- BadRabbit IOCs
- Onion site for payment: hXXp://caforssztxqzf2nm[.]onion
- Payload delivery URL: hXXp://1dnscontrol[.]com/flash_install.php
- Compromised sites used for distribution (list of defanged domains omitted here)
- Hashes (SHA-1):
  - de5c8d858e6e41da715dca1c019df0bfb92d32c0 (installflashplayer.exe)
  - 79116fe99f2b421c52ef64097f0f39b815b20907 (infpub.dat). Possible vaccination, similar to Petya's perfc.dat: creating this file on the system beforehand can (likely) stop the infection. See https://twitter.com/0xAmit/status/922911491694694401
  - 2d963fcd2c6bcba05735a88ea4cbf6fd5f89a21c (infpub.dat)
  - afeee8b4acff87bc469a6f0364a81ae5d60a2add (dispci.exe)
- Uses its own SMB discovery module and a Mimikatz-like module
  - https://www.hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100
- Vendor detections:
  - https://success.trendmicro.com/solution/1118637
- Blogs:
  - http://blog.talosintelligence.com/2017/10/bad-rabbit.html
  - https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/