# White Rabbit Continued: Sardonic and F5

**[lodestone.com/insight/white-rabbit-continued-sardonic-and-f5/](https://lodestone.com/insight/white-rabbit-continued-sardonic-and-f5/)**

[By Jason Daza](https://lodestone.com/bio/jason-daza/)

Key Contributors: [Manoj Khatiwada,](https://lodestone.com/bio/manoj-khatiwada/) [Paul Brunney,](https://lodestone.com/bio/paul-brunney/) [Michael Wirtz, and](https://lodestone.com/bio/mike-wirtz/) [Group-IB](https://www.group-ib.com/)


February 1, 2022


In December 2021, Lodestone published an article linking a previously unknown ransomware
group, White Rabbit, to the threat actor group FIN8 after observing striking similarities
between the two during an investigation. The subsequent efforts by the cybersecurity
community have brought together experts from around the world to “follow the White Rabbit,”
so to speak, and gain more insight into an emerging threat.

Since the time the last article was published, Lodestone has observed evidence that a new
version of FIN8’s BadHatch backdoor malware, Sardonic, has been deployed and seen in
use by White Rabbit. Lodestone experts have identified strong overlap between Sardonic
and this new backdoor malware, dubbed F5 and encountered as part of the investigation that
initially resulted in the discovery of the White Rabbit group.

## Sardonic vs F5


-----

Overall, the functionality of the Sardonic .NET assembly ( MDAC.dll ) and the F5 assembly
(“Default.dll”) have strong similarities. They both contain Rivest Cipher 4 (RC4) encrypted
shellcode, with the decryption key contained in the DLL, and both are compressed using
Gzip. In the samples recovered by Lodestone, the decryption key for the “MDAC.dll”
shellcode was 802d8B9Fe13f576163DEab429754cA0C, while the key for “Default.dll” was
15e280Ea9d63270Fb89763514cDCABf4. As reflected in the screen snippets below, the
decryption algorithms remained essentially unchanged.

_Sardonic Shellcode Decryption Routine_

F5 Shellcode Decryption Routine
Although the F5 and Sardonic backdoors appear to function nearly identically to each other,
some features of the PowerShell script and the .NET DLL mentioned in the Bitdefender
paper appear to have been removed; the PowerShell script no longer has an option to kill an
existing process, and the “4BMARC2WKL” marker prepending the shellcode in “MDAC.dll”
does not exist in “Default.dll”. Since these were minor features of the malware, Lodestone
could not determine why they may have been explicitly removed by the author.


-----

Sardonic PowerShell Script with Process Killing Functionality

F5 PowerShell Script without Process Killing Functionaliity
Another observation Lodestone made during the investigation was a change in the method
name executed by the PowerShell script. In Sardonic, the method used was
“MSDAC.PerfOSChecker::StartCheck”; however, in F5, the name was changed to
“o5518470.kfC09272::p65E1a71”. Lodestone did not observe evidence of threat actors
creating a new Windows Management Instrumentation (WMI) consumer for the F5
PowerShell script. It is possible that efforts to configure F5 to establish this persistence were
abandoned once a decision was made deploy ransomware.


-----

Program Database PDB

Paths for MDAC.dll and Default.dll
Lodestone encountered some difficulties in the analysis of “Default.dll” which hampered
progress. What Lodestone has determined thus far, however, is that, like the shellcode in
“MDAC.dll”, the “Default.dll” shellcode first checks the name of its parent process. If the
parent process is “powershell.exe”, the shellcode will open “lsass.exe” with
SeDebugPrivilege and copies its system token. Then, it creates a child process,
“WmiPrvSE.exe”, with system privileges to enable it to inject its own code and run with
elevated privileges. The malware then generates a 32-byte hardware ID based on the
computer name and C volume serial number. The system time and hardware ID are then
encrypted with a custom algorithm and placed into a 64-byte buffer before an attempt is
made to connect to the C2 server. If the malware is unable to reach the C2 server after five
attempts, it will terminate itself.

