elf.babuk

Babuk


Linux (ELF) modules of the Babuk ransomware targeting VMware ESXi hypervisors and NAS devices.

References
2022-03-24 | SentinelOne | Antonio Cocomazzi
@techreport{cocomazzi:20220324:ransomware:be706fa,
  author      = {Antonio Cocomazzi},
  title       = {{Ransomware Encryption Internals: A Behavioral Characterization}},
  date        = {2022-03-24},
  institution = {SentinelOne},
  url         = {https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf},
  language    = {English},
  urldate     = {2022-03-25},
}
Ransomware Encryption Internals: A Behavioral Characterization
Babuk Babuk BlackMatter
2021-10-12 | CrowdStrike | CrowdStrike Intelligence Team
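@online{team:20211012:ecx:5540ee9,
  author       = {{CrowdStrike Intelligence Team}},
  title        = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}},
  date         = {2021-10-12},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/},
  language     = {English},
  urldate      = {2021-11-02},
}
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity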
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-10 | S2W LAB Inc. | S2W TALON
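@online{talon:20210910:groove:3dab88b,
  author       = {{S2W TALON}},
  title        = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}},
  date         = {2021-09-10},
  organization = {S2W LAB Inc.},
  url          = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d},
  language     = {English},
  urldate      = {2021-09-14},
}
Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter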
Babuk BlackMatter Babuk BlackMatter
2021-09-09 | Advanced Intelligence | Yelisey Boguslavskiy, Anastasia Sentsova
@online{boguslavskiy:20210909:groove:f678f6d,
  author       = {Yelisey Boguslavskiy and Anastasia Sentsova},
  title        = {{Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings}},
  date         = {2021-09-09},
  organization = {Advanced Intelligence},
  url          = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings},
  language     = {English},
  urldate      = {2021-09-12},
}
Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
Babuk Babuk
2021-09-08 | Medium s2wlab | S2W TALON
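@online{talon:20210908:grooves:64ea498,
  author       = {{S2W TALON}},
  title        = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}},
  date         = {2021-09-08},
  organization = {Medium s2wlab},
  url          = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2},
  language     = {English},
  urldate      = {2021-09-12},
}
Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands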
Babuk BlackMatter Babuk BlackMatter
2021-09-08 | McAfee | Max Kersten, John Fokker, Thibault Seret
@online{kersten:20210908:how:5c39aac,
  author       = {Max Kersten and John Fokker and Thibault Seret},
  title        = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}},
  date         = {2021-09-08},
  organization = {McAfee},
  url          = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/},
  language     = {English},
  urldate      = {2021-09-12},
}
How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-01 | Medium s2wlab | S2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
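@online{team:20210901:blackmatter:6a2a025,
  author       = {{S2W LAB INTELLIGENCE TEAM} and Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim and Chaewon Moon},
  title        = {{BlackMatter x Babuk : Using the same web server for sharing leaked files}},
  date         = {2021-09-01},
  organization = {Medium s2wlab},
  url          = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751},
  language     = {English},
  urldate      = {2021-09-06},
}
BlackMatter x Babuk : Using the same web server for sharing leaked files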
Babuk BlackMatter Babuk BlackMatter
2021-08-30 | CrowdStrike | Michael Dawson
@online{dawson:20210830:hypervisor:81ca39b,
  author       = {Michael Dawson},
  title        = {{Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware}},
  date         = {2021-08-30},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/},
  language     = {English},
  urldate      = {2021-08-31},
}
Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware
Babuk HelloKitty REvil
2021-08-15 | Symantec | Threat Hunter Team
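@techreport{team:20210815:ransomware:f799696,
  author      = {{Threat Hunter Team}},
  title       = {{The Ransomware Threat}},
  date        = {2021-08-15},
  institution = {Symantec},
  url         = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
  language    = {English},
  urldate     = {2021-12-15},
}
The Ransomware Threat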
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-07-04 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20210704:babuk:3ba79a8,
  author       = {Marco Ramilli},
  title        = {{Babuk Ransomware: The Builder}},
  date         = {2021-07-04},
  organization = {Marco Ramilli's Blog},
  url          = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/},
  language     = {English},
  urldate      = {2021-07-06},
}
Babuk Ransomware: The Builder
Babuk Babuk
Yara Rules
[TLP:WHITE] elf_babuk_auto (20220808 | Detects elf.babuk.)
// elf.babuk -- auto-generated code-sequence signature (YARA-Signator, Malpedia, TLP:WHITE).
// Reviewer notes (added for operators; the rule body below is unchanged):
//  * Each $sequence_N is a run of x86 opcode bytes lifted from the disassembly of a
//    single Malpedia sample (see the generator's DISCLAIMER). The "????????" wildcards
//    mask 4-byte call/jump targets and absolute data references (signator_config
//    "callsandjumps;datarefs"), which change between builds.
//  * The condition needs 7 of the 10 sequences, so a rebuild from the same source may
//    still hit, but a different toolchain or heavy refactoring likely will not. Treat a
//    hit as a family indicator, not as proof of a particular Babuk variant.
//  * The condition references `filesize`, which YARA leaves undefined when scanning
//    process memory; an undefined comparison makes the whole condition false, so this
//    rule is effectively file-scan only. Drop or guard the filesize clause if you need
//    it for memory scanning.
//  * The disassembly comments read as 32-bit x86 (esp-relative frames). Whether the same
//    byte sequences also occur in x86-64 or ARM (NAS) builds is not established here.
rule elf_babuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects elf.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each "n" is the instruction count of the sequence and "score" the generator's
        // ranking; "????????" masks rel32/disp32 operands that vary between builds.
        $sequence_0 = { 8b2d???????? 8b74245c 89f7 29ee 8b0d???????? 898c24c4000000 01f1 }
            // n = 7, score = 200
            //   8b2d????????         |                     
            //   8b74245c             | mov                 esi, dword ptr [esp + 0x5c]
            //   89f7                 | mov                 edi, esi
            //   29ee                 | sub                 esi, ebp
            //   8b0d????????         |                     
            //   898c24c4000000       | mov                 dword ptr [esp + 0xc4], ecx
            //   01f1                 | add                 ecx, esi

        $sequence_1 = { eb0c 41 0fb77c242e 89f2 89d8 89fb 39d9 }
            // n = 7, score = 200
            //   eb0c                 | jmp                 0xe
            //   41                   | inc                 ecx
            //   0fb77c242e           | movzx               edi, word ptr [esp + 0x2e]
            //   89f2                 | mov                 edx, esi
            //   89d8                 | mov                 eax, ebx
            //   89fb                 | mov                 ebx, edi
            //   39d9                 | cmp                 ecx, ebx

        $sequence_2 = { e8???????? 8b442420 8b4c241c e9???????? e8???????? e8???????? 8b0424 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   e9????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   8b0424               | mov                 eax, dword ptr [esp]

        $sequence_3 = { c744241801000000 8d442434 8944241c c744242002000000 c744242402000000 e8???????? 8b442458 }
            // n = 7, score = 200
            //   c744241801000000     | mov                 dword ptr [esp + 0x18], 1
            //   8d442434             | lea                 eax, [esp + 0x34]
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   c744242002000000     | mov                 dword ptr [esp + 0x20], 2
            //   c744242402000000     | mov                 dword ptr [esp + 0x24], 2
            //   e8????????           |                     
            //   8b442458             | mov                 eax, dword ptr [esp + 0x58]

        $sequence_4 = { ebcf 891424 8b442424 89442404 894c2408 e8???????? 0fb644240c }
            // n = 7, score = 200
            //   ebcf                 | jmp                 0xffffffd1
            //   891424               | mov                 dword ptr [esp], edx
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   e8????????           |                     
            //   0fb644240c           | movzx               eax, byte ptr [esp + 0xc]

        $sequence_5 = { e8???????? c684248c00000001 83ec80 c3 88442422 8b842484000000 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   c684248c00000001     | mov                 byte ptr [esp + 0x8c], 1
            //   83ec80               | sub                 esp, -0x80
            //   c3                   | ret                 
            //   88442422             | mov                 byte ptr [esp + 0x22], al
            //   8b842484000000       | mov                 eax, dword ptr [esp + 0x84]

        $sequence_6 = { c70424b4000000 8b542434 89542404 894c2408 8944240c 8b442444 89442410 }
            // n = 7, score = 200
            //   c70424b4000000       | mov                 dword ptr [esp], 0xb4
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_7 = { 8d540a01 8b0490 89442418 890424 e8???????? 8b442404 c744241c00000000 }
            // n = 7, score = 200
            //   8d540a01             | lea                 edx, [edx + ecx + 1]
            //   8b0490               | mov                 eax, dword ptr [eax + edx*4]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0

        $sequence_8 = { 8b442404 85c0 0f8554010000 8b44243c 89442404 8b4c241c 890c24 }
            // n = 7, score = 200
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   85c0                 | test                eax, eax
            //   0f8554010000         | jne                 0x15a
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   890c24               | mov                 dword ptr [esp], ecx

        $sequence_9 = { 8bac24d8000000 8bbc242c030000 01fd 11cb 8b4c243c 8bac247c020000 0fafcd }
            // n = 7, score = 200
            //   8bac24d8000000       | mov                 ebp, dword ptr [esp + 0xd8]
            //   8bbc242c030000       | mov                 edi, dword ptr [esp + 0x32c]
            //   01fd                 | add                 ebp, edi
            //   11cb                 | adc                 ebx, ecx
            //   8b4c243c             | mov                 ecx, dword ptr [esp + 0x3c]
            //   8bac247c020000       | mov                 ebp, dword ptr [esp + 0x27c]
            //   0fafcd               | imul                ecx, ebp

    condition:
        // Generator-chosen threshold: 7 of the 10 sequences, plus a size bound just under
        // 4 MiB. `filesize` is undefined on process-memory scans, which makes the whole
        // condition false there -- see the reviewer notes at the top of the rule.
        7 of them and filesize < 4186112
}