elf.babuk

Babuk


ESX and NAS modules for Babuk ransomware.

References
2022-09-28vmwareGiovanni Vigna
@online{vigna:20220928:esxitargeting:bd1ce9a,
  author       = {Giovanni Vigna},
  title        = {{ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)}},
  organization = {vmware},
  date         = {2022-09-28},
  url          = {https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html},
  urldate      = {2022-10-10},
  language     = {English},
}
ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)
Avoslocker Babuk Black Basta BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit Luna RansomEXX RedAlert Ransomware REvil
2022-03-24SentinelOneAntonio Cocomazzi
@techreport{cocomazzi:20220324:ransomware:be706fa,
  author      = {Antonio Cocomazzi},
  title       = {{Ransomware Encryption Internals: A Behavioral Characterization}},
  institution = {SentinelOne},
  date        = {2022-03-24},
  url         = {https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf},
  urldate     = {2022-03-25},
  language    = {English},
}
Ransomware Encryption Internals: A Behavioral Characterization
Babuk Babuk BlackMatter
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9,
  author       = {CrowdStrike Intelligence Team},
  title        = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}},
  organization = {CrowdStrike},
  date         = {2021-10-12},
  url          = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/},
  urldate      = {2021-11-02},
  language     = {English},
}
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-10S2W LAB Inc.S2W TALON
@online{talon:20210910:groove:3dab88b,
  author       = {S2W TALON},
  title        = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}},
  organization = {S2W LAB Inc.},
  date         = {2021-09-10},
  url          = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d},
  urldate      = {2021-09-14},
  language     = {English},
}
Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter Babuk BlackMatter
2021-09-09Advanced IntelligenceYelisey Boguslavskiy, Anastasia Sentsova
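@online{boguslavskiy:20210909:groove:f678f6d,
  author       = {Yelisey Boguslavskiy and Anastasia Sentsova},
  title        = {{Groove VS Babuk; Groove Ransom Manifesto \& RAMP Underground Platform Secret Inner Workings}},
  organization = {Advanced Intelligence},
  date         = {2021-09-09},
  url          = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings},
  urldate      = {2021-09-12},
  language     = {English},
}
Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings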
Babuk Babuk
2021-09-08Medium s2wlabS2W TALON
@online{talon:20210908:grooves:64ea498,
  author       = {S2W TALON},
  title        = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}},
  organization = {Medium s2wlab},
  date         = {2021-09-08},
  url          = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2},
  urldate      = {2021-09-12},
  language     = {English},
}
Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter Babuk BlackMatter
2021-09-08McAfeeMax Kersten, John Fokker, Thibault Seret
@online{kersten:20210908:how:5c39aac,
  author       = {Max Kersten and John Fokker and Thibault Seret},
  title        = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}},
  organization = {McAfee},
  date         = {2021-09-08},
  url          = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/},
  urldate      = {2021-09-12},
  language     = {English},
}
How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-01Medium s2wlabS2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
@online{team:20210901:blackmatter:6a2a025,
  author       = {S2W LAB INTELLIGENCE TEAM and Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim and Chaewon Moon},
  title        = {{BlackMatter x Babuk : Using the same web server for sharing leaked files}},
  organization = {Medium s2wlab},
  date         = {2021-09-01},
  url          = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751},
  urldate      = {2021-09-06},
  language     = {English},
}
BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter Babuk BlackMatter
2021-08-30CrowdStrikeMichael Dawson
@online{dawson:20210830:hypervisor:81ca39b,
  author       = {Michael Dawson},
  title        = {{Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware}},
  organization = {CrowdStrike},
  date         = {2021-08-30},
  url          = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/},
  urldate      = {2021-08-31},
  language     = {English},
}
Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware
Babuk HelloKitty REvil
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696,
  author      = {Threat Hunter Team},
  title       = {{The Ransomware Threat}},
  institution = {Symantec},
  date        = {2021-08-15},
  url         = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
  urldate     = {2021-12-15},
  language    = {English},
}
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-07-04Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210704:babuk:3ba79a8,
  author       = {Marco Ramilli},
  title        = {{Babuk Ransomware: The Builder}},
  organization = {Marco Ramilli's Blog},
  date         = {2021-07-04},
  url          = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/},
  urldate      = {2021-07-06},
  language     = {English},
}
Babuk Ransomware: The Builder
Babuk Babuk
Yara Rules
[TLP:WHITE] elf_babuk_auto (20221010 | Detects elf.babuk.)
rule elf_babuk_auto {
    // Auto-generated code-sequence signature for the ELF Babuk ransomware
    // family tracked by Malpedia as elf.babuk (see malpedia_reference below).
    // Each $sequence_* string is a run of 32-bit x86 instruction bytes lifted
    // from the family's disassembly; "??" bytes are wildcards for operands that
    // differ between builds (call targets, absolute data addresses).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-10-07"
        version = "1"
        description = "Detects elf.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk"
        malpedia_rule_date = "20221007"
        malpedia_hash = "597f9539014e3d0f350c069cd804aa71679486ae"
        malpedia_version = "20221010"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the sequences come from memory dumps and unpacked files
    // (see DISCLAIMER above), and the condition deliberately carries no ELF
    // magic or section check, so the rule is meant for unpacked code rather
    // than packed on-disk samples. Treat a hit as a trigger for analyst
    // review, not as a standalone verdict.

    strings:
        $sequence_0 = { 8b9c2460030000 8bb424d8010000 01f3 11d1 8b54246c 8b9c2454020000 0fafd3 }
            // n = 7, score = 200
            //   8b9c2460030000       | mov                 ebx, dword ptr [esp + 0x360]
            //   8bb424d8010000       | mov                 esi, dword ptr [esp + 0x1d8]
            //   01f3                 | add                 ebx, esi
            //   11d1                 | adc                 ecx, edx
            //   8b54246c             | mov                 edx, dword ptr [esp + 0x6c]
            //   8b9c2454020000       | mov                 ebx, dword ptr [esp + 0x254]
            //   0fafd3               | imul                edx, ebx

        $sequence_1 = { 890424 e8???????? 0fb6442404 84c0 7409 e8???????? 83c410 }
            // n = 7, score = 200
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   0fb6442404           | movzx               eax, byte ptr [esp + 4]
            //   84c0                 | test                al, al
            //   7409                 | je                  0xb
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_2 = { c1ea05 899424c8000000 6bc264 8b9c249c000000 29c3 b8285c8f02 f7e3 }
            // n = 7, score = 200
            //   c1ea05               | shr                 edx, 5
            //   899424c8000000       | mov                 dword ptr [esp + 0xc8], edx
            //   6bc264               | imul                eax, edx, 0x64
            //   8b9c249c000000       | mov                 ebx, dword ptr [esp + 0x9c]
            //   29c3                 | sub                 ebx, eax
            //   b8285c8f02           | mov                 eax, 0x28f5c28
            //   f7e3                 | mul                 ebx

        $sequence_3 = { 8bac2490010000 01cd 89ac24b8030000 8b8c2468010000 01e9 898c24b4030000 8bac243c010000 }
            // n = 7, score = 200
            //   8bac2490010000       | mov                 ebp, dword ptr [esp + 0x190]
            //   01cd                 | add                 ebp, ecx
            //   89ac24b8030000       | mov                 dword ptr [esp + 0x3b8], ebp
            //   8b8c2468010000       | mov                 ecx, dword ptr [esp + 0x168]
            //   01e9                 | add                 ecx, ebp
            //   898c24b4030000       | mov                 dword ptr [esp + 0x3b4], ecx
            //   8bac243c010000       | mov                 ebp, dword ptr [esp + 0x13c]

        $sequence_4 = { 8b89fcffffff 3b6108 0f86ac000000 83ec1c 8b442428 890424 e8???????? }
            // n = 7, score = 200
            //   8b89fcffffff         | mov                 ecx, dword ptr [ecx - 4]
            //   3b6108               | cmp                 esp, dword ptr [ecx + 8]
            //   0f86ac000000         | jbe                 0xb2
            //   83ec1c               | sub                 esp, 0x1c
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_5 = { 8b9c2498000000 8d04d8 8b9c2494000000 01d8 8b9c2490000000 8d2c18 8d4c0314 }
            // n = 7, score = 200
            //   8b9c2498000000       | mov                 ebx, dword ptr [esp + 0x98]
            //   8d04d8               | lea                 eax, [eax + ebx*8]
            //   8b9c2494000000       | mov                 ebx, dword ptr [esp + 0x94]
            //   01d8                 | add                 eax, ebx
            //   8b9c2490000000       | mov                 ebx, dword ptr [esp + 0x90]
            //   8d2c18               | lea                 ebp, [eax + ebx]
            //   8d4c0314             | lea                 ecx, [ebx + eax + 0x14]

        $sequence_6 = { 8b7c2404 8b442448 894704 8b05???????? 85c0 7556 8b842484000000 }
            // n = 7, score = 200
            //   8b7c2404             | mov                 edi, dword ptr [esp + 4]
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   8b05????????         |                     
            //   85c0                 | test                eax, eax
            //   7556                 | jne                 0x58
            //   8b842484000000       | mov                 eax, dword ptr [esp + 0x84]

        $sequence_7 = { c744241000010000 e8???????? 8b442414 8b4c2418 8b542414 8b5c2414 8b6c2418 }
            // n = 7, score = 200
            //   c744241000010000     | mov                 dword ptr [esp + 0x10], 0x100
            //   e8????????           |                     
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b6c2418             | mov                 ebp, dword ptr [esp + 0x18]

        $sequence_8 = { 8b9c2480000000 8d6c1801 807d002e 0f851a050000 8d6802 39ee 0f85db020000 }
            // n = 7, score = 200
            //   8b9c2480000000       | mov                 ebx, dword ptr [esp + 0x80]
            //   8d6c1801             | lea                 ebp, [eax + ebx + 1]
            //   807d002e             | cmp                 byte ptr [ebp], 0x2e
            //   0f851a050000         | jne                 0x520
            //   8d6802               | lea                 ebp, [eax + 2]
            //   39ee                 | cmp                 esi, ebp
            //   0f85db020000         | jne                 0x2e1

        $sequence_9 = { 0f84c0000000 85f6 0f859a000000 8b442438 890424 }
            // n = 5, score = 200
            //   0f84c0000000         | je                  0xc6
            //   85f6                 | test                esi, esi
            //   0f859a000000         | jne                 0xa0
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   890424               | mov                 dword ptr [esp], eax

    condition:
        // Fire when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 4186112 bytes (8 KiB under 4 MiB). The size
        // bound is presumably a performance / false-positive guard from the
        // generator — confirm before widening it for larger dumps.
        7 of them and filesize < 4186112
}