BadRabbit malware


Another day, another supposedly large scale malware attack. This time it’s called BadRabbit.


  • 2017-10-25 : Detection methods (Windows events)
  • 2017-10-25 : YARA rules
  • 2017-10-25 : Removed spreading via Eternalblue
  • 2017-10-25 : Removed Petya link


Based on the information from ESET the malware targets

  • transportation organizations
  • governmental organizations
  • media outlets
  • Russia
  • fewer attacks in Ukraine, Turkey and Germany

Delivery (detect and prevent)

The malware is delivered via a fake Adobe Flash update (drive-by attack)

  • hxxp:// (block this URL)
  • hxxp:// (block this URL)
  • afeee8b4acff87bc469a6f0364a81ae5d60a2add
  • de5c8d858e6e41da715dca1c019df0bfb92d32c0

According to Kaspersky you should block the execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat. Disable the WMI service (if that is possible in your environment) to prevent the malware from spreading over your network.

Prevention / vaccination tip : instead of blocking execution you can also preventively create the files (infpub.dat and cscc.dat) and remove all permissions (everyone: deny).
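The vaccination tip above, written out as an added PowerShell example (not part of the original post or of any vendor guidance): it pre-creates both file paths named in the post under %SystemRoot%, strips inherited permissions and adds an explicit deny-all rule for Everyone (SID S-1-1-0). Run it from an elevated prompt. Because the deny also applies to administrators, undoing it later means taking ownership of the file or removing the deny entry first; that trade-off is an assumption of this script, not something the post discusses.

```powershell
# Added example (not from the original post): create empty placeholder files at
# the two paths named in the post and deny all access to Everyone, so the
# malware cannot write its payload there. Requires an elevated prompt.

$vaccineFiles = @(
    "$env:SystemRoot\infpub.dat",
    "$env:SystemRoot\cscc.dat"
)

# Well-known SID for the Everyone group; avoids locale-specific group names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

foreach ($path in $vaccineFiles) {
    # Create an empty placeholder only if nothing is there yet. If a file already
    # exists, leave its contents alone; a real infpub.dat is itself an indicator.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $path

    # Stop inheriting from C:\Windows and discard the inherited entries, so the
    # explicit deny below is the only access rule on the file.
    $acl.SetAccessRuleProtection($true, $false)

    $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @(
            $everyone,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Deny
        )
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl

    Write-Host "Vaccinated: $path"
}

# Verification: show the resulting ACL for each placeholder. Expect a single
# Deny / FullControl entry for Everyone and nothing else.
foreach ($path in $vaccineFiles) {
    Write-Host "ACL for $path"
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Deploying this through a GPO startup script or your endpoint management tool covers the fleet in one pass; the verification loop at the end is what you would capture as evidence that the control is actually in place on each host.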

Because the malware also clears the Windows event log and creates scheduled tasks, you should look for these Windows events:

  • 1106 (clear audit log)
  • 106 (new task created), with name drogon, rhaegal
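A local hunt for the two indicators listed above, as an added PowerShell example that is not part of the original post. Event IDs 1106 and 106 and the task names drogon and rhaegal are taken from the post; Security event 1102 (audit log cleared) and Security event 4698 (a scheduled task was created) are standard Windows audit events added here on the assumption that the same activity is also recorded under those IDs. Task Scheduler event 106 only exists if the Microsoft-Windows-TaskScheduler/Operational log is enabled, and 4698 only if "Audit Other Object Access Events" is turned on; the parameter names and the 24-hour default window are choices of this script.

```powershell
# Added example (not from the original post): look for cleared audit logs and
# for scheduled tasks named drogon or rhaegal on one host, over a time window.
# Usage: .\Find-BadRabbitEvents.ps1 -HoursBack 48 -ComputerName HOST01
param(
    [int]$HoursBack = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since        = (Get-Date).AddHours(-$HoursBack)
$suspectTasks = @('drogon', 'rhaegal')   # task names given in the post
$findings     = @()

# 1) Log clearing. 1106 is the ID given in the post; 1102 is the standard
#    "audit log was cleared" Security event (assumption that both are relevant).
$cleared = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 1102, 1106
    StartTime = $since
}
foreach ($e in @($cleared)) {
    if ($null -eq $e) { continue }
    $findings += [pscustomobject]@{
        Time    = $e.TimeCreated
        Log     = 'Security'
        EventId = $e.Id
        Detail  = 'Audit log cleared'
    }
}

# 2) Scheduled task registration. 106 (Task Scheduler operational log) is from
#    the post; 4698 (Security) is the standard audit event for task creation.
$taskQueries = @(
    @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106;  StartTime = $since },
    @{ LogName = 'Security';                                     Id = 4698; StartTime = $since }
)
foreach ($q in $taskQueries) {
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable $q
    foreach ($e in @($events)) {
        if ($null -eq $e) { continue }
        # Both events carry the task name in an EventData field called TaskName;
        # fall back to the rendered message if the field is missing.
        $xml      = [xml]$e.ToXml()
        $taskName = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
        if (-not $taskName) { $taskName = $e.Message }
        foreach ($name in $suspectTasks) {
            if ($taskName -match "(?i)\b$name\b") {
                $findings += [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Log     = $q.LogName
                    EventId = $e.Id
                    Detail  = "Scheduled task '$taskName' created"
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No BadRabbit event indicators in the last $HoursBack hours on $ComputerName."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
}
```

Note that a cleared log is itself the finding: if the Security log was wiped, the 4698 events that preceded it are gone, which is why the Task Scheduler operational log and any forwarded copy of these events (Windows Event Forwarding or your SIEM) are worth checking separately. `-ErrorAction SilentlyContinue` keeps the script quiet when a log has no matching events, but it will also hide access errors against a remote host, so run it with credentials that can read the Security log.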

Additional indicators are available via

There is a set of YARA rules available via


No exploit takes place: the user has to manually download the file (drive-by attack) and confirm execution.


The malware requires elevated privileges to run, and uses a Windows UAC prompt to obtain them.

Once installed via the fake Flash update, it will save C:\Windows\infpub.dat and launch it using rundll32. The malware uses Mimikatz to gather system credentials but also contains a set of hardcoded credentials (full list available via ). It will then use these credentials to spread further through the network (via WMIC).

infpub.dat encrypts the files (like typical ransomware), installs dispci.exe and launches it via a scheduled task. dispci.exe (DiskCryptor) is a disk encryptor that also modifies the bootloader, preventing a normal boot process after a restart.

According to Costin Raiu it targets a similar, but not entirely identical, set of file extensions.

BadRabbit Mindmap

Source :


One thought on "BadRabbit malware"

  1. There is so much malware that can be solved if you have a proper solution for that. I really don't have any idea about BadRabbit malware. But I recently faced a malfunction in my Gmail, and I fixed the problem. The thing is, after fixing it my Canon printer doesn't work. It says low ink level. For that issue, I hope you find a suitable solution.
