Trojan.BadRabbit in virus library:

SHA1:

• afeee8b4acff87bc469a6f0364a81ae5d60a2add (Trojan.BadRabbit.1) — a disk encoder / decoder
• de5c8d858e6e41da715dca1c019df0bfb92d32c0 (Trojan.BadRabbit.2) — a dropper
• 79116fe99f2b421c52ef64097f0f39b815b20907 (Trojan.BadRabbit.3) — an encryption worm

Encryption worm. Contains three components: a dropper, a disk encoder (capable of decoding) and an encryption worm.

Dropper

After its launch, entirely loads itself to the memory. Then it uses ZLib library to extract its own overlay, which contains the encryption worm. This component is saved to C:\Windows\infpub.dat and launched using rundll32.exe:

C:\WINDOWS\system32\rundll32.exe C:\Windows\infpub.dat,#1 NN

where NN — a parameter obtained from the command line or a value 15 by default.

Then the dropper shuts down.

Disk encoder (decoder)

Using a driver DiskCryptor, the disk encoder (decoder) obtains information on all disks used by the system. It executes a command “schtasks /Delete /F /TN rhaegal” in the a command interpreter cmd.exe. Then the encoder checks a number of process arguments. If the process is launched without arguments, the component operates as the decoder.

To launch the encryption process, the encoder checks whether it has two parameters, whilst one of them has a designation “-id”.

On the Desktop, it creates an icon “DECRYPT.lnk”, which points to this Trojan’s binary file. It executes a command “schtasks /Delete /F /TN drogon” in the the command interpreter cmd.exe.

In the Task Manager, the Trojan creates a task for a computer’s restart “shutdown.exe /r /t 0 /f” with a specified time interval of 3 minutes. Then every 30 seconds the Trojan deletes the previous task and creates a new one, thus shifting the time for the task’s execution. Perhaps, this is done in the event the computer’s user deletes the Trojan before disk encryption is complete.

It generates a 32-symbol password for the disk encryption using the following alphabet:

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

It collects the following information about the infected computer and generates the following structure:

struct __declspec(align(1)) st_pcinfo
{
  _DWORD id;
  _DWORD lcid;
  _DWORD timezone_bias;
  char RndBuf[33];
  wchar_t langroup[];
  wchar_t computername[];
};

where id — a parameter obtained via the command line. The structure has a fixed size of 0xF0. If values langroup or computername are too long, they are skipped. This structure is encrypted with the public key, then a new structure is generated, which looks the following way:

struct __declspec(align(1)) st_encrypted
{
  _BYTE byte0;
  _DWORD id;
  _BYTE enc_data[240];
  _DWORD crc32;
};

where value byte0 == 100, id — a parameter obtained via the command line, enc_data — data encrypted with the public key, crc32 — a control sum of all previous fields. This structure is encrypted using the Base64 algorithm and written to MBR.

The disk encryption algorithm and a bootloader were taken from the Diskcryptor project with an open source code with minor changes. The Trojan searches for the first system disk and installs its loader there. Then contents of this disk are encrypted. After the encryption, it shuts down the OS via “shutdown.exe /r /t 0 /f”.

Encryption worm

Code fraction of the encryption worm is adopted from Trojan.Encoder.12544. It has two exports — #1 and #2. It can receive parameters of the command line: if a number is not indicated in these parameters, it uses a value 45 by default. It understands a parameter -h, which, presumably, is used to add a host to a list for the following infection. A parameter -f is used for modification of flags detected in the process system.

Export #1

Launched from the dropper. Tries to obtain the following privileges:

• SeShutdownPrivilege
• SeDebugPrivilege
• SeTcbPrivilege

Uses hashes to search for the following launched processes:

0x4A241C3E dwwatcher.exe
0x923CA517 McTray.exe
0x966D0415 dwarkdaemon.exe
0xAA331620 dwservice.exe
0xC8F10976 mfevtps.exe
0xE2517A14 dwengine.exe
0xE5A05A00 mcshield.exe

If such processes are detected, the first stage of encryption is skipped. Loads its file to the memory, makes preparations to launch it from the memory and sends controls there. Frees its library from the memory using a function FreeLibrary. Rewrites its file with trash data, deletes it, and then again passes control to the first export but with an installed flag “launched from the memory”.

The preventive control of the restart is performed only using Mutex, whose name is calculated on the basis of the name of the infected computer and hash of the malicious program image in the memory.

Checks the availability of a file C:\Windows\cscc.dat. If it is detected, the Trojan shuts down.

If SeDebugPrivilege is present, extracts from compressed sources a driver, which complies with the system bitness:

• 59cd4907a438b8300a467cee1c6fc31135757039 for a 32-bit Windows version;
• 08f94684e83a27f2414f439975b7f8a6d61fc056 for a 64-bit Windows version;

The extracted driver is saved in a file to C:\Windows\cscc.dat.

Then the encoder tries to shut down the running process rundll32.exe. Extracts from the sources a file with SHA1 afeee8b4acff87bc469a6f0364a81ae5d60a2add and saves it to C:\Windows\dispci.exe or %ALLUSERSPROFILE%\dispci.exe depending on the processes launched in the system. In the Task Manager, deletes a task “rhaegal” by executing the command “schtasks /Delete /F /TN rhaegal” and once again creates a task with the same name in order to launch dispci.exe with command-line parameters “-id %randomNumber%”. After that it registers a system service with a name “cscc”, a description “Windows Client Side Caching DDriver” to launch cscc.dat via execution of CreateService. If the Trojan fails to register this service, it attempts to create a service with a name “cdfs” by modifying the system registry. After that, the Trojan creates a task called “drogon” to restart the computer.

The Trojan runs two threads: the first one is used to wait for the session completion via GetSystemMetrics and to clear logs Setup, System, Security and Application via wevtutil, it also clears the USN log of the disk C via fsutil usn deletejournal. It also deletes the task “drogon”. The second thread collects IP addresses of network servers for the following spreading of the worm.

The Trojan extracts the Mimikatz tools to intercept passwords of open Windows sessions. Depending on an operating system’s capacity, the Trojan unpacks the respective version of the tool.

• 16605a4a29a101208457c47ebfde788487be788d (Tool.Mimikatz.231) for a 32-bit Windows version;
• 413eba3973a15c1a6429d9f170f3e8287f98c21c (Tool.Mimikatz.232) for a 64-bit Windows version.

The respective tool is saved with an arbitrary name to the C:\Windows folder, and then it is launched. Then the malicious program searches for network folders available for writing, tries to open them using the obtained account data and saves its copy there.

File encryption

The Trojan generates 0x21 bites of arbitrary data, transcribes them to 0x20 of printed symbols, and on the basis of the resulting string forms a key for AES. One key is used to encrypt all files. This key along with the system information is encrypted with the public RSA key stored in the Trojan and saved to a file with a ransom demands. At the present moment, decryption of files is impossible.

News about the Trojan