GuidePoint Security Ranked Among the Top 3 Security Technology Companies in the Greater Washington Region by the Washington Business Journal

GuidePoint Security has been ranked No. 3 for two consecutive years by the Washington Business Journal in its Largest Security Technology Companies List. The rankings were published Friday, Oct. 27th. To view the list, click here.

The companies were ranked by 2016 metro-area revenue. To be eligible, companies had to have a presence in Washington D.C. metro region, including Herndon, Va.

Founded in 2011 by cybersecurity industry veterans, GuidePoint is a trusted security expert for security technologies and professional services. The company differentiates itself through its organizational structure, technological expertise, unrivaled customer service, and a vendor-agnostic approach.

“What an honor this is,” noted Michael Volk, GuidePoint Security’s Founder and Managing Partner. “Our continued success is possible because of the tremendous pool of highly skilled and talented individuals who make up our company team.”

“Customer services has always been number one for all of us. Our high placement on this list, for the second consecutive year, is a testament to our team’s hard work, innovation, and commitment to always providing the best solutions for our federal and commercial customers.”

In addition to the Washington Business Journal’s Largest Security Technologies List, GuidePoint was recently ranked #57 on the Washington Business Journal’s Private Companies list. To view the list, click here.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at:

About the Washington Business Journal

The Washington Business Journal is the #1 print and online source for Greater Washington area business news and information on the most successful people, companies and transactions in the region. Every Friday, the Business Journal arrives with an in-depth lineup of breaking local news stories, business profiles and valuable industry rankings. From technology and sustainability to small business, biotech, hospitality, real estate and banking, the Business Journal covers the most relevant and timely topics for the local business community. takes the Washington Business Journal brand known for its insight, analysis and high journalistic standards and extends it to the Internet. Thousands of established and up and coming executives visit every day looking for the information they need to do business in the DC metro area.

BadRabbit Malware Analysis

Image Source:

Image Source

10.27.2017 UPDATE:  BadRabbit CnC Dormancy

Looks like the Threat Actors caged this “Killer Rabbit” for now.  Most of the servers and sites used by the hackers behind the ransomware appear to be taken out of service for no.[1]

Overview: On October 24, 2017, Bad Rabbit, a ransomware infection, a new variant of Petya, has hit a number of organizations in Russia and Ukraine.  First announced in a tweet, the Russian cybersecurity firm Group-IB said initially three media organizations in the country have been hit by file-encrypting malware. [2]

At the same time, Russian news agency Interfax said its systems have been affected by a “hacker attack”.

“Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience,” [3]
This new strain of ransomware, actively being used in the wild and code-named “BadRabbit”, disguises itself as an Adobe Flash installer in order to gain the user’s trust.  It reportedly uses EternalBlue and Mimikatz to steal passwords and spread in a “worm-like” fashion.

Once executed, the ransomware modifies the bootloader and encrypts the files on the user’s machine.  After the infection is complete BadRabbit presents the user a UI demanding a Bitcoin ransom payment in order to have the files unlocked.

The malware also has the capability to spread throughout the local network via SMB or limited credential brute force over Windows Management Instrumentation Command-line (WMIC) and PSExec after infecting the user’s machine.

Initial reports indicated the ransomware was targeting multiple Eastern-European countries including Ukraine, Russia, Turkey, and Bulgaria, however, additional reports of the ransomware have surfaced in South Korea, Japan, and the United States. Reports surfaced of attacks to government institutions, news agencies, and transportation organizations. The ransomware is reportedly being delivered through compromised legitimate websites – mainly news and media sites at the time of this writing.

Ukrainian organizations have posted about systems failing: payment systems on the Kiev Metro appear to have fallen victim to the attack, while in a statement on its Facebook page, Odessa International Airport said its information system had been hit by hackers.[4]

“We inform that the information system of the International Airport “Odessa” suffered a hacker attack,” a translation of the post says. [5]

On 24 OCT 2017 – 05:20PM, ESET announced that their telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and Ukraine, however, also there are reports of computers in Turkey, Bulgaria and other countries are affected. [6]

Bad Rabbit shares some similarities with Petya – the ransom note looks almost identical and it can also use SMB to propagate across the infected network. However, researchers say much of the code appears to have been rewritten in this case.

