Source: kaspersky.com

Here is my growing collection of intel collected on the BadRabbit Ransomware currently spreading.

 

Git repo: https://github.com/infoskirmish/BadRabbit

Includes source code for the onion payment site (with the plain-text JS payload).

BadRabbit .onion payment site: caforssztxqzf2nm.onion

In-depth analysis: https://securelist.com/bad-rabbit-ransomware/82851/

Windows “vaccine”: https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware

Public Key:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ
+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83
hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpR
hV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdw
H1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW
9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWf
SBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB
Source: https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/
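The blob above is a base64 SubjectPublicKeyInfo. The following is an added example (mine, not from Malwarebytes or the BadRabbit repo) that decodes it with a minimal DER walker from the standard library only, checks that the algorithm OID is rsaEncryption, and pulls out the modulus size and public exponent, so you know exactly what key you are looking at. The base64 is copied verbatim from the lines above; everything else is mine.

```python
import base64

# The SPKI base64 as quoted on this page (Malwarebytes), joined across its line breaks.
BADRABBIT_SPKI_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ"
    "+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83"
    "hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpR"
    "hV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdw"
    "H1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW"
    "9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWf"
    "SBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB"
)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def der_read(buf, pos):
    """Read one DER TLV starting at pos. Returns (tag, value_bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _expect(cond, msg):
    if not cond:
        raise ValueError(msg)

def parse_rsa_spki(b64):
    """Walk SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey { n, e } } }."""
    der = base64.b64decode(b64)
    tag, spki, _ = der_read(der, 0)
    _expect(tag == 0x30, "SPKI is not a SEQUENCE")
    tag, alg, after_alg = der_read(spki, 0)
    _expect(tag == 0x30, "AlgorithmIdentifier is not a SEQUENCE")
    oid_tag, oid, _ = der_read(alg, 0)
    _expect(oid_tag == 0x06 and oid == RSA_OID, "algorithm is not rsaEncryption")
    tag, bitstr, _ = der_read(spki, after_alg)
    _expect(tag == 0x03 and bitstr[0] == 0, "public key BIT STRING has unused bits")
    tag, rsa, _ = der_read(bitstr, 1)     # skip the unused-bits octet
    _expect(tag == 0x30, "RSAPublicKey is not a SEQUENCE")
    tag, n_bytes, after_n = der_read(rsa, 0)
    _expect(tag == 0x02, "modulus is not an INTEGER")
    tag, e_bytes, _ = der_read(rsa, after_n)
    _expect(tag == 0x02, "exponent is not an INTEGER")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"der_len": len(der), "modulus_bits": n.bit_length(), "exponent": e, "modulus": n}

if __name__ == "__main__":
    info = parse_rsa_spki(BADRABBIT_SPKI_B64)
    print(f"DER bytes: {info['der_len']}, RSA-{info['modulus_bits']}, e={info['exponent']}")
```

If the base64 had been mangled in copying, the length fields would no longer line up and the walker raises instead of reporting a plausible-looking key; that is the check worth running before you paste a key from a blog post into any tooling.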

Directories exempted from encryption:
\Windows
\Program Files
\ProgramData
\AppData

File types that will be encrypted:
3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab cc cer cfg conf cpp crt cs ctl cxx dbf der dib disk djvu doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx xml xvd zip
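To turn the two lists above into something you can run against a file server or a user profile (for example to size the blast radius before the weekend, or to place canary files where the malware will look), here is an added example of my own, not code from the page's sources or from the BadRabbit binary. It reproduces the selection rule as the page states it: listed extension, compared case-insensitively, and not under any of the four exempt directory names. The sample directory tree is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Directory names the page lists as exempt from encryption; matched as path components.
EXCLUDED_DIRS = {"Windows", "Program Files", "ProgramData", "AppData"}

# Extensions the page lists as encrypted; compared case-insensitively, without the dot.
TARGET_EXTENSIONS = set("""
3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab cc cer cfg conf cpp crt cs
ctl cxx dbf der dib disk djvu doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe
jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm odp ods odt ora ost ova ovf
p12 p7b p7c pdf pem pfx php pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb
rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd vhd vhdx vmc vmdk vmsd vmtm
vmx vsdx vsv work xls xlsx xml xvd zip
""".split())

def is_excluded(rel_path):
    """True if any directory component of rel_path is one of the exempt names."""
    return any(part in EXCLUDED_DIRS for part in Path(rel_path).parts[:-1])

def is_target(rel_path):
    """True if the file would be encrypted: listed extension and not under an exempt directory."""
    ext = Path(rel_path).suffix[1:].lower()
    return bool(ext) and ext in TARGET_EXTENSIONS and not is_excluded(rel_path)

def find_targets(root):
    """Walk root and return the relative paths (forward slashes) of at-risk files, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune exempt directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if is_target(rel):
                hits.append(rel)
    return sorted(hits)

# Constructed sample tree (not from the page) covering the interesting cases:
# upper-case extensions, exempt directories at different depths, files with no extension.
SAMPLE_FILES = [
    "Users/alice/Documents/report.docx",      # target
    "Users/alice/Documents/notes.TXT",        # txt is not in the list
    "Users/alice/AppData/Roaming/keys.kdbx",  # listed extension, but under AppData
    "Users/bob/Desktop/backup.bak",           # target
    "Windows/System32/config.xml",            # exempt directory
    "Program Files/App/settings.cfg",         # exempt directory
    "ProgramData/App/data.sql",               # exempt directory
    "Projects/main.c",                        # target
    "Projects/main.py",                       # target
    "vm/disk.vmdk",                           # target
    "archive.ZIP",                            # target, upper-case extension
    "README",                                 # no extension
]

def demo():
    """Build the sample tree in a temp dir and return what find_targets selects."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_FILES:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"sample")
        return find_targets(root)

if __name__ == "__main__":
    for path in demo():
        print(path)
```

Point find_targets at a real share root to get an inventory; note that the directory names are matched wherever they occur in the path, which is the only reading the page's list supports.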

Spreading via SMB
Win32/Diskcoder.D has the ability to spread via SMB. Contrary to some public claims, it does not use the EternalBlue vulnerability the way the Win32/Diskcoder.C (NotPetya) outbreak did. First, it scans the internal network for open SMB shares. It looks for the following names (apart from admin, which is the ADMIN$ share, these are RPC named pipes reached through IPC$): admin atsvc browser eventlog lsarpc netlogon ntsvcs spoolss samr srvsvc scerpc svcctl wkssvc
Source: https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
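The behaviour described above, one source touching many of those names on many hosts in a short time, is what you would hunt for in SMB telemetry. Here is an added detection example of my own (not from ESET's write-up and not a production rule): it takes share/pipe access records, keeps only the names on the page's list, and flags any source that reaches a threshold of distinct names across a threshold of distinct targets inside a sliding time window. The record format and the sample lines are constructed for the demo; map your own share-access events into it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Names the page says BadRabbit probes over SMB. Apart from "admin" (the ADMIN$ share)
# these are RPC named pipes reached through the IPC$ share.
BADRABBIT_PIPES = {
    "admin", "atsvc", "browser", "eventlog", "lsarpc", "netlogon", "ntsvcs",
    "spoolss", "samr", "srvsvc", "scerpc", "svcctl", "wkssvc",
}

# Constructed records, one per share/pipe access: "<ISO timestamp> <src> <dst> <name>".
# Not a real log format. 10.0.0.5 sweeps four hosts in seconds; 10.0.0.9 is an admin
# touching svcctl on two hosts; 10.0.0.20 is a print client; MsFteWds is an unlisted name.
SAMPLE_LINES = """
2017-10-24T09:00:01 10.0.0.5 10.0.0.11 srvsvc
2017-10-24T09:00:01 10.0.0.5 10.0.0.11 svcctl
2017-10-24T09:00:02 10.0.0.5 10.0.0.11 atsvc
2017-10-24T09:00:02 10.0.0.5 10.0.0.12 srvsvc
2017-10-24T09:00:03 10.0.0.5 10.0.0.12 samr
2017-10-24T09:00:03 10.0.0.5 10.0.0.12 lsarpc
2017-10-24T09:00:04 10.0.0.5 10.0.0.13 wkssvc
2017-10-24T09:00:04 10.0.0.5 10.0.0.13 spoolss
2017-10-24T09:00:05 10.0.0.5 10.0.0.14 netlogon
2017-10-24T09:00:06 10.0.0.5 10.0.0.14 MsFteWds
2017-10-24T09:00:10 10.0.0.9 10.0.0.11 svcctl
2017-10-24T09:00:12 10.0.0.9 10.0.0.12 svcctl
2017-10-24T09:01:00 10.0.0.20 10.0.0.30 spoolss
2017-10-24T09:30:00 10.0.0.5 10.0.0.15 srvsvc
""".strip().splitlines()

def parse_line(line):
    ts, src, dst, name = line.split()
    return datetime.fromisoformat(ts), src, dst, name.lower()

def find_pipe_sweeps(lines, window=timedelta(minutes=5), min_pipes=5, min_hosts=3):
    """Flag sources that touch >= min_pipes distinct listed names on >= min_hosts distinct
    targets within any single window. Returns {src: {"hosts": [...], "pipes": [...]}}."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, name = parse_line(line)
        if name in BADRABBIT_PIPES:          # names the page does not list are ignored
            by_src[src].append((ts, dst, name))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so events[start..end] all fall inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            pipes = {name for _, _, name in span}
            if len(hosts) >= min_hosts and len(pipes) >= min_pipes:
                hit = alerts.setdefault(src, {"hosts": set(), "pipes": set()})
                hit["hosts"] |= hosts
                hit["pipes"] |= pipes
    return {src: {k: sorted(v) for k, v in hit.items()} for src, hit in alerts.items()}

if __name__ == "__main__":
    for src, hit in find_pipe_sweeps(SAMPLE_LINES).items():
        print(f"{src}: {len(hit['hosts'])} hosts, pipes={','.join(hit['pipes'])}")
```

The thresholds are deliberately conservative defaults; tune min_hosts against your own management hosts, which legitimately hit svcctl or srvsvc on many machines, and keep the lone 09:30 event in the sample as a reminder that a single late probe outside the window should not re-trigger.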

News samples:
BadRabbit ransomware attacks multiple media outlets
Bad Rabbit Ransomware Outbreak Hits Eastern Europe
Bad Rabbit – A new Petya ransomware variant
Bad Rabbit: A new ransomware epidemic is on the rise

File Size : 142,848
MD5 : b14d8faf7f0cbcfad051cefe5f39645f
SHA1 : afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256 : 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Fuzzy : 3072:1keK/MwGT0834YW3pvyh8fcl/iL62iL6KK:Sn/MZd4YW3pvyxl/ini
Magic : PE32 executable for MS Windows (console) Intel 80386 32-bit
Import Hash : 94f57453c539227031b918edd52fc7f1
Compiled Time : Sun Oct 22 02:33:09 2017 UTC

PE sections (5):
Name    Size    MD5
.text   72,192  0fa851de532b3dd96e1578a1fe912cea
.rdata  16,896  e69552feb958791e5d7283cd1e9f0b0b
.data    6,656  dc53a4c1670b55450713e13adc573c51
.rsrc   39,936  538045e89d3956ece75779bbffedb57f
.reloc   6,144  664441acad88cda5370381c965d187ab

Source: https://www.carbonblack.com/2017/10/24/threat-advisory-analysis-bad-rabbit-ransomware/
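To compare a suspect file against the block above you need the same fields it shows: file hashes, the COFF compile timestamp, and per-section sizes and MD5s. Here is an added example of my own (not Carbon Black's tooling) that produces them with the standard library only, parsing the PE headers by hand; import hashing is left out. The PAGE_IOCS values are copied from the block above. Because the real sample is not on the page, the demo runs on a constructed two-section PE skeleton whose only borrowed value is the compile timestamp; none of its hashes match, which is the expected result.

```python
import hashlib
import struct
import sys
from datetime import datetime, timezone

# File-level hashes quoted on this page for the BadRabbit dropper.
PAGE_IOCS = {
    "md5": "b14d8faf7f0cbcfad051cefe5f39645f",
    "sha1": "afeee8b4acff87bc469a6f0364a81ae5d60a2add",
    "sha256": "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
}

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def parse_pe(data):
    """Read e_lfanew, the COFF file header and the section table of a PE image.
    Returns the compile timestamp (rendered like the page) and per-section
    (name, SizeOfRawData, MD5 of the raw section bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        # IMAGE_SECTION_HEADER begins: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData (each entry is 40 bytes in total)
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, md5_hex(raw)))
    return {"compiled": compiled, "sections": sections}

def summarize(data):
    """Same fields as the page's IOC block: size, MD5/SHA1/SHA256, compile time, sections."""
    info = {
        "size": len(data),
        "md5": md5_hex(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    info.update(parse_pe(data))
    return info

def matches_page_iocs(summary):
    """Names of the page's file hashes that the summary reproduces; empty set means not this sample."""
    return {k for k, v in PAGE_IOCS.items() if summary.get(k) == v}

# Constructed stand-in so the parser runs offline: a minimal two-section PE skeleton.
# It is NOT the BadRabbit sample; only its TimeDateStamp copies the page's compile time.
FAKE_TEXT = b"\x90" * 16 + b"\xc3"            # 17 bytes: NOP sled + RET
FAKE_DATA = b"constructed .data section\0"     # 26 bytes
FAKE_STAMP = 1508639589                       # 2017-10-22 02:33:09 UTC

def build_fake_pe():
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew at 0x3C points to 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, FAKE_STAMP, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    text_ptr = 0x40 + 4 + 20 + 2 * 40                           # raw data follows the headers
    data_ptr = text_ptr + len(FAKE_TEXT)
    hdr = struct.Struct("<8sIIIIIIHHI")
    sect = hdr.pack(b".text", len(FAKE_TEXT), 0x1000, len(FAKE_TEXT), text_ptr, 0, 0, 0, 0, 0x60000020)
    sect += hdr.pack(b".data", len(FAKE_DATA), 0x2000, len(FAKE_DATA), data_ptr, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + sect + FAKE_TEXT + FAKE_DATA

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe()
    s = summarize(blob)
    for k in ("size", "md5", "sha1", "sha256", "compiled"):
        print(f"{k:9}: {s[k]}")
    for name, size, digest in s["sections"]:
        print(f"{name:8} {size:8,d}  {digest}")
    print("page IOC match:", sorted(matches_page_iocs(s)) or "none")
```

Run it with a path to get the same table for a real file; the per-section MD5s are the useful part when a repacked variant keeps the sha256 from matching but leaves .text or .rsrc untouched.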