BadRabbit Technical Analysis

On October 12th, Ukraine’s SBU security service warned of an imminent attack against government and private institutions similar to the NotPetya attack in June. Two months earlier, the SBU made a similar warning, noting that a second wave of attacks could follow if attackers maintained covert, unauthorized privileged access. These warnings seemed to bear fruit yesterday, as a new ransomware variant called BadRabbit struck. Named after the dark web-based site where the attackers demand the ransom, BadRabbit first hit three Russian media outlets, including Interfax, as well as the Kiev metro system and Odessa airport. Subsequently, BadRabbit has hit hundreds of organizations, largely in Ukraine and Russia, but it also has spread within Europe, including Turkey and Germany, and US-CERT notes discoveries in the United States as well. The impact and research into BadRabbit remains ongoing, but already there are useful insights and missteps that have occurred. To help separate the facts from rumors, this post provides a technical deep dive into BadRabbit.

Similar, But Different

Similar to NotPetya, BadRabbit encrypts files using DiskCryptor and demands a ransom in Bitcoin. However, there are some key differences. There were initial reports that BadRabbit leveraged the EternalBlue SMB exploit to traverse, similar to WannaCry and NotPetya, but my research and that of others has since refuted this. Instead, BadRabbit uses two methods for lateral movement: WMIC and open SMB shares. Also, while NotPetya contained a wiper component, BadRabbit interestingly includes the capability of a wiper, but I haven’t seen any evidence of its use. Finally, while WannaCry and NotPetya compromised through more passive victim behavior, BadRabbit requires the victim to actively execute the malicious file. This may be why BadRabbit is - at least initially - seemingly more contained than WannaCry or NotPetya. A vaccine for BadRabbit was also identified relatively early in the community’s analysis of the malware. By placing any file at C:\windows\cscc.dat, the dropper will fail. The BadRabbit execution flow graphic below summarizes the technical details of the subsequent sections.

FILES

Chasing Down the Rabbit Hole

As the graphic illustrates, there are a series of steps that take place from compromise through encryption to ransom demand. I’ll walk through each of these steps below.

INITIAL MODE OF COMPROMISE & PROPAGATION

The BadRabbit attack first begins when the victim receives and installs a fake Adobe Flash update.

DROPPER MALWARE DETAILS

Original Name: install_flash_player.exe

SHA-256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Version 1.2.8

Main EntryPoint

1. Get command line arguments
2. If the number of arguments do not equal 1:
   1. Store the argument
3. If the argument equals 1
   1. Load the string “15”
   2. Get System Directory C:\\windows\\system32\\rundll32.exe
   3. Create and decrypt the payload (install_flash_player.exe:0x4010C0)
      1. Store the encrypted data located at an offset within itself
      2. Allocate space on the heap for the size of that file
      3. Copy 0x5ABA3 bytes starting at offset 0xDE00
      4. Allocate new space on heap
      5. Decrypts DLL into memory of size 0x64488
   4. Create and save DLL as C:\\Windows\\infpub.dat (install_flash_player.exe:0x401260)
   5. Launch new process "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15”

DLL PAYLOAD

Original Name: infpub.dat

SHA-256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

EntryPoint Function #1 (infpub.dat:infpub_1)

