Badrabbit – Introduction
In October 2017 the world saw another wave of large-scale and highly damaging cyber-security attacks. One of them was the BadRabbit ransomware, first found spreading in Russia and Ukraine and later also affecting Turkey and Germany. According to the latest reports, it leverages a stolen NSA exploit released by the Shadow Brokers in April 2017. The IOCs collected below are intended to help security researchers build effective protection against it.
A bit of Past
As far as I know, it started in 2013, when a hacker group named “Shadow Brokers” stole exploit tools from the National Security Agency (NSA). They then stayed silent for the next three years before publishing the NSA exploit tools to the world, for anyone willing to use them. The exploits were shared at the following URL:
https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
The page was taken down after a while, but that was long enough for “mess makers” around the world to take notice. The exploit tools are now easily and freely available on the internet, including on GitHub:
https://github.com/misterch0c/shadowbroker
How does it look like?
I really like the new look given to this ransomware: a big ransom message in dark red text, with a colored, obfuscated random lowercase word of more than 2 characters that keeps changing. The aim is to keep the victim worried, since the ransom price rises after a short while.
What does it do?
- It encrypts files with the following extensions:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
- creates C:\Windows\infpub.dat
- runs C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
- runs cmd.exe /c schtasks /Delete /F /TN rhaegal
- runs cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 457931954 && exit"
- runs cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:17:00
- runs "C:\Windows\AF93.tmp" \\.\pipe\{C8F7AD8E-D52E-44CB-9467-68B05E93BE5F}
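The behaviours listed above (the infpub.dat DLL loaded through rundll32, the rhaegal/drogon scheduled tasks, dispci.exe, the forced reboot and the hex-named .tmp binary started with a named pipe) translate directly into process-creation detection rules. The following is an added example, not code from the original post: the rules are assumptions derived from the command lines above, and the log lines are constructed samples, not real telemetry.

```python
import re

# Behavioural indicators from the list above: the infpub.dat DLL loaded via
# rundll32, the rhaegal/drogon scheduled tasks, dispci.exe, the forced reboot
# and the 4-hex-digit .tmp binary started with a named pipe (assumed patterns).
BADRABBIT_RULES = [
    ("rundll32 loads infpub.dat",      re.compile(r'rundll32\.exe.*infpub\.dat,\s*#1', re.I)),
    ("schtasks on task 'rhaegal'",     re.compile(r'schtasks.*/TN\s+rhaegal\b', re.I)),
    ("schtasks on task 'drogon'",      re.compile(r'schtasks.*/TN\s+drogon\b', re.I)),
    ("dispci.exe started with -id",    re.compile(r'dispci\.exe\W+-id\s+\d+', re.I)),
    ("forced reboot via shutdown.exe", re.compile(r'shutdown\.exe\s+/r\s+/t\s+0\s+/f', re.I)),
    ("hex-named .tmp with named pipe", re.compile(r'\\Windows\\[0-9A-F]{4}\.tmp.*\\\\\.\\pipe\\\{', re.I)),
]

def scan_process_log(lines):
    """Return a list of (line_no, rule_name) pairs, one per matching rule per line."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for name, pattern in BADRABBIT_RULES:
            if pattern.search(line):
                hits.append((line_no, name))
    return hits

def flagged_lines(lines):
    """Set of 1-based line numbers that triggered at least one rule."""
    return {line_no for line_no, _ in scan_process_log(lines)}

# Constructed sample process-creation log (Sysmon-style CommandLine fields); the
# last two lines are benign rundll32/schtasks usage that must not be flagged.
SAMPLE_LOG = [
    r'ProcessCreate Parent=explorer.exe CommandLine=C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15',
    r'ProcessCreate Parent=rundll32.exe CommandLine=cmd.exe /c schtasks /Delete /F /TN rhaegal',
    r'ProcessCreate Parent=rundll32.exe CommandLine=cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 457931954 && exit"',
    r'ProcessCreate Parent=rundll32.exe CommandLine=cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:17:00',
    r'ProcessCreate Parent=rundll32.exe CommandLine="C:\Windows\AF93.tmp" \\.\pipe\{C8F7AD8E-D52E-44CB-9467-68B05E93BE5F}',
    r'ProcessCreate Parent=explorer.exe CommandLine=C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL',
    r'ProcessCreate Parent=svchost.exe CommandLine=schtasks /Create /TN NightlyBackup /TR C:\Tools\backup.exe',
]

if __name__ == "__main__":
    for line_no, name in scan_process_log(SAMPLE_LOG):
        print(f"line {line_no}: {name}")
```

The benign rundll32 and schtasks lines show why the rules key on the specific DLL, task names and arguments rather than on the host binaries alone.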
IOCs
URLs:
hxxp://dynamic.ufanet.ru hxxp://104.244.159.23:8080/i hxxp://172.97.69.79/i/ hxxp://185.149.120.3/scholargoogle/ hxxp://185.149.120.3/scholasgoogle/ hxxp://38.84.134.15/Core/Engine/Index/default hxxp://38.84.134.15/Core/Engine/Index/two hxxp://46.20.1.98/scholargoogle/ hxxp://91.236.116.50/Core/Engine/Index/three hxxp://91.236.116.50/Core/Engine/Index/two hxxp://dfkiueswbgfreiwfsd.tk/i/ hxxps://bodum-online.gq/Core/Engine/Index/three
FileHash-SHA256:
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
FileHash-MD5:
Hybrid-analysis Links:
https://www.hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
https://www.hybrid-analysis.com/sample/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
IP Addresses:
62.16.112.103 62.76.185.12 62.76.185.120 66.167.124.163 66.48.81.155 77.234.200.226 77.234.200.236 77.234.201.99 77.239.190.205 77.244.222.74 77.247.16.171
Virustotal Links:
https://virustotal.com/it/file/2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035/analysis/
https://virustotal.com/it/file/301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c/analysis/
https://www.virustotal.com/en/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/