TT Malware Log

A personal log of research, investigation and reference material on malware, cyber attacks and analysis techniques

BadRabbit Malware Analysis

【Public Information】

◆BadRabbit Malware Analysis (IBM, 2017/11/09)
https://exchange.xforce.ibmcloud.com/collection/BadRabbit-Malware-Analysis-78c57491593b05937e9adccd545d033b

【YARA Rules】

import "pe"

rule BadRabbit_dropper {
    meta:
        description = "Yara Rule for Bad Rabbit dropper identification"
        author = "CSE CybSec Enterprise - Z-Lab"
        last_updated = "2017-10-31"
        tlp = "white"
        category = "informational"
    strings:
        // Fake Flash installer string
        $flash = "Flash" wide
        // Path of the dropped infpub.dat payload
        $a = "C:\\Windows\\infpub.dat" wide
        $b = "infpub.dat" wide
        // Command-line template used to execute infpub.dat via rundll32 (entry #1)
        $c = "%ws C:\\Windows\\%ws,#1 %ws" wide
    condition:
        all of them and
        pe.version_info["ProductName"] contains "Installer/Uninstaller"
}

rule BadRabbit_infpub {
    meta:
        description = "Yara Rule for Bad Rabbit infpub.dat file"
        author = "CSE CybSec Enterprise - Z-Lab"
        last_updated = "2017-10-31"
        tlp = "white"
        category = "informational"
    strings:
        // Scheduled task command (task name "rhaegal") that launches dispci.exe
        $a = "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"%ws /C Start \\\"\\\" \\\"%wsdispci.exe\\\" -id %u && exit" wide
        // Lateral movement: admin$ share path template
        $b = "%ws\\admin$\\%ws" wide
        // Part of the embedded RSA public key
        $key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O" wide
    condition:
        all of them
}

rule BadRabbit_DiskCryptor_client {
    meta:
        description = "Yara Rule for Bad Rabbit dispci.exe file"
        author = "CSE CybSec Enterprise - Z-Lab"
        last_updated = "2017-10-31"
        tlp = "white"
        category = "informational"
    strings:
        // Raw physical drive path used for disk encryption
        $a = ".\\PhysicalDrive%d" wide
        // Game of Thrones strings (scheduled task / service names)
        $b = "viserion" wide
        $c = "drogon" wide
        $d = "rhaegal" wide
    condition:
        all of them and
        pe.version_info["ProductName"] contains "GrayWorm" and
        pe.version_info["LegalCopyright"] contains "http://diskcryptor.net"
}

Source: https://exchange.xforce.ibmcloud.com/collection/BadRabbit-Malware-Analysis-78c57491593b05937e9adccd545d033b


【Indicator Information】


Source: https://exchange.xforce.ibmcloud.com/collection/BadRabbit-Malware-Analysis-78c57491593b05937e9adccd545d033b


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2023