Information Security

A track record on Bad Rabbit Ransomware

The_Shadow_Fiend

Badrabbit – Introduction

In October 2017,  World has seen another big series of unethical and one of the most dangerous cyber-security attacks. One of them is Badrabbit Ransomware which is found first spreading in Russia and Ukraine, then also appeared to be affecting Turkey and Germany. As per the latest report, It leverages a stolen NSA exploit released by the Shadow Brokers in April 2017. Please find below collected IOCs that hopefully help our cyber security researchers to produce ultimate protection against it.

A bit of Past

So far what i know it started in 2013, when a hacker group named “Shadow Brokers” stole the exploit tools from National Security Agency(NSA). Then, they remained silent for next three years until they published NSA exploit tools to world wide market to anyone who is willing to use them. The exploits were shared at the following URL:

https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

The page was turned down after a while. But it was enough for “Mess Makers” around the world to hear the sound of this explosion. The exploit tools are now easily and freely available on internet nowdays including github:

https://github.com/misterch0c/shadowbroker

How does it look like?

I really like the new look given to this ransomware. A big ransom message in dark red text with obfuscated colored random lowercase word of more than 2 chars and It keeps on changing. To keep the victim more worried as the price of ransom gets high in a short while.

What does it do?

  1. It encrypts the following file extensions 
    .3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
  2. creates C:\Windows\infpub.dat
  3. runs C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  4. runs cmd.exe /c schtasks /Delete /F /TN rhaegal
  5. runs cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR “C:\Windows\system32\cmd.exe /C Start \”\” \”C:\Windows\dispci.exe\” -id 457931954 && exit”
  6. runs cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR “C:\Windows\system32\shutdown.exe /r /t 0 /f” /ST 11:17:00
  7. runs “C:\Windows\AF93.tmp” \\.\pipe\{C8F7AD8E-D52E-44CB-9467-68B05E93BE5F}

IOCs

URLs:

hxxp://dynamic.ufanet.ru
hxxp://104.244.159.23:8080/i
hxxp://172.97.69.79/i/
hxxp://185.149.120.3/scholargoogle/
hxxp://185.149.120.3/scholasgoogle/
hxxp://38.84.134.15/Core/Engine/Index/default
hxxp://38.84.134.15/Core/Engine/Index/two
hxxp://46.20.1.98/scholargoogle/
hxxp://91.236.116.50/Core/Engine/Index/three
hxxp://91.236.116.50/Core/Engine/Index/two
hxxp://dfkiueswbgfreiwfsd.tk/i/
hxxps://bodum-online.gq/Core/Engine/Index/three

 

FileHash-SHA256:

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

FileHash-MD5:

0dd7141468e7e490a4ff3426c2da4a4f
1d724f95c61f1055f0d02c2154bbccd3
2fe32d2a6bfc72d215496b055e5a53ad
347ac3b6b791054de3e5720a7144a977
37945c44a897aa42a66adcab68f560e0
b14d8faf7f0cbcfad051cefe5f39645f
b4e6d97dafd9224ed9a547d52c26ce02
edb72f4a46c39452d1a5414f7d26454a
fbbdc39af1139aebba4da004475e8839

 

Hybrid-analysis Links:

https://www.hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
https://www.hybrid-analysis.com/sample/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

IP Addresses:

62.16.112.103
62.76.185.12
62.76.185.120
66.167.124.163
66.48.81.155
77.234.200.226
77.234.200.236
77.234.201.99
77.239.190.205
77.244.222.74
77.247.16.171

Virustotal Links:

https://virustotal.com/it/file/2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035/analysis/
https://virustotal.com/it/file/301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c/analysis/
https://www.virustotal.com/en/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/
,

Related Posts

Information Security

A track record on Dridex Banking Trojan

The_Shadow_Fiend
Information Security

Amazon.co.uk Dispatch Confirmation – Phish or Malware?

The_Shadow_Fiend

Leave a Reply

Your email address will not be published.