BACKSWING - Pulling a BADRABBIT Out of a Hat | Mandiant
Common Information

Type | Value
UUID | b201c1c8-f795-40e7-921e-900a12499da8
Fingerprint | d09199f181fb2663
Analysis status | DONE
Considered CTI value | 2
Text language |
Published | Oct. 26, 2017, midnight
Added to db | Nov. 6, 2023, 7:03 p.m.
Last updated | Nov. 17, 2024, 6:54 p.m.
Headline | BACKSWING - Pulling a BADRABBIT Out of a Hat
Title | BACKSWING - Pulling a BADRABBIT Out of a Hat | Mandiant
Detected Hints/Tags/Attributes | 96/4/144

RSS Feed

Id | Enabled | Feed title | Url | Added to db
330 |  | Threat Intelligence | https://www.mandiant.com/resources/blog/rss.xml | 2024-08-30 22:08
Attributes

Type | #Events | CTI Value | Value
Domain | 4 |  | www.mediaport.ua
Domain | 13 |  | 1dnscontrol.com
Domain | 3 |  | blog.fontanka.ru
Domain | 3 |  | www.aica.co.jp
Domain | 5 |  | www.fontanka.ru
Domain | 1 |  | www.smetkoplan.com
Domain | 2 |  | akvadom.kiev.ua
Domain | 2 |  | bahmut.com.ua
Domain | 1 |  | dfkiueswbgfreiwfsd.tk
Domain | 2 |  | bitte.net.ua
Domain | 1 |  | bon-vivasan.com.ua
Domain | 1 |  | bonitka.com.ua
Domain | 1 |  | camp.mrt.gov.me
Domain | 1 |  | evrosmazki.ua
Domain | 1 |  | forum.andronova.net
Domain | 2 |  | grandua.ua
Domain | 5 |  | grupovo.bg
Domain | 1 |  | hr.pensionhotel.com
Domain | 4 |  | i24.com.ua
Domain | 1 |  | icase.lg.ua
Domain | 2 |  | montenegro-today.com
Domain | 1 |  | montenegro-today.ru
Domain | 3 |  | most-dnepr.info
Domain | 1 |  | obereg-t.com
Domain | 1 |  | sarktur.com
Domain | 1 |  | school12.cn.ua
Domain | 1 |  | sinematurk.com
Domain | 1 |  | vgoru.org
Domain | 1 |  | www.2000.ua
Domain | 1 |  | www.444android.com
Domain | 1 |  | www.alapli.bel.tr
Domain | 1 |  | www.ambilet.ro
Domain | 2 |  | www.andronova.net
Domain | 2 |  | www.chnu.edu.ua
Domain | 2 |  | www.dermavieskin.com
Domain | 1 |  | bodum-online.gq
Domain | 1 |  | www.evrosmazki.ua
Domain | 1 |  | www.hercegnovi.me
Domain | 1 |  | www.len.ru
Domain | 2 |  | www.montenegro-today.com
Domain | 4 |  | www.otbrana.com
Domain | 1 |  | www.pensionhotel.be
Domain | 3 |  | www.pensionhotel.cz
Domain | 1 |  | www.pensionhotel.de
Domain | 1 |  | www.pensionhotel.dk
Domain | 1 |  | www.pensionhotel.nl
Domain | 1 |  | www.pensionhotel.pl
Domain | 1 |  | www.pensionhotel.ro
Domain | 1 |  | www.pensionhotel.sk
Domain | 5 |  | www.sinematurk.com
Domain | 4 |  | ks.ua
Domain | 2 |  | www.teknolojihaber.net
Domain | 2 |  | www.uscc.ua
Domain | 2 |  | www.vertizontal.ro
Domain | 1 |  | www.visa3777.com
Domain | 1 |  | www.www.pensionhotel.de
File | 15 |  | install_flash_player.exe
File | 1 |  | page-main.js
File | 66 |  | www.ai
File | 3 |  | install_flashplayer.exe
File | 12 |  | infpub.dat
File | 1 |  | c:\windows directory and executes it using rundll32.exe
File | 10 |  | c:\windows\infpub.dat
File | 6 |  | 3ds.7z
File | 6 |  | accdb.ai
File | 3 |  | asm.asp
File | 6 |  | back.bak
File | 3 |  | c.cab
File | 3 |  | cc.cer
File | 6 |  | conf.cpp
File | 3 |  | crt.cs
File | 3 |  | cxx.dbf
File | 3 |  | der.dib
File | 6 |  | disk.djvu
File | 12 |  | doc.docx
File | 6 |  | dwg.eml
File | 5 |  | fdb.gz
File | 3 |  | hxx.iso
File | 3 |  | jfif.jpe
File | 3 |  | jpeg.jpg
File | 3 |  | kdbx.key
File | 5 |  | mail.mdb
File | 3 |  | nrg.odc
File | 3 |  | odi.odm
File | 3 |  | odp.ods
File | 3 |  | ovf.p12
File | 5 |  | p7b.p7c
File | 4 |  | pem.pfx
File | 3 |  | pmf.png
File | 3 |  | ppt.pptx
File | 3 |  | ps1.pst
File | 5 |  | pvi.py
File | 3 |  | pyc.py
File | 3 |  | qcow2.rar
File | 3 |  | rb.rtf
File | 3 |  | scm.sln
File | 6 |  | sql.tar
File | 3 |  | tib.tif
File | 2 |  | tiff.vb
File | 3 |  | vbox.vbs
File | 5 |  | vcb.vdi
File | 5 |  | vmc.vmdk
File | 5 |  | work.xls
File | 3 |  | xlsx.xml
File | 4 |  | xvd.zip
File | 367 |  | readme.txt
File | 11 |  | dispci.exe
File | 11 |  | cscc.dat
