elf.babuk

Babuk


ESX and NAS modules for Babuk ransomware.

References
2021-10-12 | CrowdStrike | CrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9, author = {CrowdStrike Intelligence Team}, title = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}}, date = {2021-10-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/}, language = {English}, urldate = {2021-11-02} } ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-10 | S2W LAB Inc. | S2W TALON
@online{talon:20210910:groove:3dab88b, author = {S2W TALON}, title = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}}, date = {2021-09-10}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d}, language = {English}, urldate = {2021-09-14} } Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter Babuk BlackMatter
2021-09-09 | Advanced Intelligence | Yelisey Boguslavskiy, Anastasia Sentsova
@online{boguslavskiy:20210909:groove:f678f6d, author = {Yelisey Boguslavskiy and Anastasia Sentsova}, title = {{Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings}}, date = {2021-09-09}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings}, language = {English}, urldate = {2021-09-12} } Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
Babuk Babuk
2021-09-08 | Medium s2wlab | S2W TALON
@online{talon:20210908:grooves:64ea498, author = {S2W TALON}, title = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}}, date = {2021-09-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2}, language = {English}, urldate = {2021-09-12} } Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter Babuk BlackMatter
2021-09-08 | McAfee | Max Kersten, John Fokker, Thibault Seret
@online{kersten:20210908:how:5c39aac, author = {Max Kersten and John Fokker and Thibault Seret}, title = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}}, date = {2021-09-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/}, language = {English}, urldate = {2021-09-12} } How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-01 | Medium s2wlab | S2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
@online{team:20210901:blackmatter:6a2a025, author = {S2W LAB INTELLIGENCE TEAM and Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim and Chaewon Moon}, title = {{BlackMatter x Babuk : Using the same web server for sharing leaked files}}, date = {2021-09-01}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751}, language = {English}, urldate = {2021-09-06} } BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter Babuk BlackMatter
2021-08-30 | CrowdStrike | Michael Dawson
@online{dawson:20210830:hypervisor:81ca39b, author = {Michael Dawson}, title = {{Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/}, language = {English}, urldate = {2021-08-31} } Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware
Babuk HelloKitty REvil
2021-07-04 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20210704:babuk:3ba79a8, author = {Marco Ramilli}, title = {{Babuk Ransomware: The Builder}}, date = {2021-07-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/}, language = {English}, urldate = {2021-07-06} } Babuk Ransomware: The Builder
Babuk Babuk
Yara Rules
[TLP:WHITE] elf_babuk_auto (20211008 | Detects elf.babuk.)
// Autogenerated YARA-Signator rule for elf.babuk (Babuk's ESX/NAS modules).
// It carries ten raw code-byte sequences lifted from the reference sample and
// fires when at least seven of them are present in a file below the size cap.
// Licensing/sharing terms are in the meta block (CC BY-SA 4.0, TLP:WHITE).
rule elf_babuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects elf.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk"
        malpedia_rule_date = "20211007"
        // presumably the Malpedia data-set revision the rule was generated
        // from, not a sample hash — confirm against the Malpedia export
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of seven consecutive instructions' opcode
    // bytes; the annotated listing under each one is what those bytes decode
    // to, shown in 32-bit x86 form. "??" bytes are wildcards: they mask the
    // 4-byte relative displacement of call/jmp (e8/e9) and the absolute
    // address operand of the 8b15 load, so the pattern survives relocation
    // and relinking. All other bytes must match exactly.
    // The "n = 7, score = 200" annotations are YARA-Signator bookkeeping
    // (instruction count and, presumably, its selection score) and have no
    // effect on matching — YARA ignores comments.
    strings:
        $sequence_0 = { ffd1 8b442438 8b08 8b5004 8b5808 8b400c 8b6c2404 }
            // n = 7, score = 200
            //   ffd1                 | call                ecx
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   8b5808               | mov                 ebx, dword ptr [eax + 8]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b6c2404             | mov                 ebp, dword ptr [esp + 4]

        $sequence_1 = { e8???????? 8b442414 8b4c2418 8b54241c 8b5c2430 89530c 8b15???????? }
            // n = 7, score = 200
            //   e8????????           | call                <rel32, wildcarded>
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]
            //   89530c               | mov                 dword ptr [ebx + 0xc], edx
            //   8b15????????         | mov                 edx, dword ptr [<abs32, wildcarded>]