Unsuccessful attempts to reach the C2 server

## Evidence of a Human Operator

Interestingly, Lodestone may have found evidence supporting Bitdefender’s belief that the
Sardonic or F5 loader is copied to the victim’s machine via a manual process instead of
automation. The logs Lodestone analyzed during the course of its investigation show that the
filename of the URL hosting the malware was always a random, 6-character alphanumeric
string that changed nearly every time the command was run. In one of the events, however,
Lodestone noticed that the filename contained seven characters. The PowerShell log in the
image below shows a command to download a file from hxxps://104-168-20126.sslip[.]io/36d851e. Roughly one minute later, another command was run to download a


-----

file from hxxps://104-168-201-26.sslip[.]io/6d851e. Lodestone believes that the command
was likely tasked or ran interactively; following the failure, the command was likely re-tasked
to fit the aforementioned 6-character URL target.

PowerShell with a Typo

PowerShell with the Typo Corrected

## White Rabbit

When Lodestone first acquired a sample of the ransomware, its experts observed that it was
highly obfuscated, had strange file extensions (.physiat and .uderro), and used an invalid
digital certificate. Additionally, Lodestone determined that the malware checked the
command line arguments using “-f”, “-l”, “-p”, and “-t” flags.


-----

Manually Decrypted Ransomware Strings
Lodestone’s theory that the “-p” flag was for the password used to decrypt the payload was
confirmed by a Trend Micro article on White Rabbit, as Lodestone’s sample used the same
passphrase as the sample analyzed by Trend Micro. The other flags allow an operator to
specify which files (-f) to encrypt, an output (-l) for a log file, and a start time (-t) to begin
encryption (if no time is specified the ransomware executes immediately). Once the malware
completes its encryption function it executes a self-deletion function using the command:

cmd /c choice /t 9 /d y & attrib -h \”[fname]\” & del \”[fname]\”

Certificate Used by White Rabbit


-----

Lodestone continues to monitor the situation for any further developments and would like to
thank its partners at Group-IB for their contributions to this investigation. To learn more about
[Group-IB, visit the following link: https://www.group-ib.com/.](https://www.group-ib.com/)

## Indicators of Compromise

 IP Addresses

64.44.131[.]34
91.90.194[.]30
104.168.132[.]128
170.130.55[.]120

## Domains

91-90-194-30.sslip[.]io
104-168.132[.]128.nip[.]io

## URLs

 Filenames

“default.dll”
“l.exe”
“z.exe”

## Hash Values

655c3c304a2fe76d178f7878d6748439 (“default.dll”)
6ffa106ac8d923ca32bc6162374f488b (Sardonic PowerShell script)
fb3de0512d1ee5f615edee5ef3206a95 (Sardonic x86 DLL)
4a03238e31e3e90b38870ffc0a3ceb3b (Sardonic x64 DLL)
Beffdd959b1f7e11e1c2b31af2804a07 (F5 PowerShell script)
d9f5a846726f11ae2f785f55842c630f (F5 x86 DLL)
087f82581b65e3d4af6f74c8400be00e (F5 x64 DLL)
e49fe89435297f1bca1377053eaa6ded (White Rabbit ransomware)

## YARA Rules

rule fin8_powershell_dll_loader

{


-----

meta:

author = “Dmitry Kupin”

company = “Group-IB”

date = “2021-12-28

description = “Powershell .NET DLL Loader”

sample_private =
“adac9106216e6d2eb2a6d1a0a01d7286dddd6bafdab9eb1cd182dd49924663a2”

strings:

/* if([IntPtr]::size -eq 4){ */

$s0 = { 3D 69 66 28 5B 49 6E 74 50 74 72 5D 3A 3A 73 69 7A 65 20 2D 65 71 20 34 29 7B
}

/* [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String( */

$s1 = { 5B 53 79 73 74 65 6D 2E 52 65 66 6C 65 63 74 69

6F 6E 2E 41 73 73 65 6D 62 6C 79 5D 3A 3A 4C 6F

61 64 28 5B 53 79 73 74 65 6D 2E 43 6F 6E 76 65

72 74 5D 3A 3A 46 72 6F 6D 42 61 73 65 36 34 53

74 72 69 6E 67 28 }

condition:

all of them

}

rule fin8_dotnet_shellcode_loader

{

meta:

author = “Dmitry Kupin”

company = “Group-IB”

date = “2021-12-28


-----

description = Sardonic Shellcode Loader

sample = “03e8b29ad5055f1dda1b0e9353dc2c1421974eb3d0a115d0bb35c7d76f50de20” /*
Default.dll (x86) */

sample = “4ee21b5fd8597e494ae9510f440a1d5bbcdb01bc653226e938df4610ee691f3a” /*
Default.dll (x64) */

strings:

