badrabbit

General

Target

BobaFett 8.zip
Size

153.9MB
Sample

241203-m83qpssnfy
MD5

ba5192dc7247a7a8c2d790dad5d34fa4
SHA1

5f3ff87e021e1e68f7e00fdd7ae92cbf0ae5796d
SHA256

e85198201b19cdd32291f5fe1a969058d9cdbe6e6621b28ae3a985db45fae71e
SHA512

c62e4fdd56e246ec5199eae0759b9cf45bd123efaf5dc67d2ccd57b7c339cf70a64a2b833a0ab0b50b402dd0ba04369e40af55899fd48aef2b40939a5a77098e
SSDEEP

3145728:q6b/eDKL1opqRh/rzI7LAQDCFeWL2aCKoyo7u044aJ5Zu6MNUvwwO+CPV7XN:OKL12qvr0AQDAeE2XKtoC044Gz/O+CRN

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___5BMJ2W_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/2435-6248-F759-0098-BADA Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/2435-6248-F759-0098-BADA 2. http://xpcx6erilkjced3j.19kdeh.top/2435-6248-F759-0098-BADA 3. http://xpcx6erilkjced3j.1mpsnr.top/2435-6248-F759-0098-BADA 4. http://xpcx6erilkjced3j.18ey8e.top/2435-6248-F759-0098-BADA 5. http://xpcx6erilkjced3j.17gcun.top/2435-6248-F759-0098-BADA ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.1n5mod.top/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.19kdeh.top/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.1mpsnr.top/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.18ey8e.top/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.17gcun.top/2435-6248-F759-0098-BADA

Targets

- Target
  
  BobaFett/data/21
- Size
  
  72KB
- MD5
  
  6427a151bf58d55a2d2206becaa6c828
- SHA1
  
  7503d61ce2d978e8a13896b77fee81f76a096e8b
- SHA256
  
  0215d2b283a12a5a545cc99256c42d963f6c379392bc89242f54dd5e66d61fc3
- SHA512
  
  582eaac5621eafe8c4ee5111108633b4199f23b21c6476b3a4e58d40453d57e187d3abaedd151658604d874e679eaa76b0200fb471f4cab91f2cdaa7b227d8b7
- SSDEEP
  
  1536:edKS8RJA67OK1jlLfXso8Z6rD/EFD32/2fWt4DnqPOvwETg:2KDTzjNko8Z6H/4zVK4lv70
Score

10^/10

badrabbit cerber mimikatz bootkit discovery evasion execution persistence privilege_escalation ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Badrabbit family
  badrabbit
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Blocklisted process makes network request
- Contacts a large (1143) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1