GPS Huntmasters

GuidePoint’s Forensic Intelligence Division, GPS Huntmasters, has had the opportunity to analyze a couple variants of the BadRabbit malware/ransomware.  Through this analysis this elite GuidePoint team was able to confirm additional (unannounced) IOCs [7] as well as documenting the software’s [8] behavior within our testing environments.

Technical Overview

BadRabbit has been distributed through malicious websites with fake Adobe Flash updates with popup (decision) boxes that the end user must execute.  After the user clicks on the malicious popup, the ransomware is downloaded (via http/https) to the victim in the form of a malicious windows binary (e.g., install_flash_player.exe). After execution, the file will require the user to accept a Windows User Account Control (UAC) popup granting the malware escalated rights to the system.

Once executed, the malware deploys the ransomware onto the user’s machine completely compromising the end-user.

Image: Group-IB [9]


The malware drops the file Infpub.dat, which is then executed by a rundll32 command. Infpub.dat will then create the files cscc.dat and dispci.exe within the C:\Windows directory. The file cscc.dat is actually a renamed file from the legitimate DiskCryptor program. These files are used to encrypt the disk and modify the bootloader preventing a normal bootup of Windows. A scheduled task is also created to ensure the dispci.exe file is run at bootup. Upon reboot, the user is presented with the Ransomware message demanding payment.

Landfall: BadRabbit

Although the USA and other western countries were not specifically targeted by this campaign, it is only a matter of time before BadRabbit will make US “Landfall”. In fact, according to cybersecurity and antivirus vendor Avast, BadRabbit has now been detected in the USA [10](2:44 PM – 24 Oct 2017).

Remember, BadRabbit attempts to spread through SMB. [11] It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords that is hard coded in the actual malware.

GuidePoint Forensic Analysis

On October 24, 2017 GuidePoint’s Forensic Intelligence team obtained and analyzed two samples of BadRabbit. The GuidePoint team has included a summary of our findings that may help future identification and of upcoming variants.

It should be noted that with each variant, file names and hash values may change depending on software variants and Threat Actor activity and strategy.

Analyst Note:  Although the tested samples were done in a forensically pure fashion BadRabbit did exhibit anti-forensic features and file deletion capabilities as noted in some “zero-byte file size” noted during our analysis and testing.

Samples Analyzed

File name: 9y6VPA4OK.exe
File size: 441899
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

File name: infpu.dll
File size: 410760
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

File name: 6CQZJL6EH.exe
File size: 142848
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Forensic Overview

This malware has multiple elements. Execution starts in the binary file that is responsible for dropping and installing other elements.

During testing, once launched initial malware dropped files and conducted the following;
• Clears the windows event log
• Clears the journal log
• Drops executables to the windows directory (C:\Windows) and starts them
• Shows the ability to spread by using its contained functionality to enumerate network
shares of other (attached) devices
• Uses shutdown.exe to shut down or reboot the system
• Contacts additional CnC servers
• Contains functionality to register a low-level keyboard hook
• Contains functionality to infect the boot sector
• File names are dynamically generated
**NOTE: Dropped files appear to be kernel level key loggers

Sample Analysis: fbbdc39af1139aebba4da004475e8839

Memory Analysis

Analysis of volatile memory (RAM) disclosed that there were URLs that were forensically resident during testing that are attributed to the binaries tested;

Noted Binary Activity

Uses schtasks.exe or at.exe to add and modify task schedules
C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Contains functionality which may be used to detect a debugger (GetProcessHeap)

CnC Connection Attempts:

Drops PE Files

Path:  C:\Windows\infpub.dat (zero byte file size)
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: 79116FE99F2B421C52EF64097F0F39B815B20907
SHA-256: 579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648

Binary Startup Activity

Test System is Windows 7 sp1

  • 9y6VPA4OKL.exe (PID: 3424 cmdline: ‘C:\Users\user\Desktop\9y6VPA4OKL.exe’ MD5: FBBDC39AF1139AEBBA4DA004475E8839)
  • rundll32.exe (PID: 3452 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3464 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3484 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3500 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 4038216979 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3520 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 15:25:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

 cleanup

Windows Behavior

– read attributes and synchronize and generic read
– read data or list directory and execute or traverse and synchronize

– read attributes and synchronize and generic read

– read data or list directory and execute or traverse and synchronize

Sample Analysis: 1d724f95c61f1055f0d02c2154bbccd3

Memory Analysis

Noted Binary Activity

Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN Rhaegal

Spawns processes
– C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR
‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST
– C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Drops PE Files