$pdb1 = “C:\\Users\\dev_win10_00\\Documents\\f5\\F5Utility\\LoaderAssembly\\obj\\ ” nocase
ascii

$s0 = “Default.dll” fullword wide

$s1 = “12F9333185494642C1587A546D2287C1A4C01A2A” fullword ascii

$s2 = “05F6DF120FF54415A6B75A4B1894A83C6D865030” fullword ascii

$s3 = “78893E31FF10BDE2CBCB8A51664788D7DC0FC194” fullword ascii

$s4 = “15e280Ea9d63270Fb89763514cDCABf4” fullword ascii

condition:

2 of them

}

rule fin8_shellcode_memory

{

meta:

author = “Dmitry Kupin”

company = “Group-IB”

date = “2021-12-28

description = “Sardonic Shellcode(in the memory)”

strings:

$h_x86 = { E8 00 00 00 00 5F B9 [2] 00 00 [2] 30 ?? 0F 17 00 00 00 02 ?? 0F 17 00 00 00
E2 F0 }


-----

/

*a1 = ((*a1 ^ (*a1 << 6)) >> 13) ^ (*a1 << 18) & 0xFFF80000;

*a2 = (4 * *a2) & 0xFFFFFFE0 ^ (((4 * *a2) ^ *a2) >> 27);

*a3 = ((*a3 ^ (*a3 << 13)) >> 21) ^ (*a3 << 7) & 0xFFFFF800;

v4 = (*a4 << 13) & 0xFFF00000 ^ ((*a4 ^ (8 * *a4)) >> 12);

*/

$chunk_x86 = { 89 3A 8B 03 8D 3C 85 ?? ?? ?? ?? 31 F8 83 E7 E0

C1 E8 1B 31 F8 89 03 8B 39 89 F8 C1 E0 0D 31 F8

C1 E7 07 C1 E8 15 81 E7 00 F8 FF FF 31 C7 89 39

8B 3E 8D 04 FD ?? ?? ?? ?? 31 F8 C1 E7 0D 81 E7

00 00 F0 FF C1 E8 0C 31 F8 }

$h_x64 = { 41 [2] 48 C7 C1 [2] 00 00 4C 8D [2] 00 00 00 45 30 }

/*

*a1 = (*a1 << 18) & 0xFFF80000 ^ ((*a1 ^ (*a1 << 6)) >> 13);

*a2 = (4 * *a2) & 0xFFFFFFE0 ^ (((4 * *a2) ^ *a2) >> 27);

*a3 = (*a3 << 7) & 0xFFFFF800 ^ ((*a3 ^ (*a3 << 13)) >> 21);

v4 = (*a4 << 13) & 0xFFF00000 ^ ((*a4 ^ (8 * *a4)) >> 12);

*/

$chunk_x64 = { 89 01 8B 02 44 8D 14 85 ?? ?? ?? ?? 44 31 D0 41

83 E2 E0 C1 E8 1B 44 31 D0 89 02 45 8B 10 44 89

D0 C1 E0 0D 44 31 D0 41 C1 E2 07 41 81 E2 00 F8

FF FF C1 E8 15 44 31 D0 41 89 00 45 8B 11 42 8D

04 D5 ?? ?? ?? ?? 44 31 D0 41 C1 E2 0D C1 E8 0C

41 81 E2 00 00 F0 FF 44 31 D0 }

condition:


-----

any of them

}

## Additional Information and References

Michael Gillespie’s White Rabbit announcement on Twitter:

[https://twitter.com/demonslay335/status/1470823608725475334](https://twitter.com/demonslay335/status/1470823608725475334)

[DOWNLOAD PDF](https://lodestone.com/wp-content/uploads/2022/02/White-Rabbit-Continued-Sardonic-and-F5-copy.pdf)


-----