Bad Rabbit Ransomware | VTI by Category
Try VMRay Analyzer
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 24
VTI Rule Type Default (PE, ...)
Detected Threats
Arrow Anti Analysis
Arrow
Dynamic API usage
Resolve above average number of APIs.
Arrow
Delay execution
One thread sleeps more than 5 minutes.
Arrow Device
Arrow
Control device
Control device "\\.\dcrypt" through API DeviceIOControl.
Control device "\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)" through API DeviceIOControl.
Control device "\\.\PhysicalDrive0" through API DeviceIOControl.
Arrow
Access physical drive
Access physical drive "\device\harddisk0\dr0".
Arrow File System
Arrow
Encrypt content of user files
Encrypt the content of multiple user files. This is an indicator for ransomware.
Arrow
Modify operating system directory
Create file "C:\Windows\infpub.dat" in the OS directory.
Create file "C:\Windows\cscc.dat" in the OS directory.
Create file "C:\Windows\dispci.exe" in the OS directory.
Create file "C:\Windows\41D0.tmp" in the OS directory.
Arrow Kernel
Arrow
Execute code with kernel privileges
Execute code with kernel privileges.
Arrow PE
Arrow
Drop PE file
Drop file "c:\windows\infpub.dat".
Drop file "c:\windows\cscc.dat".
Drop file "c:\windows\dispci.exe".
Drop file "c:\windows\41d0.tmp".
Arrow
Execute dropped PE file
Execute dropped file "c:\windows\dispci.exe".
Execute dropped file "c:\windows\41d0.tmp".
Arrow Persistence
Arrow
Install kernel driver
Install signed kernel driver with service name "cscc".
Arrow Process
Arrow
Create process with hidden window
The process "C:\Windows\system32\rundll32.exe" starts with hidden window.
The process "C:\Windows\system32\cmd.exe" starts with hidden window.
The process "C:\Windows\41D0.tmp" starts with hidden window.
Arrow
Create system object
Create mutex with name "9A1966663AD6FDE5".
Arrow
Read from memory of another process
"c:\windows\41d0.tmp" reads from "c:\windows\system32\lsass.exe".
- Browser
- OS
- Hide Tracks
- Information Stealing
- Injection
- Masquerade
- Network
- User
- VBA Macro
- YARA
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image