badrabbit

General

Target

Dual_Keres_Prime
Size

780KB
Sample

240705-yaa4kstfrp
MD5

bce9179b0a24eae8fddb8ff9d6a0e210
SHA1

74b17a58bc1847c42ada876191f7435fe4317ff9
SHA256

08920d5fa03dd4c0d63aaa30be026c00d8b5f56c7ebb2852f2c5f021f06ec8f1
SHA512

57d8da2c4fc1d09b6a483f66da8cfb52d5c782b0658018a55ba8e001c5256bd0d4f144b705ce13fa3adcc5116b2a207fd4c03a21a0df75eb1010d514b6e9eb0a
SSDEEP

3072:9+78i5tlGXgRf25KirmhEZlhneOjcF8rdg78kgHH4J:g78iUKiyhEZlhnK8pWhgHG

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  Dual_Keres_Prime
- Size
  
  780KB
- MD5
  
  bce9179b0a24eae8fddb8ff9d6a0e210
- SHA1
  
  74b17a58bc1847c42ada876191f7435fe4317ff9
- SHA256
  
  08920d5fa03dd4c0d63aaa30be026c00d8b5f56c7ebb2852f2c5f021f06ec8f1
- SHA512
  
  57d8da2c4fc1d09b6a483f66da8cfb52d5c782b0658018a55ba8e001c5256bd0d4f144b705ce13fa3adcc5116b2a207fd4c03a21a0df75eb1010d514b6e9eb0a
- SSDEEP
  
  3072:9+78i5tlGXgRf25KirmhEZlhneOjcF8rdg78kgHH4J:g78iUKiyhEZlhnK8pWhgHG
Score

10^/10

badrabbit dharma wannacry defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan upx worm
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Contacts a large (1273) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1