1. Adjust token to add SeShutdownPrivilege, SeDebugPrivileges, SeTcbPrivilege (infpub.dat:0x7897)
2. Allocate an executable memory space using VirtualProtect
3. Create Mutex "%08X%08X"
   • I haven’t seen the mutex trigger so its purpose is unknown.
4. Load Resource “7” File and save as cscc.dat (infpub.dat:0x7E8E). This is the DiskCryptor driver.
5. Load DiskCryptor Client and Start Service (infpub.dat:0x10A7)
   1. Load Resource “9” File and save as dispci.exe (infpub.dat:0x8313). This is the DiskCryptor client
   2. Start up schtasks (infpub.dat:0x1000)
      1. Run command “schtasks /Delete /F /TN rhaegal” - This deletes any existing scheduled task named “rhaegal”
      2. The -id parameter is the random generated key. Run command “/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3127978853 && exit". This causes the DiskCryptor client to launch on startup of the system.
   3. Create Service “cscc” for the DiskCryptor Driver (infpub.dat:0x1531).
      1. Call OpenSCManagerW
      2. Binary path name “cscc.dat”
      3. Service Name “Windows Client Side Caching DDriver”
      4. Set Regkey = SYSTEM\\CurrentControlSet\\services\\cdfs
         • Imagepath “cscc.dat”
      5. LowerFilters: SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
      6. UpperFilters: SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
      7. DumpFilters: SYSTEM\CurrentControlSet\Control\CrashControl\csccdumpfve.sys
6. Start the socket connection with WSAStartup
7. Get Command Line Arguments from options [ -h, -f ] (infpub.dat:0x652F)
8. Get Server Info (infpub.dat:0x7DD0)
9. Schedule Shutdown with persistence (infpub.dat:0x8192)
   1. Run command “shutdown.exe /r /t 0 /f”. This causes a forced reboot with no delay and forces running applications to close.
   2. Run Command “/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:29:00”. This causes a task to be created which schedules a shutdown for 09:29 for the local system. The system needs to reboot in order to install the DiskCryptor driver.
10. Create an Event and Start Thread (infpub.dat:0x8A6F)
    1. Run command “schtasks /Delete /F /TN drogon” which deletes the previously scheduled shutdown/reboot task.
11. Route 1: File Encryption
    1. Derive and setup symmetric encryption key from the hardcoded public key (infpub.dat:0x554A, 0x636B)
       1. Generate AES key with CryptGenRandom
       2. Public key (See Appendix)
    2. Create a thread to start encryption (infpub.dat:0x6299)
       1. Create the Readme.txt ransom note file. (See Appendix)
       2. Ignored paths:
          • \\Windows
          • \\Program Files
          • \\ProgramData
          • \\AppData
       3. Start encrypting files which have a targeted file extension (See Appendix)
       4. Uses "encrypted" as a part of the encryption header
       5. Display ransom note
12. Route 2: Lateral Movement
    1. Start thread to connect to the service (infpub.dat:0x77D1)
       1. Get localhost address
       2. Create Thread
          • GetAdaptersInfo
          • CreateThread
       3. Iphlpapi.dll and call GetExtendedTcpTable to retrieve a table that contains a list of TCP endpoints available to the application
       4. Get IP address
       5. Get Domain and Server
       6. Duplicate process token
       7. Thread: Connect to the service
    2. Create Mimikatz and pipe (infpub.dat:0x7146)
       1. Load Resource and save as temp file xxxx.tmp based on architecture (x86/x64)
       2. Create process from temp file with pipe: C:\\WINDOWS\\xxxx.tmp \\\\.\\pipe\\{GUID}
          • Example: “C:\Windows\E287.tmp" \\.\pipe\{FA577FE2-92A2-47EF-8EAF-1016B5B22B72}”
       3. Setup Co task memory
    3. EstablishConnection to admin$
       1. Duplicate Process Token and Set thread tokens (infpub.dat:0xA3B1)
       2. Get network resource from server
       3. Enumerate credentials for "TERMSRV/" (infpub.dat:0xA016)
       4. Setup connection via "wbem\\wmic.exe" with username and password (infpub.dat:0x9F7A)
       5. Open Service to \\\\%s\\admin$ to access a remote machine via admin shares, calls NetAddConnection2, and connects to server (infpub.dat:0x9534)
       6. Set the binary path for cscc.dat and copy binary to remote system
          • http:///admin$/infpub.dat
          • http:///admin$/cscc.dat
       7. Run remote command C:\Windows\System32\rundll32.exe "C:\Windows\infpub.dat,#2 “ (infpub.dat:0x944F)
    4. Traverse SMB Shares (infpub.dat:0xA420)
       1. Connect to shares via socket connection
       2. Test hardcoded username and passwords against $IPC services
       3. Copy files over via ADMIN$
    5. Continue back to Route 1: File Encryption.

EntryPoint Function #2 (F infpub_2)

