elf.babuk

Babuk


ESX and NAS modules for Babuk ransomware.

References
2022-03-24 | SentinelOne | Antonio Cocomazzi
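@techreport{cocomazzi:20220324:ransomware:be706fa,
  author      = {Cocomazzi, Antonio},
  title       = {Ransomware Encryption Internals: A Behavioral Characterization},
  date        = {2022-03-24},
  institution = {SentinelOne},
  url         = {https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf},
  language    = {English},
  urldate     = {2022-03-25},
}
Ransomware Encryption Internals: A Behavioral Characterization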
Babuk Babuk BlackMatter
2021-10-12 | CrowdStrike | CrowdStrike Intelligence Team
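@online{team:20211012:ecx:5540ee9,
  author       = {{CrowdStrike Intelligence Team}},
  title        = {{ECX}: Big Game Hunting on the Rise Following a Notable Reduction in Activity},
  date         = {2021-10-12},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/},
  language     = {English},
  urldate      = {2021-11-02},
}
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity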
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-10 | S2W LAB Inc. | S2W TALON
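@online{talon:20210910:groove:3dab88b,
  author       = {{S2W TALON}},
  title        = {{Groove} x {RAMP} : The relation between {Groove}, {Babuk}, {Payload.bin}, {RAMP}, and {BlackMatter}},
  date         = {2021-09-10},
  organization = {S2W LAB Inc.},
  url          = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d},
  language     = {English},
  urldate      = {2021-09-14},
}
Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter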
Babuk BlackMatter Babuk BlackMatter
2021-09-09 | Advanced Intelligence | Yelisey Boguslavskiy, Anastasia Sentsova
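@online{boguslavskiy:20210909:groove:f678f6d,
  author       = {Boguslavskiy, Yelisey and Sentsova, Anastasia},
  title        = {{Groove} VS {Babuk}; {Groove} Ransom Manifesto \& {RAMP} Underground Platform Secret Inner Workings},
  date         = {2021-09-09},
  organization = {Advanced Intelligence},
  url          = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings},
  language     = {English},
  urldate      = {2021-09-12},
}
Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings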
Babuk Babuk
2021-09-08 | Medium s2wlab | S2W TALON
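@online{talon:20210908:grooves:64ea498,
  author       = {{S2W TALON}},
  title        = {{Groove’s} thoughts on {Blackmatter}, {Babuk}, and cheese shortages in the {Netherlands}},
  date         = {2021-09-08},
  organization = {Medium s2wlab},
  url          = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2},
  language     = {English},
  urldate      = {2021-09-12},
}
Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands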
Babuk BlackMatter Babuk BlackMatter
2021-09-08 | McAfee | Max Kersten, John Fokker, Thibault Seret
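@online{kersten:20210908:how:5c39aac,
  author       = {Kersten, Max and Fokker, John and Seret, Thibault},
  title        = {How {Groove Gang} is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates},
  date         = {2021-09-08},
  organization = {McAfee},
  url          = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/},
  language     = {English},
  urldate      = {2021-09-12},
}
How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates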
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-01 | Medium s2wlab | S2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
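@online{team:20210901:blackmatter:6a2a025,
  author       = {{S2W LAB INTELLIGENCE TEAM} and Kim, Denise Dasom and Lim, Jungyeon and Jeong, Yeonghyeon and Lim, Sujin and Moon, Chaewon},
  title        = {{BlackMatter} x {Babuk} : Using the same web server for sharing leaked files},
  date         = {2021-09-01},
  organization = {Medium s2wlab},
  url          = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751},
  language     = {English},
  urldate      = {2021-09-06},
}
BlackMatter x Babuk : Using the same web server for sharing leaked files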
Babuk BlackMatter Babuk BlackMatter
2021-08-30 | CrowdStrike | Michael Dawson
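@online{dawson:20210830:hypervisor:81ca39b,
  author       = {Dawson, Michael},
  title        = {Hypervisor Jackpotting, Part 2: {eCrime} Actors Increase Targeting of {ESXi} Servers with Ransomware},
  date         = {2021-08-30},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/},
  language     = {English},
  urldate      = {2021-08-31},
}
Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware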
Babuk HelloKitty REvil
2021-08-15 | Symantec | Threat Hunter Team
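@techreport{team:20210815:ransomware:f799696,
  author      = {{Threat Hunter Team}},
  title       = {The Ransomware Threat},
  date        = {2021-08-15},
  institution = {Symantec},
  url         = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
  language    = {English},
  urldate     = {2021-12-15},
}
The Ransomware Threat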
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-07-04 | Marco Ramilli's Blog | Marco Ramilli
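@online{ramilli:20210704:babuk:3ba79a8,
  author       = {Ramilli, Marco},
  title        = {{Babuk} Ransomware: The Builder},
  date         = {2021-07-04},
  organization = {Marco Ramilli's Blog},
  url          = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/},
  language     = {English},
  urldate      = {2021-07-06},
}
Babuk Ransomware: The Builder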
Babuk Babuk
Yara Rules
[TLP:WHITE] elf_babuk_auto (20220411 | Detects elf.babuk.)
/*
 * Auto-generated YARA rule for the Malpedia family elf.babuk (Babuk ESX/NAS
 * modules). The ten $sequence_N strings are seven-instruction 32-bit x86 code
 * fragments selected by YARA-Signator from a single documented sample; the
 * DISCLAIMER inside the rule describes the generation method and why the
 * rule may generalize poorly to other samples of the family.
 */
rule elf_babuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Generation date of this rule; malpedia_rule_date / malpedia_version
        // below track the Malpedia data snapshot and release it belongs to.
        date = "2022-04-08"
        version = "1"
        description = "Detects elf.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was allowed to use when picking sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is one contiguous run of instruction bytes; the
        // disassembly listed under it is informational only. Bytes written as
        // ?? are wildcards that mask load-address-dependent operands (the
        // rel32 target of an e8 call, the absolute address of an 8b05 mov), so
        // the sequence matches regardless of where the code was mapped.
        // "n" is the instruction count, "score" the generator's ranking value.
        $sequence_0 = { 8d842488000000 890424 89442404 e8???????? 8d842428010000 890424 89442404 }
            // n = 7, score = 200
            //   8d842488000000       | lea                 eax, dword ptr [esp + 0x88]
            //   890424               | mov                 dword ptr [esp], eax
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     
            //   8d842428010000       | lea                 eax, dword ptr [esp + 0x128]
            //   890424               | mov                 dword ptr [esp], eax
            //   89442404             | mov                 dword ptr [esp + 4], eax

        $sequence_1 = { e8???????? 8b442458 0548010000 890424 8b44243c 89442404 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b442458             | mov                 eax, dword ptr [esp + 0x58]
            //   0548010000           | add                 eax, 0x148
            //   890424               | mov                 dword ptr [esp], eax
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     

        $sequence_2 = { 8b89fcffffff 3b6108 0f8636090000 83ec7c 8b8c2484000000 85c9 0f8402080000 }
            // n = 7, score = 200
            //   8b89fcffffff         | mov                 ecx, dword ptr [ecx - 4]
            //   3b6108               | cmp                 esp, dword ptr [ecx + 8]
            //   0f8636090000         | jbe                 0x93c
            //   83ec7c               | sub                 esp, 0x7c
            //   8b8c2484000000       | mov                 ecx, dword ptr [esp + 0x84]
            //   85c9                 | test                ecx, ecx
            //   0f8402080000         | je                  0x808

        $sequence_3 = { c6470c01 31c0 31c9 83f904 7d12 c6470c01 c744240800000000 }
            // n = 7, score = 200
            //   c6470c01             | mov                 byte ptr [edi + 0xc], 1
            //   31c0                 | xor                 eax, eax
            //   31c9                 | xor                 ecx, ecx
            //   83f904               | cmp                 ecx, 4
            //   7d12                 | jge                 0x14
            //   c6470c01             | mov                 byte ptr [edi + 0xc], 1
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0

        $sequence_4 = { e8???????? 8b05???????? 8b4c2414 8901 8b442418 8b08 85c9 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   85c9                 | test                ecx, ecx

        $sequence_5 = { 8b4c2420 894c2404 ffd0 8b442418 8b4c2418 8b5c241c 8b6c2418 }
            // n = 7, score = 200
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   ffd0                 | call                eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]
            //   8b6c2418             | mov                 ebp, dword ptr [esp + 0x18]

        $sequence_6 = { c744243000000000 c744243400000000 c744242c00000020 c744243000000010 c744243400000008 8d81ffff4300 250000c0ff }
            // n = 7, score = 200
            //   c744243000000000     | mov                 dword ptr [esp + 0x30], 0
            //   c744243400000000     | mov                 dword ptr [esp + 0x34], 0
            //   c744242c00000020     | mov                 dword ptr [esp + 0x2c], 0x20000000
            //   c744243000000010     | mov                 dword ptr [esp + 0x30], 0x10000000
            //   c744243400000008     | mov                 dword ptr [esp + 0x34], 0x8000000
            //   8d81ffff4300         | lea                 eax, dword ptr [ecx + 0x43ffff]
            //   250000c0ff           | and                 eax, 0xffc00000

        $sequence_7 = { 8bbc249c000000 01fd 11d1 8b94247c010000 0fafd6 8d3cd2 8d147a }
            // n = 7, score = 200
            //   8bbc249c000000       | mov                 edi, dword ptr [esp + 0x9c]
            //   01fd                 | add                 ebp, edi
            //   11d1                 | adc                 ecx, edx
            //   8b94247c010000       | mov                 edx, dword ptr [esp + 0x17c]
            //   0fafd6               | imul                edx, esi
            //   8d3cd2               | lea                 edi, dword ptr [edx + edx*8]
            //   8d147a               | lea                 edx, dword ptr [edx + edi*2]

        $sequence_8 = { 8b7c2460 8b5c2464 85ff 7421 39d8 0f83ba070000 0fb61c07 }
            // n = 7, score = 200
            //   8b7c2460             | mov                 edi, dword ptr [esp + 0x60]
            //   8b5c2464             | mov                 ebx, dword ptr [esp + 0x64]
            //   85ff                 | test                edi, edi
            //   7421                 | je                  0x23
            //   39d8                 | cmp                 eax, ebx
            //   0f83ba070000         | jae                 0x7c0
            //   0fb61c07             | movzx               ebx, byte ptr [edi + eax]

        $sequence_9 = { 8b8424a4000000 89442404 897c2408 e8???????? 0fb644240c 84c0 751b }
            // n = 7, score = 200
            //   8b8424a4000000       | mov                 eax, dword ptr [esp + 0xa4]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   e8????????           |                     
            //   0fb644240c           | movzx               eax, byte ptr [esp + 0xc]
            //   84c0                 | test                al, al
            //   751b                 | jne                 0x1d

    condition:
        // "them" is every $sequence_* string above, so at least 7 of the 10
        // fragments must be present. The filesize cap (4186112 bytes, roughly
        // 4 MiB) is a generated bound on the scanned object, not an analyst-
        // chosen property of the family. There is no ELF-header (magic) check,
        // presumably so the rule can also be run over memory dumps and
        // unpacked code as mentioned in the DISCLAIMER; add one at the call
        // site if only on-disk ELF files are in scope.
        7 of them and filesize < 4186112
}