(Zero byte File Size)
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: B4D371272FE9C5A7C7936D32DEE609019CC24C31
SHA-256: FA6FE917BCB4F9CE5FE03B71F5E4AF392FB63A4DA4E142C691CCAF9042AB4DCE

Binary Startup Activity

 Test System is Windows 7 sp1

  • loaddll32.exe (PID: 3276 cmdline: loaddll32.exe ‘C:\Users\user\Desktop\infpub.dll’ MD5: D2792A55032CFE825F07DCD4BEC5F40F)
  • rundll32.exe (PID: 3284 cmdline: rundll32.exe C:\Users\user\Desktop\infpub.dll,#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3296 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3316 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3328 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3340 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 16:03:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

 cleanup

Windows Behavior


Sample Analysis: b14d8faf7f0cbcfad051cefe5f39645f

Memory Analysis

Analysis of volatile memory (RAM) disclosed that there were URLs that were forensically resident during testing that are attributed to the binaries tested;


Noted Binary Activity

Contains functionality to register a low-level keyboard hook
– SetWindowsHookExW 00000002,Function_00003FC0,00000000,00000000
Contains functionality for read data from the clipboard
Contains functionality to infect the boot sector
Detected the Windows Explorer process (often used for injection)
Connects to many different private IPs via SMB (likely to spread or exploit)

Drops PE Files

This file has been seen in most BadRabbit samples analyzed
C:\Windows\dispci.exe (zero byte file size)
File Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA-256: 8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
File name: cscc.dat
File size: 181448
MD5: b4e6d97dafd9224ed9a547d52c26ce02SHA1: 59cd4907a438b8300a467cee1c6fc31135757039SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806

Binary Startup Activity

 Test System is Windows 7 sp1

• 6CQZJL6EHc.exe (PID: 3464 cmdline: ‘C:\Users\user\Desktop\6CQZJL6EHc.exe’ MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)• cmd.exe (PID: 3492 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)• schtasks.exe (PID: 3512 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

 cleanup

Windows Behavior

– read attributes and synchronize and generic read
– read attributes and synchronize and generic read
– read data or list directory and execute or traverse and synchronize
– File attributes queried
– Return Compare (GetFileAttributesW) executed

BadRabbit Vaccine

According to Cyberreason, users can “vaccinate” their computers against BadRabbit. Note: GuidePoint has not tested this “vaccine” and all changes to any systems should be approved by your network administration teams and proper change control procedures should be followed before they are implemented.

An overview of the process contains two primary steps;
1. Create a file “C:\Windows\infpub.dat & C:\Windows\cscc.dat”
2. Go into the each of the files properties and remove all permissions to both files. When doing this, remove the inheritance so the files do not inherit the perms of the C:\Windows folder.

Detailed guide on setting up files with no permissions or a “BadRabbit Vaccine”.

BadRabbit IOCs

GuidePoint has identified additional IOCs during the course of the testing that should be incorporated into organizational defenses. These IOCs are provided below:



“*” Not previously identified and discovered by GuidePoint

HASH Values

– de5c8d858e6e41da715dca1c019df0bfb92d32c0
o install_flash_player.exe
– afeee8b4acff87bc469a6f0364a81ae5d60a2add
– fbbdc39af1139aebba4da004475e8839
o Dropper
– 1d724f95c61f1055f0d02c2154bbccd3
o infpub.dat
 the main DLL
– b4e6d97dafd9224ed9a547d52c26ce02
o cscc.dat
 legitimate driver used for the disk encryption (
– b14d8faf7f0cbcfad051cefe5f39645fo dispci.exe
 installs the bootlocker, communicates with the driver (cscc.dat)
– d41d8cd98f00b204e9800998ecf8427e (zero byte file size)



Tor Payment URL:- caforssztxqzf2nm[.]onion

Additional References warn-researchers/ ransomware/

Bad Rabbit ransomware

BadRabbit malware

Image Source:

Cited Resources







[7] IOCs were identified exclusively in the GuidePoint vSOC Spot Report; “Bad Rabbit Ransomware”, Update 1, October 25, 2017

[8] Malware is software that is designed to do malicious or unauthorized activity or have unauthorized functionality





Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.