by Alexandre Buirette-Carle, Reverse Engineer
This malware report aims at giving a technical analysis of the BadRabbit ransomware using the Orion Malware analysis platform. It gives a technical interpretation of the Orion Malware report and focuses on discussing the similarities and distinctions between BadRabbit and NotPetya’s design and behaviour.
What’s the Difference Between Bad Rabbit and NotPetya?
BadRabbit is made of a first stage payload, which ships the BadRabbit DLL and third-party utilities, making a substantial difference with the NotPetya infection process which was shipped through MeDoc updates (An Ukrainian accounting software). Moreover, BadRabbit differs from NotPetya in another point:
BadRabbit encrypts hard drives partitions with DiskCryptor utility, an open source disk encryption solution.
However, the analysis of the malicious DLL reveals relevant similarities between the two malware families, like the Master Boot Record (MBR) modification, the private network spreading and the use of the WebDAV protocol.
A Technical Analysis
The overall analysis of BadRabbit provided by Orion Malware highlights the malicious intent of the application. Indeed, many indicators in both static and dynamic analysis demonstrate ransomware abilities like file encryption or MBR modification. The analysis also reports network communications related the BadRabbit’s propagation capacity to spread across the victim’s private network.
This document will go deeper in the analysis of the different modules reports used by the Airbus CyberSecurity Malware Analysis platform and then reveal BadRabbit’s mechanisms.
BadRabbit ransomware is a Windows Executable. It embeds a third-party software called “DiskCryptor” and a packed DLL which contains most of the ransomware functionalities and another malicious application that interacts with the DiskCryptor’s driver.
The following Figure shows the payload tree automatically build by Orion Malware. It shows the dropper at the root level, the application responsible of the interaction with DiskCryptor, dispci.exe and also the DiskCryptor driver (cscc.dat).
The two following figures show Orion Malware overview of the static and dynamic analysis. They offer high-level reading of the program’s design and behaviour.
Static analysis is a technique used to understand sample’s functionalities without executing it. Orion Malware looks for samples properties statically and can raise warnings. However it can be time consuming and can be made harder by many obfuscation techniques (packing, dead code…).
The Import Table (IAT) is a list of Windows API referenced by the application and that may be used during its execution. The Static analysis overview Figure below shows warnings raised about some presupposed features deduced after the automated malware’s imports analysis. Functions declared by the application are used to perform various actions like file manipulations, network communications, crypto operations… Imports analysis of a program can gives an analyst some assumptions on the sample functionalities. Complete static analysis report interpretation will be performed in section “Static Analysis”.
In the overview, Orion Malware raised a warning because it spots some functions like:
GetProcAddress/LoadLibrary, used to dynamically resolve and import Windows API Functions. This technique is commonly used by malware authors in order to hide imports from the import table.
Dynamic analysis consists in the execution of the sample inside a controlled environment, a virtual machine. This virtual machine is instrumented and monitored in order to expose the application’s behaviour. This method can give the analyst a quick and automatic response about the nature of the submitted file. However dynamic analysis can be fooled by some “Anti-VM” tricks. Indeed, a malware can try to detect if it is executed inside a virtual machine and hence stop or perform a fake execution and thus lure the analyst. Fortunately, a major part of the Orion Malware development is to make the sandbox robust to anti-VM techniques. The Figure bellow shows the dynamic analysis overview of BadRabbit, it spotlights its ransomware capabilities, its persistence mechanisms, and the fact that the malware loads a Kernel driver, among other things. Detailed dynamic analysis report analysis is performed in the “Dynamic Analysis” section.
A Static Analysis
Dropper Static Analysis
A quick review of static analysis performed by the platform shows that BadRabbit tries to fool victims by impersonating an Adobe Flash update installer. Malware authors built their executable with exactly the same information than a legit Adobe Flash installer.
BADRABBIT DLL STATIC ANALYSIS
BadRabbit DLL’s static analysis provides more information than the dropper’s. Orion Malware shows that the DLL is able to verify whether it is being debugged, it can be an anti-analysis technique used to prevent an analyst to run the application under a debugger. It can also perform communication with a device driver. All these elements must be investigated by the analyst.
Orion Malware extracts strings embedded inside the malicious binary and shows those corresponding to a possible Indicator of compromise (IOC).
A quick look at strings inside the DLL exposes and email address service[at]caforssztxqzf2nm.onion. Orion Malware change @ in at to prevent automatic link creation. The .onion part of the address indicates that it can be a domain of the Tor network, the popular communication anonymization tool. Further investigations (not in the scope of this document) revealed that it is the domain used by the attackers to ask victims for the ransom payment.
