Bad Rabbit

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]

ID: S0606
Associated Software: Win32/Diskcoder.D
Platforms: Windows
Version: 1.0
Created: 09 February 2021
Last Modified: 17 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.[1]

Enterprise T1110.003 Brute Force: Password Spraying

Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines.[1]

Enterprise T1486 Data Encrypted for Impact

Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.[1]

Enterprise T1189 Drive-by Compromise

Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file.[2][1]

Enterprise T1210 Exploitation of Remote Services

Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks.[1]

Enterprise T1495 Firmware Corruption

Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.[2][1]

Enterprise T1106 Native API

Bad Rabbit has used various Windows API calls.[2]

Enterprise T1135 Network Share Discovery

Bad Rabbit enumerates open SMB shares on internal victim networks.[2]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.[2]

Enterprise T1057 Process Discovery

Bad Rabbit can enumerate all running processes to compare hashes.[1]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Bad Rabbit’s infpub.dat file creates a scheduled task to launch a malicious executable.[1]

Enterprise T1218.011 Signed Binary Proxy Execution: Rundll32

Bad Rabbit has used rundll32 to launch a malicious DLL as C:\Windows\infpub.dat.[1]

Enterprise T1569.002 System Services: Service Execution

Bad Rabbit drops a file named infpub.dat into the Windows directory, which is executed through SCManager and rundll.exe.

Enterprise T1204.002 User Execution: Malicious File

Bad Rabbit has been executed through user installation of an executable disguised as a flash installer.[2][1]