Executive Summary
On 24 October, a large-scale campaign of ransomware attacks struck organisations across Europe, closely mimicking the NotPetya attack from months ago. Just as was the case with NotPetya, the sample appeared to spread through traditional methods of making SMB connections within a corporate environment, such as using local administrative shares and a predefined list of user accounts and passwords.
Analysis
File Size : 142,848
MD5 : b14d8faf7f0cbcfad051cefe5f39645f
SHA1 : afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256 : 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Fuzzy : 3072:1keK/MwGT0834YW3pvyh8fcl/iL62iL6KK:Sn/MZd4YW3pvyxl/ini
Magic : PE32 executable for MS Windows (console) Intel 80386 32-bit
Import Hash : 94f57453c539227031b918edd52fc7f1
Compiled Time : Sun Oct 22 02:33:09 2017 UTC
PE Sections (5) :
  Name    Size     MD5
  .text   72,192   0fa851de532b3dd96e1578a1fe912cea
  .rdata  16,896   e69552feb958791e5d7283cd1e9f0b0b
  .data    6,656   dc53a4c1670b55450713e13adc573c51
  .rsrc   39,936   538045e89d3956ece75779bbffedb57f
  .reloc   6,144   664441acad88cda5370381c965d187ab
Analysis is forthcoming, but initial views show that it is a variant of the NotPetya sample. It is not yet known whether there is actual code re-use or whether only the tactics and strings were copied from analyzed versions of NotPetya. Just as NotPetya dropped a file named perfc.dat and called it by an export ordinal value, this BadRabbit sample drops a similar file named infpub.dat and calls it using an almost identical method.
For instance, in the screenshot below, one routine from this initial BadRabbit is compared to the respective routine in NotPetya, with BadRabbit displayed on the right. There are very striking similarities in code, but also large differences. Notably, there is also a very basic attempt at obfuscation by using a Unicode stack string that resolves to “shutdown /r /t 0”.
The malware also has the ability to clear Windows event logs by using the Windows wevtutil command. This is seen in action as:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
One major change seen in this malware, when being compared to NotPetya, is that the core Petya code is no longer present. Instead, the sample will drop the encryption system driver from the known legitimate DiskCryptor application. This sample will drop the encryption driver onto the local system as cscc.dat and then leverage it to perform disk encryption.
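The behaviours described above (clearing all four event logs plus the USN journal in one command chain, and loading a dropped .dat file through rundll32 by export ordinal) are what an analyst would hunt for in process-creation telemetry. The following is an added detection example written for this page; it is not code from the original report or from any vendor product. The sample events are constructed, not real telemetry, and the rundll32 invocation uses an assumed ordinal (#1) because the page only states that the file is called by ordinal. The filenames matched come from the page (infpub.dat, cscc.dat, dispci.exe, perfc.dat).

```python
import re

# Constructed process-creation events (host, image, command line), modelled on
# the fields a Sysmon Event ID 1 or Windows 4688 feed would carry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & "
                r"wevtutil cl Security & wevtutil cl Application & "
                r"fsutil usn deletejournal /D C:"},
    {"host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     # Assumed ordinal (#1); the page only says the .dat is called by ordinal.
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1"},
    {"host": "ws02", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil cl Application"},           # one log: weak signal
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c shutdown /r /t 0"},        # the stack-string command
    {"host": "ws04", "image": r"C:\Program Files\Tool\setup.exe",
     "cmdline": r"setup.exe /quiet"},                   # benign, no findings
]

# "wevtutil cl <LogName>" - captured per occurrence so chained clears count.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(\w+)", re.IGNORECASE)
# USN journal deletion, used alongside the log clears in the report.
USN_DELETE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.IGNORECASE)
# rundll32 loading a ".dat" file and calling an export by ordinal (",#N").
RUNDLL32_ORDINAL = re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dat\s*,\s*#\d+", re.IGNORECASE)
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\s+/r\s+/t\s+0\b", re.IGNORECASE)
# Dropped-file names named on the page (BadRabbit and its NotPetya ancestor).
KNOWN_NAMES = ("infpub.dat", "cscc.dat", "dispci.exe", "perfc.dat")


def analyse_event(event):
    """Return a list of 'tag' or 'tag:detail' findings for one event."""
    cmd = event["cmdline"]
    findings = []
    logs = [name.lower() for name in WEVTUTIL_CLEAR.findall(cmd)]
    if len(logs) >= 2:
        findings.append("multi-log-clear:" + ",".join(logs))
    elif logs:
        findings.append("single-log-clear:" + logs[0])
    if USN_DELETE.search(cmd):
        findings.append("usn-journal-delete")
    if RUNDLL32_ORDINAL.search(cmd):
        findings.append("rundll32-dat-ordinal")
    if FORCED_REBOOT.search(cmd):
        findings.append("forced-reboot")
    lowered = cmd.lower()
    for name in KNOWN_NAMES:
        if name in lowered:
            findings.append("known-name:" + name)
    return findings


def severity(findings):
    """Rank findings: ordinal .dat loads, known names, or clear+USN wipe are high."""
    tags = {f.split(":", 1)[0] for f in findings}
    if ("rundll32-dat-ordinal" in tags or "known-name" in tags
            or {"multi-log-clear", "usn-journal-delete"} <= tags):
        return "high"
    if "multi-log-clear" in tags or "usn-journal-delete" in tags:
        return "medium"
    return "low"


def hunt(events):
    """Run every event through the rules and keep only those with findings."""
    hits = []
    for event in events:
        findings = analyse_event(event)
        if findings:
            hits.append({"host": event["host"],
                         "severity": severity(findings),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["severity"], "; ".join(hit["findings"]))
```

The single "wevtutil cl Application" and the bare "shutdown /r /t 0" are kept at low severity on purpose: both are routine administration on their own, and only the chained clear of all four logs together with the USN journal wipe, or the ordinal call into a .dat file, is distinctive enough to page on.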
The final payment screen, shown over TOR, is insignificant to analysis but does highlight the added effort that adversaries place on making notable brands of malware:
Indicator | Type | Context
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 / b14d8faf7f0cbcfad051cefe5f39645f | SHA256/MD5 | dispci.exe
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 / 1d724f95c61f1055f0d02c2154bbccd3 | SHA256/MD5 | infpub.dat
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da / fbbdc39af1139aebba4da004475e8839 | SHA256/MD5 | FlashUtil.exe