badrabbit

General

Target

Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe
Size

148KB
Sample

230720-23hkxaba64
MD5

3ce563e899291b59fa8c57c98cad9b4e
SHA1

7157cc9cf910735727b6601ad4d532cdd0fedc7e
SHA256

4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304
SHA512

827dc0e9f9212ec0d4c1e8c7180c33d387548f7de6d0b45a2eef01f22f69ee571d3f2f8b610b8f671f4b25abaa578431ce758a5e41740e7b8c63ca85ef953469
SSDEEP

3072:/UuL1hDewdkuaLYO/IBK2btFVL1xTevRUyZDDdnN5:/Ue1hyioVgBhnNPK5FZD5n

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\szj2bat4.aao\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe
- Size
  
  148KB
- MD5
  
  3ce563e899291b59fa8c57c98cad9b4e
- SHA1
  
  7157cc9cf910735727b6601ad4d532cdd0fedc7e
- SHA256
  
  4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304
- SHA512
  
  827dc0e9f9212ec0d4c1e8c7180c33d387548f7de6d0b45a2eef01f22f69ee571d3f2f8b610b8f671f4b25abaa578431ce758a5e41740e7b8c63ca85ef953469
- SSDEEP
  
  3072:/UuL1hDewdkuaLYO/IBK2btFVL1xTevRUyZDDdnN5:/Ue1hyioVgBhnNPK5FZD5n
Score

10^/10

badrabbit mimikatz wannacry discovery evasion persistence ransomware upx worm
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Modifies WinLogon for persistence
  persistence
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- mimikatz is an open source tool to dump credentials on Windows
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
behavioral1