]\admin$. This requires administrative rights on the remote computer, which is why the Mimikatz output was saved: the malware attempts to connect with every stolen credential.
Before copying itself, the malware tests whether the file “cscc.dat” already exists in the target folder.

Then, if the file does not exist, the malware tries to copy the file “infpub.dat” to the remote computer and executes it via wmic with the following command:

<System Folder>\wbem\wmic.exe /node:<target_machine> /user:<username> /password:<password> process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\infpub.dat\" #1"

Or through remote service creation with the OpenSCManager API, which opens a handle to the Service Control Manager on a remote computer; the service then runs:

<System Folder>\rundll32.exe C:\Windows\infpub.dat, #2 15 "Login:Password"

Spreading with remote service creation

If the operation fails, the file “infpub.dat” is removed from the remote computer.

The malware also tries to spread itself using EternalRomance.

SAFE Endpoint will block this step of the attack
Thanks to the security policies, applications and programs have limited access to the network.


Data encryption

The malware walks every folder and subfolder, excluding these directories:

  • “\Windows”
  • “\Program Files”
  • “\ProgramData”
  • “\AppData”

Affected file extensions:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

The encrypted files keep their names; only the content is modified.
The string “encrypted” is visible at the end of each encrypted file.

Encrypted file
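A triage helper built from the excluded directories, the extension list and the trailing “encrypted” string described above; this is an added example, not part of the original analysis. It assumes the trailer is the literal ASCII bytes "encrypted" at the very end of the file, and the sample tree it builds is constructed.

```python
import os
import tempfile

# Extensions BadRabbit targets, copied from the list in this analysis.
TARGET_EXTS = frozenset(""".3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer
.cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx
.iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt
.ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow
.qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk
.vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip""".split())
# Directories the malware skips (from this analysis); compared case-insensitively.
SKIP_DIRS = frozenset(("windows", "program files", "programdata", "appdata"))
# Assumption: the trailer is the ASCII bytes "encrypted" at the very end of the file.
MARKER = b"encrypted"

def is_targeted(rel_path):
    """True if BadRabbit would have visited this path: no skipped directory, targeted extension."""
    parts = os.path.normpath(rel_path).lower().split(os.sep)
    return not any(p in SKIP_DIRS for p in parts[:-1]) and os.path.splitext(parts[-1])[1] in TARGET_EXTS

def has_marker(path):
    """True if the file ends with the 'encrypted' trailer (reads only the tail of the file)."""
    with open(path, "rb") as f:
        if f.seek(0, os.SEEK_END) < len(MARKER):
            return False
        f.seek(-len(MARKER), os.SEEK_END)
        return f.read() == MARKER

def scan_tree(root):
    """Sorted relative paths (using '/') under root that look BadRabbit-encrypted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if is_targeted(rel) and has_marker(os.path.join(dirpath, name)):
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def build_demo_tree():
    """Constructed sample tree (not real BadRabbit output) to try scan_tree() on."""
    root = tempfile.mkdtemp()
    files = {"docs/report.docx": b"\x13\x37junk" + MARKER,  # targeted ext + trailer: hit
             "docs/notes.txt": b"plain text" + MARKER,       # .txt is not targeted
             "Windows/cfg.xml": b"<x/>" + MARKER,            # inside a skipped directory
             "src/main.c": b"int main(void){return 0;}"}     # targeted but untouched
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root
```

Run `scan_tree()` against a mounted image of an affected volume to list candidate encrypted files without opening each one fully.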

SAFE Endpoint will block this step of the attack
The data protection provided by the SAFE Agent protects data files against malicious access.


Events log deletion

When the shutdown handler is triggered or when the encryption routine completes, the event logs (Setup, System, Security and Application) and the USN journal are deleted for anti-forensics reasons.

Here is the command line used to perform this action:
cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D <DISK>

Log deletion routine
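An added example (not from the original analysis) that matches the command lines quoted on this page, the rundll32 load of infpub.dat, the rhaegal and drogon scheduled tasks, the dispci.exe client and the wevtutil/fsutil log-wiping chain, against constructed Sysmon-style process-creation log lines. The rule names and the log field layout are the example's own.

```python
import re

# Command-line indicators taken from this analysis (regexes, matched case-insensitively).
RULES = [
    ("badrabbit_dropper_load",  r"rundll32(\.exe)?\s+\S*infpub\.dat\s*,\s*#[12]\b"),
    ("badrabbit_task_rhaegal",  r"schtasks\s+/create\b.*/tn\s+rhaegal\b"),
    ("badrabbit_task_drogon",   r"schtasks\s+/create\b.*/tn\s+drogon\b"),
    ("badrabbit_dispci_client", r"\\dispci\.exe\b.*\s-id\b"),
    ("eventlog_clear_chain",    r"(wevtutil\s+cl\s+\w+\s*&\s*){2,}"),
    ("usn_journal_delete",      r"fsutil\s+usn\s+deletejournal\s+/d\b"),
]
COMPILED = [(name, re.compile(pat, re.I)) for name, pat in RULES]

def match_command_line(cmd):
    """Names of every rule whose pattern matches this command line (empty list if clean)."""
    return [name for name, rx in COMPILED if rx.search(cmd)]

def triage_log(lines):
    """Return [(line_no, [rule names])] for each log line whose CommandLine field matches."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r"CommandLine=(.*)$", line)
        if m:
            names = match_command_line(m.group(1))
            if names:
                hits.append((no, names))
    return hits

# Constructed sample (Sysmon-style process-creation fields, not captured from a real host).
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\svchost.exe CommandLine=C:\Windows\System32\svchost.exe -k netsvcs',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine=C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15',
    r'Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal '
    r'/TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id && exit"',
    r'Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c schtasks /CREATE /SC once /TN drogon /RU SYSTEM '
    r'/TR "c:\Windows\System32\shutdown.exe /r /t 0 /f" /ST 14:25:00',
    r'Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c wevtutil cl Setup & wevtutil cl System & '
    r'wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    r'Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /Create /SC DAILY /TN Backup /TR backup.bat',
]

if __name__ == "__main__":
    for no, names in triage_log(SAMPLE_LOG):
        print(f"line {no}: {', '.join(names)}")
```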

After all the cleaning steps, the malware requests a system reboot to force the execution of the DiskCryptor driver and client.

SAFE Endpoint will block this step of the attack
The SAFE Agent limits access to Cmd and other administration tools to prevent malicious activities.


Reboot event

After the reboot, the DiskCryptor driver encrypts the disks; the victim keeps access to the machine during the encryption.

“dispci.exe” then replaces the MBR with a new one stored in the malware resources. Once the disks are encrypted and the MBR replaced, the malware requests a second system reboot with the following command:

cmd.exe /c <System_Dir>/shutdown.exe /r /t 0 /f

New MBR loaded


Ransom

After this reboot, a ransom message with a Tor URL is displayed at startup.

MBR ransom page

The Tor URL gives the payment details, but no bitcoin wallet is shown.

Web ransom/payment page

Even if the reboot is not performed or the MBR has not been rewritten, a ransom file “README.txt” is found on each disk.

Ransom dropped on each disk

Conclusion

Unlike WannaCry and Petya/NotPetya, BadRabbit did not use the EternalBlue exploit to spread, yet it still caused severe disruption, primarily in Eastern European countries.

User education alone is sometimes not enough against advanced threats. That is why companies should complement it with an endpoint solution able to block this type of threat.

Thanks to the multi-layered security protection provided by the SAFE product, BadRabbit was easily caught and blocked by our Agent. The combination of our multiple technologies allows us to provide the best protection against ransomware and other cyberattacks.