1. Run the command "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 %ws”

DISKCRYPTOR CLIENT

Original Name: dispci.exe

SHA-256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Main Entry Point

1. Check for C:\\Windows\\cscc.dat (dispci.exe:0x4052D0)
   1. Set up buffer to connect to DiskCryptor driver \\.\dcrypt
      1. Set up hooks with callback functions
         • SetWindowsHookEx
         • function fn(int code, WPARAM wParam, LPARAM lParam)
         • function sub_403FC0(int code, WPARAM wParam, LPARAM lParam)
      2. Get raw disk access
         • \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
      3. Call to Driver DeviceIOControl Code 0x220040 (DC_CTL_RESOLVE)
2. Run command “schtasks /Delete /F /TN rhaegal”
3. Take 2 routes: start disk decryption, if not do setup and encryption.
4. Route1: Disk Encryption
   1. Set a control handler that allows the writer to be shut down SetConsoleCtrlHandler
      1. Create a COM connection
      2. Get the “DECRYPT” to run the console for decryption
      3. Use \\Desktop\\DECRYPT.lnk
   2. Create Scheduled Tasks
      1. First run command “schtasks /Delete /F /TN drogon”
      2. Loop in new thread: schedule shutdown with persistence
         • “shutdown.exe /r /t 0 /f”
         • Run command “schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR %ws" /ST %02d:%02d:00”
         • Run command “schtasks /Delete /F /TN viserion”
   3. Access driver communication buffer and encrypt (dispci.exe:0x405370)
      1. Communication buffer (dispci.exe:0x402020)
         • Access physical device \\.\dcrypt
         • DeviceIOControl Control code 0x220060 (DC_CTL_LOCK_MEM)
      2. Generate AES key with CryptGenRandom (dispci.exe:0x4012A0)
      3. Encrypt files with public key (dispci.exe:0x4015A0)
         • Public Key (See Appendix)
         • Encrypt data from server buffer
      4. Encrypt raw disk and open resource file
         • Send DeviceIOControl Control code 0x220058 (DC_CTL_GET_FLAGS)
         • Get raw disk access \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
         • Access raw disk routine: Send DeviceIOControl Control codes:
           • 0x70048 (IOCTL_DISK_GET_PARTITION_INFO_EX)
           • 0x74004 (IOCTL_DISK_GET_PARTITION_INFO)
           • 0x7405C (IOCTL_DISK_GET_LENGTH_INFO)
           • 0x2D1080 (IOCTL_STORAGE_GET_DEVICE_NUMBER)
           • 0x560000 (IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS)
         • Open \\\\.\\PhysicalDrive0 and DeviceIOControl Control code 0x70000 (IOCTL_DISK_GET_DRIVE_GEOMETRY)
         • Send DeviceIOControl Control code 0x700A0 (IOCTL_DISK_GET_DRIVE_GEOMETRY_EX)
         • Read from handle of device in 0x200 byte chunks
      5. Open Resource Files Ransom notes (dispci.exe:0x402800)
         • Open resource files as EXEFILE
           • 0x8B (bootloader)
           • 0x8C (Kernel Component) or 0x8D (Kernel Component)
         • Load resource in memory
         • Open and Read Raw disk and Send DeviceIOControl Control code 0x700A0 (IOCTL_DISK_GET_DRIVE_GEOMETRY_EX)
         • Check the filesystem type [NTFS,FAT12,FAT16,FAT32,EXFAT]
         • Read and write to file
      6. Send DeviceIOControl Control code 0x220064 (DC_CTL_UNLOCK_MEM) to driver
      7. Send DeviceIOControl Control codes:
         • 0x22003C(DC_CTL_SYNC_STATE)
         • 0x22001C (DC_CTL_STATUS)
         • 0x220034 (DC_CTL_ENCRYPT_STEP)
         • 0x220008 (DC_CTL_CLEAR_PASS)
      8. DeviceIOControl Control codes:
         • 0x220060 (DC_CTL_LOCK_MEM)
         • 0x220028 (DC_CTL_ENCRYPT_START)
         • 0x220064 (DC_CTL_UNLOCK_MEM)
   4. Send DeviceIOControl Control code 0x220008 (DC_CTL_CLEAR_PASS)to driver
   5. Wait for the encryption to finish with WaitForSingleObject and Sleep
   6. Shutdown (dispci.exe:0x405BF0)
      1. Run command “shutdown.exe /r /t 0 /f”
5. Route 2: Disk Decryption
   1. Start Disk Decryption Logging (dispci.exe:0x405510)
      1. DeviceIOControl Control codes:
         • 0x22003C (DC_CTL_SYNC_STATE)
         • 0x220038 (DC_CTL_DECRYPT_STEP)
   2. Access Raw Disk Routine: Send DeviceIOControl Control codes:
      1. 0x70048 (IOCTL_DISK_GET_PARTITION_INFO_EX)
      2. 0x74004 (IOCTL_DISK_GET_PARTITION_INFO)
      3. 0x7405C (IOCTL_DISK_GET_LENGTH_INFO)
      4. 0x2D1080 (IOCTL_STORAGE_GET_DEVICE_NUMBER)
      5. 0x560000 (IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS)
   3. Send DeviceIOControl Control codes:
      1. 0x220058 (DC_CTL_GET_FLAGS)
      2. 0x220060 (DC_CTL_LOCK_MEM)
      3. 0x22002C (DC_CTL_DECRYPT_START)
      4. 0x220064 (DC_CTL_UNLOCK_MEM)
   4. Check for AntiVirus and initiate decryption with provided password
      1. Send DeviceIOControl control code 0x220020 (DC_CTL_ADD_SEED)
      2. Asks “Disable your anti-virus and anti-malware programs”
      3. Drops Readme.txt in rootpath “C:\Readme.txt”
      4. Create the readme.txt file from resources
6. After both routes are complete, run the DECRYPT console
   1. Call CoInitialize
   2. Get the “DECRYPT” to run the console for decryption
   3. Use \\Desktop\\DECRYPT.lnk

DISKCRYPTOR DRIVER

Original Name: cscc.dat

SHA-256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6

The code is verbatim from https://diskcryptor.net and https://github.com/smartinm/diskcryptor. This is not malware, it is yet another example of legitimate software being used for nefarious means in a malware attack.