File | 1 |  | 651d.tmp
File | 240 |  | wmic.exe
File | 17 |  | malware.bin
File | 10 |  | ary.exe
File | 1018 |  | rundll32.exe
File | 2 |  | %windir%\system32\shutdown.exe
md5 | 2 |  | FBBDC39AF1139AEBBA4DA004475E8839
md5 | 1 |  | C4F26ED277B51EF45FA180BE597D96E8
md5 | 1 |  | 1D724F95C61F1055F0D02C2154BBCCD3
md5 | 1 |  | B14D8FAF7F0CBCFAD051CEFE5F39645F
md5 | 1 |  | B4E6D97DAFD9224ED9A547D52C26CE02
md5 | 1 |  | EDB72F4A46C39452D1A5414F7D26454A
md5 | 1 |  | 37945C44A897AA42A66ADCAB68F560E0
md5 | 1 |  | 347AC3B6B791054DE3E5720A7144A977
IPv4 | 7 |  | 185.149.120.3
IPv4 | 2 |  | 172.97.69.79
IPv4 | 2 |  | 38.84.134.15
IPv4 | 2 |  | 91.236.116.50
IPv4 | 1 |  | 104.244.159.23
IPv4 | 1 |  | 46.20.1.98
Url | 1 |  | http://www.mediaport.ua/sites/default/files/page-main.js
Url | 2 |  | http://185.149.120.3/scholargoogle
Url | 1 |  | http://172.97.69.79/i
Url | 1 |  | http://38.84.134.15/core/engine/index/default
Url | 1 |  | http://dfkiueswbgfreiwfsd.tk/i
Url | 1 |  | http://38.84.134.15/core/engine/index/two
Url | 1 |  | http://91.236.116.50/core/engine/index/two
Url | 1 |  | http://104.244.159.23:8080/i
Url | 1 |  | https://bodum-online.gq/core/engine/index/three
Url | 1 |  | http://185.149.120.3/scholasgoogle
Url | 1 |  | http://46.20.1.98/scholargoogle
Url | 1 |  | http://91.236.116.50/core/engine/index/three
Yara rule | 1 |  | FE_Trojan_BADRABBIT_DROPPER (rule text follows)
rule FE_Trojan_BADRABBIT_DROPPER {
	meta:
		author = "muhammad.umair"
		md5 = "fbbdc39af1139aebba4da004475e8839"
		rev = 1
	strings:
		$api1 = "GetSystemDirectoryW" fullword
		$api2 = "GetModuleFileNameW" fullword
		$dropped_dll = "infpub.dat" ascii wide fullword
		$exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii wide fullword
		$extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
	condition:
		(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}
Yara rule | 1 |  | FE_Worm_BADRABBIT (rule text follows)
rule FE_Worm_BADRABBIT {
	meta:
		author = "muhammad.umair"
		md5 = "1d724f95c61f1055f0d02c2154bbccd3"
		rev = 1
	strings:
		$api1 = "WNetAddConnection2W" fullword
		$api2 = "CredEnumerateW" fullword
		$api3 = "DuplicateTokenEx" fullword
		$api4 = "GetIpNetTable"
		$del_tasks = "schtasks /Delete /F /TN drogon" ascii wide fullword
		$dropped_driver = "cscc.dat" ascii wide fullword
		$exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii wide fullword
		$iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
		$share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii wide fullword
	condition:
		(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}
Yara rule | 1 |  | FE_Trojan_BADRABBIT_MIMIKATZ (rule text follows)
rule FE_Trojan_BADRABBIT_MIMIKATZ {
	meta:
		author = "muhammad.umair"
		md5 = "37945c44a897aa42a66adcab68f560e0"
		rev = 1
	strings:
		$api1 = "WriteProcessMemory" fullword
		$api2 = "SetSecurityDescriptorDacl" fullword
		$api_str1 = "BCryptDecrypt" ascii wide fullword
		$mimi_str = "CredentialKeys" ascii wide fullword
		$wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
	condition:
		(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}
Yara rule | 1 |  | FE_Trojan_BADRABBIT_DISKENCRYPTOR (rule text follows)
rule FE_Trojan_BADRABBIT_DISKENCRYPTOR {
	meta:
		author = "muhammad.umair"
		md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
		rev = 1
	strings:
		$api1 = "CryptAcquireContextW" fullword
		$api2 = "CryptEncrypt" fullword
		$api3 = "NetWkstaGetInfo" fullword
		$decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
		$msg1 = "Disk decryption progress..." ascii wide fullword
		$task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST d:d:00" ascii wide fullword
		$tok1 = "\\\\.\\dcrypt" ascii wide fullword
		$tok2 = "C:\\Windows\\cscc.dat" ascii wide fullword
	condition:
		(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
}