        $sequence_2 = { e8???????? eb9a b801000000 ebdb 90 8d5728 e9???????? }
            // n = 7, score = 200
            //   e8????????           | call                <rel32, wildcarded>
            //   eb9a                 | jmp                 0xffffff9c
            //   b801000000           | mov                 eax, 1
            //   ebdb                 | jmp                 0xffffffdd
            //   90                   | nop
            //   8d5728               | lea                 edx, dword ptr [edi + 0x28]
            //   e9????????           | jmp                 <rel32, wildcarded>

        $sequence_3 = { e8???????? 8b44240c 8400 90 8b5c244c 0fb64b30 8d5008 }
            // n = 7, score = 200
            //   e8????????           | call                <rel32, wildcarded>
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8400                 | test                byte ptr [eax], al
            //   90                   | nop
            //   8b5c244c             | mov                 ebx, dword ptr [esp + 0x4c]
            //   0fb64b30             | movzx               ecx, byte ptr [ebx + 0x30]
            //   8d5008               | lea                 edx, dword ptr [eax + 8]

        $sequence_4 = { eb89 e8???????? 8b0424 85c0 0f8585feffff 90 90 }
            // n = 7, score = 200
            //   eb89                 | jmp                 0xffffff8b
            //   e8????????           | call                <rel32, wildcarded>
            //   8b0424               | mov                 eax, dword ptr [esp]
            //   85c0                 | test                eax, eax
            //   0f8585feffff         | jne                 0xfffffe8b
            //   90                   | nop
            //   90                   | nop

        $sequence_5 = { e8???????? 8b44243c 890424 8b442438 89442404 0fb644246c 88442410 }
            // n = 7, score = 200
            //   e8????????           | call                <rel32, wildcarded>
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   0fb644246c           | movzx               eax, byte ptr [esp + 0x6c]
            //   88442410             | mov                 byte ptr [esp + 0x10], al

        $sequence_6 = { eb08 89d1 89c2 8b442440 897c2418 8974241c 95 }
            // n = 7, score = 200
            //   eb08                 | jmp                 0xa
            //   89d1                 | mov                 ecx, edx
            //   89c2                 | mov                 edx, eax
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   897c2418             | mov                 dword ptr [esp + 0x18], edi
            //   8974241c             | mov                 dword ptr [esp + 0x1c], esi
            //   95                   | xchg                eax, ebp

        $sequence_7 = { 89442410 8b4c240c 894c2424 89442428 83c414 c3 31c0 }
            // n = 7, score = 200
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   894c2424             | mov                 dword ptr [esp + 0x24], ecx
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret
            //   31c0                 | xor                 eax, eax

        $sequence_8 = { 8b54244c 8b44243c 39d3 0f8edc000000 89542440 83fe20 19ed }
            // n = 7, score = 200
            //   8b54244c             | mov                 edx, dword ptr [esp + 0x4c]
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]
            //   39d3                 | cmp                 ebx, edx
            //   0f8edc000000         | jle                 0xe2
            //   89542440             | mov                 dword ptr [esp + 0x40], edx
            //   83fe20               | cmp                 esi, 0x20
            //   19ed                 | sbb                 ebp, ebp

        $sequence_9 = { e9???????? b8ffffffff 89442434 83c428 c3 895c2418 8b4058 }
            // n = 7, score = 200
            //   e9????????           | jmp                 <rel32, wildcarded>
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   83c428               | add                 esp, 0x28
            //   c3                   | ret
            //   895c2418             | mov                 dword ptr [esp + 0x18], ebx
            //   8b4058               | mov                 eax, dword ptr [eax + 0x58]

    condition:
        // Seven of the ten sequences must be present, so up to three may be
        // absent (e.g. after a recompile that perturbs one function) without
        // losing the detection. The size cap is presumably derived from the
        // reference sample and keeps the rule from being evaluated against
        // large unrelated files.
        // NOTE(review): filesize is only defined when scanning files; in a
        // process-memory scan the comparison is undefined and the rule will
        // not match — relax or drop that clause if memory scanning matters.
        7 of them and filesize < 4193570
}