DeviceIOControl Codes

The Countdown Clock Begins

Acquiring the decryption key from the onion server caforssztxqzf2nm[.]onion

Summary

BadRabbit joins WannaCry and NotPetya among the list of global ransomware attacks in 2017. However, there are many differences between BadRabbit and the other attacks that are missed when simply lumping them all together. BadRabbit does not use the EternalBlue exploit, but demonstrates yet again how these attacks continue to evolve and innovate their evasive techniques. I’ll be keeping an eye on BadRabbit, and future variants, as these attacks evolve. The Appendix below provides additional information, including those GoT and Hackers references that are making headlines. And as always, be wary of pop-up updates, which are an incredibly popular mode of compromise.

Appendix

PUBLIC KEY

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ +feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83 hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpR hV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdw H1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW 9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWf SBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB

FILE EXTENSIONS

3ds, 7z, accdb, ai, asm, asp, aspx, avhd, back, bak, bmp, brw, c, cab, cc, cer, cfg, conf, cpp, crt, cs, ctl, cxx, dbf, der, dib, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, hpp, hxx, iso, java, jfif, jpe, jpeg, jpg, js, kdbx, key, mail, mdb, msg, nrg, odc, odf, odg, odi, odm, odp, ods, odt, ora, ost, ova, ovf, p12, p7b, p7c, pdf, pem, pfx, php, pmf, png, ppt, pptx, ps1, pst, pvi, py, pyc, pyw, qcow, qcow2, rar, rb, rtf, scm, sln, sql, tar, tib, tif, tiff, vb, vbox, vbs, vcb, vdi, vfd, vhd, vhdx, vmc, vmdk, vmsd, vmtm, vmx, vsdx, vsv, work, xls, xlsx, xml, xvd, zip

README.TXT CONTENTS EXAMPLE

Oops! Your files have been encrypted. If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service. We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password. Visit our web service at caforssztxqzf2nm.onion Your personal installation key#2: Zu3T6///6gTViRsNAWpMUmUAvuseFAhcG/ppEt4WiB+OwqRtZjNJvPbCDn2r20V5 Wn70lrtUES38dabDQMDhLp6ZjSWeCSOk4ek6FL0qF+CwhM9i2mxLsa4DAlxIFunp QatuxDD6AQTsl7OiheHy1/FG9gXQ10+aeXj8B7PIT51T2Iuw/UWNN2iGzvnCMOhZ /DXTL66SfbtyxWfHd9Pvo4S7p5HDlv4SWiQdPHkOidRQqccHHEDD6urvBxQJuSwe tqCBxPwx+B6uwQ/Znco9f+nRxOiX3a0OG/c6xg4+W6qbRqden+4fL1VUsPQSmhod fMt0iuW2ACJ2BFgfvkpZ2MchA8OS7+mGKw==

USERNAMES

"Administrator"

"Admin"

"Guest"

"User"

"User1"

"user-1"

"Test"

"root"

"buh"

"boss"

"ftp"

"rdp"

"rdpuser"

"rdpadmin"

"manager"

"support"

"work"

"other user"

"operator"

"backup"

"asus"

"ftpuser"

"ftpadmin"

"nas"

"nasuser"

"nasadmin"

"superuser"

"netguest"

"alex"

PASSWORDS

"Administrator"

"administrator"

"Guest"

"guest"

"User"

"user"

"Admin"

"adminTest"

"test"

"root"

"123"

"1234"

"12345"

"123456"

"1234567"

"12345678"

"123456789"

"1234567890"

"Administrator123"

"administrator123"

"Guest123"

"guest123"

"User123"

"user123"

"Admin123"

"admin123Test123"

"test123"

"password"

"111111"

"55555"

"77777"

"777"

"qwe"

"qwe123"

"qwe321"

"qwer"

"qwert"

"qwerty"

"qwerty123"

"zxc"

"zxc123"

"zxc321"

"zxcv"

"uiop"

"123321"

"321"

"love"

"secret"

"sex"

"god"

SERVICE NAMES

"atsvc"

"browser"

"eventlog"

"lsarpc"

"netlogon"

"ntsvcs"

"spoolss"

"samr"

"srvsvc"

"scerpc"

"svcctl"

"wkssvc"