BRabbit Lab
Level: Medium
Challenge: BRabbit Lab
In this challenge, we were provided with a .eml file, accompanied by a warning that the case is based on a real ransomware incident.
Q1: The phishing email used to deliver the malicious attachment showed several indicators of a potential social engineering attempt. Recognizing these indicators can help identify similar threats in the future. What is the suspicious email address that sent the attachment?
By analyzing the email header, we can identify both the sender and receiver of the email, providing key insights into its origin and delivery path.

Q2: The ransomware was identified as part of a known malware family. Determining its family name can provide critical insights into its behavior and remediation strategies. What is the family name of the ransomware identified during the investigation?
By uploading the provided file to VirusTotal, we can observe that it is classified under specific malware family labels, as shown in the image below.

Q3: Upon execution, the ransomware dropped a file onto the compromised system to initiate its payload. Identifying this file is essential for understanding its infection process. What is the name of the first file dropped by the ransomware?
Since the key question revolves around execution, our next step is to analyze the email attachment to identify the file dropped by the malware. Upon examining the email, we can see that it includes an .exe file, as shown in the image below.

By using a Base64-to-file conversion tool, we can extract the attachment and analyze it further. After extraction, the downloaded file is named application.bin, which is another alias for the attached executable. We then upload this file to VirusTotal for further inspection.
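The header read in Q1 and the attachment extraction above can be done in one pass from the command line. The following Python is an added example, not part of the original write-up: it parses a constructed .eml with the standard library, takes the bare sender address from the From header, base64-decodes each attachment, checks for the MZ magic bytes and computes the SHA256 that would be looked up in VirusTotal.

```python
"""Triage a phishing .eml: read the sender address, decode each attachment and hash it.
Added example for this write-up, not the lab's own code; the message below is constructed."""
import hashlib
import json
from email import policy
from email.parser import BytesParser

# Constructed sample .eml; the base64 body is just a 36-byte stub beginning with an MZ header.
SAMPLE_EML = b"""\
From: "IT Support" <support@sender.example>
To: victim@target.example
Subject: Please install the attached update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attachment.
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--b1--
"""

def triage_eml(raw: bytes) -> dict:
    """Return the bare From address plus name, size, SHA256 and MZ check per attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Use the address itself, not the display name, which the phisher controls freely.
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else None
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        attachments.append({
            "filename": part.get_filename(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # value to pivot on in VirusTotal
            "is_pe": data[:2] == b"MZ",  # Content-Type can lie; check the magic bytes
        })
    return {"from": from_addr, "attachments": attachments}

if __name__ == "__main__":
    print(json.dumps(triage_eml(SAMPLE_EML), indent=2))
```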

By analyzing the dropped files section and considering the provided clue, a character resembling the letter ‘i’, we can swiftly pinpoint the relevant file. Alternatively, I also analyzed the attached file in Any.Run for further insights.


Q4: Inside the dropped file, the malware contained hardcoded artifacts, including usernames and passwords that could provide clues about its origins or configuration. What is the only person's username found within the dropped file?
To extract strings from the dropped file, we first need to obtain the sample. For this, I used Any.Run. In the process rundll32.exe, under the modules section, we can retrieve the sample infpub.dat for further analysis.

After obtaining the sample, I used the strings command to extract readable characters. To refine the results based on the provided clue, I applied a regex to filter and limit the output, making the analysis more efficient.
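As an added example that is not part of the write-up, the following Python reproduces the strings-plus-regex step on a constructed byte blob. It goes slightly beyond the page by also recovering UTF-16LE (wide) strings, which Windows binaries commonly use and which plain ASCII extraction misses.

```python
"""Pull printable strings from a dropped binary and filter them with a regex.
Added example for this write-up, not the lab's own code; SAMPLE_BLOB is constructed."""
import re

# Constructed stand-in for a dropped DLL body: an ASCII path, a UTF-16LE (wide) user name,
# a short run that is below the length threshold, and a credential-looking string.
SAMPLE_BLOB = (
    b"\x00\x01\x02" + b"C:\\Windows\\infpub.dat" + b"\x00\xff"
    + "Administrator".encode("utf-16-le") + b"\x00\x00"
    + b"ab" + b"\x00\x90" + b"Password: 12345" + b"\x00"
)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Like `strings -e s` plus `strings -e l`: ASCII runs first, then UTF-16LE runs."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs

def grep_strings(data: bytes, pattern: str, min_len: int = 4) -> list:
    """Narrow the output with a regex, the way the write-up filters `strings` results."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in extract_strings(data, min_len) if rx.search(s)]

if __name__ == "__main__":
    for s in grep_strings(SAMPLE_BLOB, r"admin|pass|user"):
        print(s)
```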

Q5: After execution, the ransomware communicated with a C2 server. Recognizing its communication techniques can assist in mitigation. What MITRE ATT&CK sub-technique describes the ransomware’s use of web protocols for sending and receiving data?
Following the MITRE ATT&CK framework, we can identify the technique used in this attack. To pinpoint the sub-technique, I searched within MITRE ATT&CK under the Application Layer Protocol category, using the keyword web protocols to refine the results.


Q6: Persistence mechanisms are a hallmark of sophisticated ransomware. Identifying how persistence was achieved can aid in recovery and prevention of reinfection. What is the MITRE ATT&CK Sub-Technique ID associated with the ransomware’s persistence technique?
Using the above method, we can uncover the persistence mechanisms employed by the malware, helping us understand how it maintains access to the system.

Q7: As part of its infection chain, the ransomware created specific tasks to ensure its continued operation. Recognizing these tasks is crucial for system restoration. What are the names of the tasks created by the ransomware during execution?
By using Any.Run to monitor the processes created by the malware, we can see that it generates two new scheduled tasks. These tasks are designed to execute the malware’s behavior, ensuring its persistence and continued activity on the system.


Q8: The malicious binary dispci.exe displayed a suspicious message upon execution, urging users to disable their defenses. This tactic aimed to evade detection and enable the ransomware's full execution. What suspicious message was displayed in the Console upon executing this binary?
By checking the dropped file on VirusTotal, we can obtain its hash. Using this hash in Any.Run, we can analyze its execution and observe what appears in the command prompt (cmd) during the malware's activity.



Q9: To modify the Master Boot Record (MBR) and encrypt the victim’s hard drive, the ransomware utilized a specific driver. Recognizing this driver is essential for understanding the encryption mechanism. What is the name of the driver used to encrypt the hard drive and modify the MBR?
To solve this challenge, I referred to an analysis blog about this malware, gaining insights that helped in understanding its behavior and techniques.

Q10: Investigators identified a driver file used by the ransomware for encryption. The hash of this file is a vital artifact for correlation with threat intelligence databases. What is the SHA256 hash of the critical driver file?
As shown in the provided image, we can identify the installation path of the driver file. To further analyze it, we retrieve its hash and check it on VirusTotal for additional threat intelligence.


Q11: Attribution is key to understanding the threat landscape. The ransomware was tied to a known attack group through its tactics, techniques, and procedures (TTPs). What is the name of the threat actor responsible for this ransomware campaign?
I leveraged MITRE ATT&CK to gather more insights about this malware and its associated threat actor.

Q12: The ransomware rendered the system unbootable by corrupting critical system components. Identifying the technique used provides insight into its destructive capabilities. What is the MITRE ATT&CK ID for the technique used to corrupt the system firmware and prevent booting?
By utilizing information from MITRE ATT&CK, we can identify the techniques used by the malware.
