1. Home
  2. Software
  3. Bad Rabbit

Bad Rabbit

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]

ID: S0606
Associated Software: Win32/Diskcoder.D
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 09 February 2021
Last Modified: 17 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.[1]
Enterprise T1110 .003 Brute Force: Password Spraying

Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines.[1]
Enterprise T1486 Data Encrypted for Impact

Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.[1]
Enterprise T1189 Drive-by Compromise

Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file.[2][1]
Enterprise T1210 Exploitation of Remote Services

Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks.[1]
Enterprise T1495 Firmware Corruption

Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.[2][1]
Enterprise T1106 Native API

Bad Rabbit has used various Windows API calls.[2]
Enterprise T1135 Network Share Discovery

Bad Rabbit enumerates open SMB shares on internal victim networks.[2]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.[2]
Enterprise T1057 Process Discovery

Bad Rabbit can enumerate all running processes to compare hashes.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Bad Rabbit’s infpub.dat file creates a scheduled task to launch a malicious executable.[1]
Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Bad Rabbit has used rundll32 to launch a malicious DLL as C:Windowsinfpub.dat.[1]
Enterprise T1569 .002 System Services: Service Execution

Bad Rabbit drops a file named infpub.datinto the Windows directory and is executed through SCManager and rundll.exe.
Enterprise T1204 .002 User Execution: Malicious File

Bad Rabbit has been executed through user installation of an executable disguised as a flash installer.[2][1]

References

  1. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  2. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  1. Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.