'Bad Rabbit' Ransomware Attack Hits Russia, Ukraine
- Thread starter silversurfer
- Start date
I got some stuff wrong on encryption too.Don't worry mate, I haven't noticed that Lol
We live and learn!! The DLL used by rundll32.exe will also create a file called cscc.dat in the Windows directory ("\\??\\Windows\\cscc.dat"). It will write to it to store executable code once again.
Another file will be created in the Windows directory straight afterwards called dispci.exe. Once again, the bytes are written to it from within the DLL code. The executable is ran once the bytes have been written to it.
You can monitor NtCreateNamedPipeFile, NtFsControlFile, NtDeviceIoControlFile and NtCreateUserProcess/NtResumeThread with break-points to intercept when analysing. You'll be able to keep track of the scheduled task operations with the NtCreateUserProcess break-point because it will use cmd.exe for it (which needs to be spawned) -> check the command line. NtDeviceIoControlFile because the sample uses IOCTL to communicate with a kernel-mode component used for encryption of partitions. Just make sure you are monitoring for other spawns (e.g. rundll32.exe -> child of the launcher).
The kernel-mode part explains why the DLL has code for searching for fixed drives; it will encrypt the partitions but is only interested if the drives are fixed. I hope this is correct info.
There is also functionality for hijacking the Master Boot Record it seems...
It is a pretty nasty threat.
Last edited by a moderator:
- Feb 11, 2017
- 264
Living up to his name "Opcode"... dissecting things to opcode level
May I ask how/where I can begin with to learn such dissecting? Or for example, yesterday's batch of samples consist of a .lnk which launches powershell. Just wonder how and steps to dissect this file for example.
I am no "professional" with malware analysis, far from it haha - look at all the mistakes I made today hahaha. enough about me nowLiving up to his name "Opcode"... dissecting things to opcode level
May I ask how/where I can begin with to learn such dissecting? Or for example, yesterday's batch of samples consist of a .lnk which launches powershell. Just wonder how and steps to dissect this file for example.
As for your question.... Some popular Anti-Virus vendors have written about LNK files and PowerShell, here are some links you might find useful for research:
A Rising Trend: How Attackers are Using LNK Files to Download Malware - TrendLabs Security Intelligence Blog
Improved scripts in .lnk files now deliver Kovter in addition to Locky
https://www.symantec.com/content/da...reased-use-of-powershell-in-attacks-16-en.pdf
Windows Shortcut File or .LNK Files Sneaking In Malware
I wish you luck my friend, and I am sure you will become a great malware analyst!!
Last edited by a moderator:
- May 9, 2017
- 159
What a sparkling write up and description right down to the fine details. Impressive!!!@Weebarra I couldn't agree more, passion and skill are a great combination for sure!!
- Feb 11, 2017
- 264
Thanks!!!!I am no "professional" with malware analysis, far from it haha - look at all the mistakes I made today hahaha. enough about me now
As for your question.... Some popular Anti-Virus vendors have written about LNK files and PowerShell, here are some links you might find useful for research:
A Rising Trend: How Attackers are Using LNK Files to Download Malware - TrendLabs Security Intelligence Blog
Improved scripts in .lnk files now deliver Kovter in addition to Locky
https://www.symantec.com/content/da...reased-use-of-powershell-in-attacks-16-en.pdf
Windows Shortcut File or .LNK Files Sneaking In Malware
I wish you luck my friend, and I am sure you will become a great malware analyst!!
Similar threads
-
- Locked
