BadRabbit With the RSA NetWitness Suite

HalimAbouzeid
‎2017-10-25 11:18 AM

BadRabbit is a new ransomware that has been targeting unsuspecting victims across Eastern Europe. Upon infection, the malware tries to spread laterally via SMB and by trying to dump passwords using mimikatz. It then encrypts documents on the local machine, modifies the MBR and reboots the machine, making it impossible to boot without paying the ransom.

The following are examples of the visibility an enterprise that has RSA NetWitness Endpoint and Packets would have when a machine gets infected.

First, from the perspective of RSA NetWitness Packets, it is possible to see the SMB traffic generated by the infected machine as it tries to log in using a set of hard-coded usernames and passwords (full list available here: BadRabbit credential dictionary - Pastebin.com).

[Screenshot: netwitness-smb.PNG]
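The SMB pattern in the screenshot above, one source host cycling through a dictionary of usernames against its neighbours, is easy to turn into a detection rule. The following is an added example, not code from the original post or from NetWitness: it parses a constructed, simplified SMB logon log (timestamp, source, destination, username, result) and flags any source whose failed logons inside a 60-second window used at least five distinct usernames, recording as well the hosts on which a later logon from that source succeeded. The log format, the IP addresses and the usernames are all constructed for the example and are not the malware's real dictionary.

```python
# Added example, not code from the original post: flag SMB logon bursts in
# which one source host cycles through many usernames, the wire-level pattern
# the post describes for BadRabbit's hard-coded credential dictionary.
# The log line format below is constructed for this example, not NetWitness's.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, destination IP, username, result.
# The usernames are placeholders, not the malware's actual dictionary.
SAMPLE_SMB_EVENTS = """\
2017-10-24T09:00:01Z 10.0.0.15 10.0.0.20 Administrator FAILURE
2017-10-24T09:00:01Z 10.0.0.15 10.0.0.20 Admin FAILURE
2017-10-24T09:00:02Z 10.0.0.15 10.0.0.20 Guest FAILURE
2017-10-24T09:00:02Z 10.0.0.15 10.0.0.20 User FAILURE
2017-10-24T09:00:03Z 10.0.0.15 10.0.0.20 root FAILURE
2017-10-24T09:00:03Z 10.0.0.15 10.0.0.20 backup FAILURE
2017-10-24T09:00:04Z 10.0.0.15 10.0.0.21 Administrator FAILURE
2017-10-24T09:00:05Z 10.0.0.15 10.0.0.21 Admin SUCCESS
2017-10-24T09:01:00Z 10.0.0.30 10.0.0.20 jsmith SUCCESS
2017-10-24T09:02:00Z 10.0.0.30 10.0.0.20 jsmith FAILURE
"""


def parse_smb_events(text):
    """Parse the constructed log format into (time, src, dst, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_spray(events, window=timedelta(seconds=60), min_users=5):
    """Return one finding per source host whose failed SMB logons within `window`
    used at least `min_users` distinct usernames.  Each finding also lists the
    hosts on which a later logon from that source succeeded, which is what a
    successful lateral move looks like after the dictionary run."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[4] == "FAILURE"]
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - start[0] <= window]
            users = {e[3] for e in in_window}
            if len(users) < min_users:
                continue
            findings[src] = {
                "window_start": start[0].isoformat(),
                "distinct_users": len(users),
                "targets": sorted({e[2] for e in in_window}),
                "success_after_spray": sorted({e[2] for e in evs
                                               if e[4] == "SUCCESS" and e[0] >= start[0]}),
            }
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_spray(parse_smb_events(SAMPLE_SMB_EVENTS)).items():
        print(src, finding)
```

On the sample data only 10.0.0.15 is reported (six distinct usernames in four seconds, with a success on 10.0.0.21 right after the burst), while the single failed logon from 10.0.0.30 stays below the threshold. The distinct-username count is what separates a dictionary run from an ordinary user mistyping a password several times; tune `window` and `min_users` to the noise level of your own SMB logs.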

 

From the perspective of RSA NetWitness Endpoint, we can see the following.

We can identify the modules that are part of the attack:

[Screenshot: modules.PNG]

- B4DD.tmp is a version of mimikatz, used to dump passwords from lsass.exe

- cscc.dat is a legitimate tool used for the encryption

- shutdown.exe is used by the malware to restart the machine

 

By analyzing those modules we can get a bit more detail.

For example, by analyzing dispci.exe we can see the file extensions it looks for to encrypt:

[Screenshot: extensions.PNG]

As well as some of the encryption/decryption messages that would eventually pop up for the user:

[Screenshot: messages-discpci.PNG]

 

If we then look at the triggered IIOCs and behaviors:

[Screenshot: iiocs.PNG]

1- The malware is reading a large number of documents in a short period of time (typical ransomware behavior)

2- Reported as malicious by the reputation service (Reversing Labs)

 

If we want more detail on what happened, we can look at the tracking data:

[Screenshot: tracking1.PNG]

1- the different modules needed by the malware are dropped to disk

2- it removes any previous tasks installed by the malware (notice that the task names reference the names of the dragons in Game of Thrones)

3- new scheduled tasks are added to run the encryption with the victim's ID and then shut down the machine

4- we then see B4DD.tmp (mimikatz) accessing lsass.exe to try to dump credentials

5- it then accesses all the documents whose extensions match, so they can be encrypted

[Screenshot: tracking2.PNG]

6- it then deletes logs and events

7- and finally removes/adds scheduled tasks to restart the machine
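The IIOC ("reads a large number of documents in a short period of time") and the tracking steps above describe behaviours rather than signatures, and each of them can be checked from endpoint telemetry without knowing the malware's hashes. The following is an added example, not code from the original post or from NetWitness: it runs a small triage pass over a constructed endpoint event format (timestamp, process, action, target) and reports processes that read many documents inside a short window, processes that opened lsass.exe, scheduled-task creations whose command shuts the host down, and event-log clearing. The event format, the file paths and the document-extension list are constructed for the example; the post's screenshot holds the malware's real extension list.

```python
# Added example, not code from the original post: a small triage pass over
# endpoint tracking events that looks for the behaviours the post walks
# through (bulk document reads by one process, a process opening lsass.exe,
# scheduled tasks that shut the machine down, log clearing).
# The event format is constructed for this example, not NetWitness's own.
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of document extensions; the post's screenshot shows the
# malware's own list.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# Constructed sample events: timestamp, process, action, target (rest of line).
SAMPLE_TRACKING = """\
2017-10-24T10:00:00Z dispci.exe READ C:\\Users\\bob\\Documents\\q3.xlsx
2017-10-24T10:00:00Z dispci.exe READ C:\\Users\\bob\\Documents\\plan.docx
2017-10-24T10:00:01Z dispci.exe READ C:\\Users\\bob\\Documents\\notes.pdf
2017-10-24T10:00:01Z dispci.exe READ C:\\Users\\bob\\Documents\\deck.pptx
2017-10-24T10:00:02Z dispci.exe READ C:\\Users\\bob\\Documents\\budget.xls
2017-10-24T10:00:05Z B4DD.tmp OPENPROCESS lsass.exe
2017-10-24T10:00:06Z schtasks.exe CREATE_TASK restart_task: shutdown.exe
2017-10-24T10:00:07Z winword.exe READ C:\\Users\\bob\\Documents\\letter.docx
2017-10-24T10:00:08Z wevtutil.exe CLEAR_LOG Security
"""


def parse_tracking(text):
    """Parse the constructed format into (time, process, action, target) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, action, target = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proc, action, target))
    return sorted(events, key=lambda e: e[0])


def document_read_bursts(events, window=timedelta(seconds=10), min_files=5):
    """Map process -> number of distinct documents it read inside one `window`
    (the 'reads a large number of documents in a short time' IIOC)."""
    reads = defaultdict(list)
    for ts, proc, action, target in events:
        if action == "READ" and os.path.splitext(target)[1].lower() in DOCUMENT_EXTENSIONS:
            reads[proc].append((ts, target))
    bursts = {}
    for proc, items in reads.items():
        for i, (start, _) in enumerate(items):
            files = {path for t0, path in items[i:] if t0 - start <= window}
            if len(files) >= min_files:
                bursts[proc] = len(files)
                break
    return bursts


def lsass_access(events):
    """Processes that opened a handle to lsass.exe (credential-dumping indicator)."""
    return sorted({proc for _, proc, action, target in events
                   if action == "OPENPROCESS" and target.lower() == "lsass.exe"})


def shutdown_tasks(events):
    """Scheduled-task creations whose command restarts or shuts down the host."""
    return [target for _, _, action, target in events
            if action == "CREATE_TASK" and "shutdown" in target.lower()]


def log_clearing(events):
    """(process, log) pairs for event-log clearing, the 'deletes logs and events' step."""
    return [(proc, target) for _, proc, action, target in events if action == "CLEAR_LOG"]


def triage(text):
    """Run every check over the raw event text and collect the findings."""
    events = parse_tracking(text)
    return {
        "document_bursts": document_read_bursts(events),
        "lsass_access": lsass_access(events),
        "shutdown_tasks": shutdown_tasks(events),
        "log_clearing": log_clearing(events),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_TRACKING).items():
        print(name, result)
```

On the sample events dispci.exe is reported for five distinct documents within two seconds while winword.exe, which read a single file, is not; B4DD.tmp shows up under lsass access, the restart task under shutdown tasks and wevtutil.exe under log clearing. None of these checks depends on a hash, which is why the post's point about detecting new malware without signatures holds: a renamed or recompiled sample still has to read the documents, touch lsass.exe and clear the logs.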

 

Once the machine restarts, the victim is unable to boot into Windows and gets the following message:

[Screenshot: Capture.PNG]

 

This shows how RSA NetWitness Packets and Endpoint can help provide early notification and detection for new breeds of malware without relying on known signatures, and how they can be used to easily look for IOCs and indicators to quickly respond and identify compromised machines.

 

Some indicators that can be used

File hashes (SHA-1):

de5c8d858e6e41da715dca1c019df0bfb92d32c0 (install_flash_player.exe)
afeee8b4acff87bc469a6f0364a81ae5d60a2add (dispci.exe)
79116fe99f2b421c52ef64097f0f39b815b20907 (infopub.dat)
413eba3973a15c1a6429d9f170f3e8287f98c21c (Mimikatz 32-bit)
16605a4a29a101208457c47ebfde788487be788d (Mimikatz 64-bit)

Domains / URLs:

1dnscontrol[.]com/flash_install.php
1dnscontrol[.]com/install_flash_player.exe

Usernames/passwords (SMB):

BadRabbit credential dictionary - Pastebin.com
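The hashes and the defanged domain above are only useful once they are fed into something that checks hosts and logs against them. The following is an added example, not code from the original post or from NetWitness: it sweeps a directory tree computing SHA-1 per file and reporting matches against the post's hash list, and it checks proxy log lines (a constructed format: timestamp, client IP, URL, HTTP status) for the post's domain after refanging it, matching subdomains as well. The proxy log lines, the client IPs and the `demo_scan` self-check file are constructed; `EMPTY_FILE_SHA1` is the SHA-1 of empty input and is there only so the self-check has a known file to hit.

```python
# Added example, not code from the original post: sweep a directory for the
# SHA-1 file hashes the post lists and check constructed proxy log lines for
# the defanged domain, so the indicators can be used directly in a response.
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# SHA-1 hashes from the post (40 hex characters): install_flash_player.exe,
# dispci.exe, infopub.dat, Mimikatz 32-bit, Mimikatz 64-bit.
BADRABBIT_SHA1 = {
    "de5c8d858e6e41da715dca1c019df0bfb92d32c0",
    "afeee8b4acff87bc469a6f0364a81ae5d60a2add",
    "79116fe99f2b421c52ef64097f0f39b815b20907",
    "413eba3973a15c1a6429d9f170f3e8287f98c21c",
    "16605a4a29a101208457c47ebfde788487be788d",
}
# Defanged domain from the post; refang() restores it for matching.
BADRABBIT_DOMAINS = {"1dnscontrol[.]com"}

# Constructed proxy log lines: timestamp, client IP, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2017-10-24T08:59:50Z 10.0.0.15 http://1dnscontrol.com/flash_install.php 200
2017-10-24T08:59:55Z 10.0.0.15 http://1dnscontrol.com/install_flash_player.exe 200
2017-10-24T09:10:00Z 10.0.0.30 http://example.com/index.html 200
"""


def refang(indicator):
    """Turn the defanged form used in reports ('[.]') back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


def sha1_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, iocs=BADRABBIT_SHA1):
    """Return {path: sha1} for every regular file under root whose hash is in iocs."""
    matches = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the sweep
            if digest in iocs:
                matches[path] = digest
    return matches


def find_domain_hits(log_lines, domains=BADRABBIT_DOMAINS):
    """Return the proxy records whose host is one of the domains or a subdomain of it."""
    wanted = {refang(d) for d in domains}
    hits = []
    for line in log_lines:
        if not line.strip():
            continue
        ts, client, url, status = line.split()
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in wanted):
            hits.append({"time": ts, "client": client, "url": url, "status": status})
    return hits


# SHA-1 of empty input; used only so the self-check below has a known file to hit.
EMPTY_FILE_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"


def demo_scan():
    """Create a throwaway directory with one empty file and sweep it with the
    BadRabbit set plus the empty-file hash, returning matches keyed by filename."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "sample.bin"), "wb").close()
        found = scan_directory(tmp, BADRABBIT_SHA1 | {EMPTY_FILE_SHA1})
        return {os.path.basename(p): h for p, h in found.items()}


if __name__ == "__main__":
    print(demo_scan())
    for hit in find_domain_hits(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
```

A hash sweep only catches the exact files listed, so it confirms a known infection rather than detecting a new variant; the proxy check is the more durable of the two indicators here because both of the post's URLs sit under the same domain, and the subdomain match covers hosts under it as well. Point `scan_directory` at the paths where the dropped modules were seen in the tracking data rather than at whole volumes if the sweep has to finish quickly.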
