 
                    The recent Bad Rabbit ransomware outbreak is currently making headlines. This post outlines the analysis of the ransomware by Quick Heal Security Labs.
According to our telemetry, we have not seen any Bad Rabbit ransomware infection on our customer’s machines so far.
Propagation technique
Bad Rabbit is distributed via a drive-by-download attack from the below URL
hxxp://1dnscontrol[.]com/flash_install.php
The payload is pretending to be a bogus Adobe Flash Player update named as “install_flash_player.exe”. The ransomware escalates itself to the administrative privilege using UAC prompt. Further, it drops ‘C:\Windows\infpub.dat’ which is actually a DLL file executed through ‘rundll32.exe’ as seen in the execution flow below.
Execution flow

Fig 1. Execution flow
Dropped artifacts
Bad Rabbit ransomware drops multiple artifacts which are named after the dragons in the popular TV series called Game of Thrones.
Below is the screenshot of the code from the ransomware to use ‘rundll32.exe’ to execute ‘infpub.dat’.

Fig 2. Infpub.dat creation code snippet
The ‘infpub.dat’ drops a malicious executable ‘dispci.exe’ at ‘C:\Windows’ which is responsible for Disk Encryption.
The ‘infpub.dat’ creates two tasks with names ‘drogon’ which is used to force restart the system and ‘rhaegal’ which is used to start a program at startup.

Fig 3. Drogon task properties

Fig 4: Rhaegal task properties
Infpub.dat is also responsible for file encryption using a shared public RSA-2048 key of the attacker for the list of file extensions as seen below.

Fig 5. RSA Key and file extensions
The dropped file ‘dispci.exe’ uses version information from a genuine DiskCryptor utility which is responsible for MBR infection which stops the boot-up process of the affected system until the ransom is paid as shown in the image below.

Fig 6. Ransom note
How it spreads in the network
The ‘infpub.dat’ tries to brute-forces login credentials using hard-coded credentials and also uses Mimikatz module to extract NTLM credentials from the system memory. These credentials are used to access other network workstations and server on the same network via SMB and WebDAV.

Fig 7. SMB share enumeration

Fig 8: SMB login – Brute force
Similarities between Bad Rabbit ransomware and NotPetya ransomware
Although both the ransomware share quite a lot of similarities, Bad Rabbit is not a wiper.
Indicators of compromise
| SHA256 | Filename | 
| 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da | install_flash_player.exe | 
| 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | dispci.exe | 
| 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 | infpub.dat | 
Malicious URLs
Quick Heal Detection
 
 
How to stay safe
Subject Matter Experts
Anita Ladkat, Shantanu Vichare, Prashil Moon, Shriram Munde, Prakash Galande | Quick Heal Security Labs
1 Comment
Good read. thnx