The Figure below shows version information of the BadRabbit DLL. Malware authors intentionally refer to the DiskCryptor open source utility in the “LocalCopyright” field. They also claim that the application product name is “GrayWorm”, the file name is “dispci.exe” and as file description “Microsoft Display Class Installer”. An analyst with some prior knowledge of the BadRabbit ransomware can spot the ransomware with the OriginalFilename field and also understand that the version information contains some weird information, like the product name or the fact that the copyright refers to the DiskCryptor utility, a disk partition encryption tool, but the file description refers to a Microsoft Display Class Installer.
The next figure shows the sections of the BadRabbit DLL. Resources analysis is an important step for an analyst because it can reveal additional malware, configuration file or any other important information.
Interesting thing to note from the resources analysis is the presence of a x86 Boot Sector file at the address 319832. This file may be used to replace the original computer’s MBR.
DLL imports analysis shows that BadRabbit is able to perform:
• File Encryption
• Device Driver Manipulation
• Files and Volumes Manipulation
• Many possible anti-analysis features (GetTickCount, IsDebuggerPresent)
• Processes Creation
• May perform hooks manipulations
This section details BadRabbit behaviour in the controlled environment of the Orion Malware sandbox. The malware’s actions are analysed sequentially from the application initiation phase to the machine reboot initiated by the malware.
FIRST STEPS: UNPACKING AND MAIN PAYLOAD EXECUTION.
Once the fake Adobe Updater application starts, it creates the “inpub.dat” file, namely the BadRabbit DLL, in the C:\Windows folder.
Then the dropper calls infpub.dat’s DllMain() function with the argument ‘15’. Note that since a DLL cannot be executed directly, the launched application is the (legitimate) Windows loader rundll32.exe that will load and execute BadRabbit’s DLL.
SECOND STEP: SECONDARY PAYLOADS AND THIRD PARTIES EXTRACTION
Right after its creation, the BadRabbit DLL process creates a file named “cscc.dat.”
Investigations revealed that this file corresponds to the DiskCryptor’s dcrypt.sys kernel module used to perform the encryption of the victim’s disks partitions.
Then BadRabbit creates the following file: C:\Windows\dispci.exe.
Dispci.exe is the part of BadRabbit ransomware that performs victim’s disk encryption after the computer reboots.
THIRD STEP: PERSISTENCE, DRIVER INSTALLATION, AND REBOOT SCHEDULING
To ensure that all the persistence mechanisms of the BadRabbit ransomware come into effect, the malware’s authors have opted for the Windows Task Scheduler, a Windows application commonly used in malware’s persistence mechanism.
Two scheduled tasks are created throughout the infection:
The first one, named “rhaegal” (/TN rhaegal) is executed under the SYSTEM privilege (/RU SYSTEM) level as the computer starts (/SC ONSTART), and ensures that the dispci.exe file is launched. The executable is called with the argument -id 3893254752 while analysing the malware. This ID refers to the victim identifier.
The second one named “drogon”, also executed under the SYSTEM privilege level, will be executed only one time (/SC once) in order to force the victim’s computer restart and then conducts the victim to see the ransom note. The same technique was used by the NotPetya malware in order to force the computer’s restart.
Finally, the DiskCryptor kernel driver is installed and is controlled by dispci.exe with the aim of encrypting the user’s disks partitions.
The Figure below displays information related to the installed driver.
An analyst can confirm from the previous information warnings raises by the Dynamic Overview.
– installed driver is named “Client Side Caching DDriver” (DisplayName field),
– The driver file is cscc.dat/ the DiskCryptor driver (ImagePath field).
– It is a kernel mode driver (Type: 1),
– And is started automatically by the kernel loader (Start: 0).
FOURTH STEP: FILES ENCRYPTION AND PROPAGATION
BadRabbit encrypts the user’s files and creates a scheduled task to shut down the computer.
During the analysis, the BadRabbit DLL, as NotPetya, performs a network discovery by establishing a connection with all possible IP addresses in the victim’s subnet. Once the malware finds a new victim, it tries to spread itself by copying cscc.dat and infpub.dat on network shares with the WebDAV protocol. It also tries to connect to Server Message Block (SMB) servers and uses stolen or some hard-coded credentials.
The previous figure shows successive connections attempts to various internal network addresses on the SMB port.
Orion Malware analysis capabilities have helped security researchers flag BadRabbit as an IT threat for a company. Thanks to a complementary analysis, static and dynamic, it revealed some BadRabbit’s features.
Orion Malware does not only raise alerts on an infection at its early stage but also enables security analysts to easily interpret and collect many indicators of compromise (IOC), such as network artefacts, created files or registry activity.
About Orion Malware Analysis
Developed by our experts here at Airbus CyberSecurity to quickly analyse any type of file, provide an automated and complete analysis of each file and help decision making at all levels, if you would like to learn more about how you can use Orion Malware as a day-to-day tool, please get in touch.