Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!

Bad Rabbit

From Malware Wiki
Jump to: navigation, search
Bad Rabbit
CreatorFancy Bear
DateOctober 2017
Programming LanguageC++, Assembly
PlatformMicrosoft Windows
File TypePE EXE (Dropper), DLL (Trojan)
Alias(es)BadRabbit, DiskCoder.D, Petya (confused)
This box: view  talk  edit

Bad Rabbit is a ransomware family closely related to NotPetya, but despite using the original code of Petya, the authors used the open-source DiskCryptor utility instead. Bad Rabbit has EternalRomance spreading capabilities, similar to NotPetya (by 27% of its code). It pretends to be a Adobe Flash update, and it requests Administrator privileges. The main BadRabbit executable is signed with a Symantec certificate, and has Adobe Systems Incorporated as Publisher, with Adobe® Flash® Player Installer/Uninstaller 27.0 r0 as Program, as description.


If the malware gets wanted privileges, it will adjust its own privileges (by using the AdjustTokenPrivileges function) and it will check for debugging (by using the IsDebuggerPresent function,also will check for debugging flags on the PEB of the current process). If the malware detects a common user typical environment, it will launch a spreading thread (that searches for vulnerable computers to the EternalBlue exploit, on 445 and 139 LSASS ports.

It will then search also for connected computers to bruteforce by SMB means, with a list of hard-coded passwords and users; it will use also calls to CredEnumerateW function, in a manner that will help the virus to spread), and it creates the infpub.dat file in the WINDOWS folder, the BadRabbit main DLL. The rundll32.exe file is run against the BadRabbit DLL, with the #1 15 string as parameter.

WMI will be also used to spread. It also creates the files cscc.dat and dispci.exe. dispci.exe is scheduled by the DLL using chtasks, as SYSTEM privileged task, called rhaegal, and with a -id command passed to it as argument. Is a EXE file that sends precise IOCTL commands to cscc.dat (by using DeviceIoControl function), and that will encrypt the disk. dispci.exe will have Microsoft Display Class Installer as description, http://diskcryptor.com as Legal Copyright and GrayWorm as Product Name.

cscc.dat is then launched as SYSTEM-privileged service, by using the function CreateServiceW, as Windows Client Side Caching DDriver; if the function fails, Registry editing will be used instead. It is the disk encryption component of the malware, which is legitimate and part of the utility DiskCryptor, like part of the dispci.exe file.

Another two tasks will be created, viserion, that will shutdown the machine (created by dispci.exe), and the task drogon, that will shutdown the machine as well. The viserion task is actually a sequence of tasks (like viserion_0, viserion_1), created for unknown reasons by the malware, that contain istructions that will shutdown the PC, and created after the another in a sequential manner (viserion_0, viserion_1, viserion_2...).

The DLL will then run the fsutil command and the wevutil command in a manner that will erase the USN journal of the disk, will clear security and application logs and will clear Setup logs (the cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: command will be run). drogon, viserion and rhaegal are Game Of Thrones references.

The file xxxx.tmp will be also created, a Mimikatz module that will be used to steal credentials from the machine and to spread into the network, used as NotPetya uses its Mimikatz module. dispci.exe will then send some IOCTL commands, that will make DiskCryptor encrypt the hard disk, thus the bootloader willl not be a Petya one, will be a DiskCryptor legitimate but, modified one, that will run the BadRabbit kernel (a Petya modified kernel, with a different message, and different Tor C&C links; also, different encryption master keys).

dispci.exe will then restart the system, after a while. The malware, then, will encrypt every file present on every disk connected to the machine, probably AES in CBC mode (128 used), with RSA-2048, making them undecryptable. The file Readme.txt will be present in every encrypted disk and folder, and it will contain the same message that is displayed on the screen after, in the MBR payload. The malware will skip the Windows folder, the Program Files folder, the Program Data folder and the AppData folder. The key will be randomly generated, using the ADVAPI32.DLL API CryptGenRandom.

The following extensions will be encrypted and turned into encrypted files (the .encrypted extension will be added to encrypted files):

.3ds, .7z, .accdb, .ai, .asmm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab,
.cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu,
.doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, 
.jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm,
.odpm, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, 
.pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb,
.rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd,
.vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .x,
.ml, .xvd, .zip

There will not be any fake CHKDSK screen, no skull payload (like NotPetya) and a message similar to the NotPetya one is displayed on the screen. The shutdown command will be used, in the same way as NotPetya uses it, instead of the NtRaiseHardError function.

Affected Organizations

  • Odessa airport (Ukraine)
  • Kiev Metro (Ukraine)
  • Interfax (Russia)