Executive Summary

On 24 October, a large-scale campaign of ransomware attacks across Europe, in campaigns that closely mimicked the NotPetya attack from months ago. Just as was the case with NotPetya, the sample appeared to spread through traditional methods of making SMB connections within a corporate environment, such as using local administrative shares and a predefined list of user accounts and passwords.

Analysis

File Size       : 142,848

MD5             : b14d8faf7f0cbcfad051cefe5f39645f

SHA1            : afeee8b4acff87bc469a6f0364a81ae5d60a2add

SHA256          : 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Fuzzy           : 3072:1keK/MwGT0834YW3pvyh8fcl/iL62iL6KK:Sn/MZd4YW3pvyxl/ini

Magic           : PE32 executable for MS Windows (console) Intel 80386 32-bit

Import Hash     : 94f57453c539227031b918edd52fc7f1

Compiled Time   : Sun Oct 22 02:33:09 2017 UTC

PE Sections (5) : Name       Size       MD5

                  .text      72,192     0fa851de532b3dd96e1578a1fe912cea

                  .rdata     16,896     e69552feb958791e5d7283cd1e9f0b0b

                  .data      6,656      dc53a4c1670b55450713e13adc573c51

                  .rsrc      39,936     538045e89d3956ece75779bbffedb57f

                  .reloc     6,144      664441acad88cda5370381c965d187ab

Analysis is forthcoming, but initial views show that it is a variant of the NotPetya sample. It is not known yet if there is actual code re-use or if simply the tactics and strings were copied from analyzed versions of NotPetya. Just as NotPetya dropped a file named perfc.dat, and called it by an export ordinal value, this BadRabbit will drop a similar file named infpub.dat and call it using an almost identical method.

For instance, in the screenshot below, one routine from this initial BadRabbit is compared to the respective routine in NotPetya, with BadRabbit displayed on the right. There are very striking similarities in code, but also large differences. Notably, there is also a very basic attempt at obfuscation by using a Unicode stack string that resolves to “shutdown /r /t 0”.

The malware also has the ability to clear Windows event logs by using the Windows wevtutil command. This is seen in action as:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

One major change seen in this malware, when being compared to NotPetya, is that the core Petya code is no longer present. Instead, the sample will drop the encryption system driver from the known legitimate DiskCryptor application. This sample will drop the encryption driver onto the local system as cscc.dat and then leverage it to perform disk encryption.

The final payment screen, shown over TOR, is insignificant to analysis but does highlight the added effort that adversaries place on making notable brands of malware:

Indicators of Compromise (IOCs)