Symbol: elf.babuk
Common name: Babuk

ESX and NAS modules for Babuk ransomware.

References

2023-05-16 | KrebsOnSecurity | Brian Krebs
Russian Hacker “Wazawaka” Indicted for Ransomware
Babuk Hive LockBit

2022-09-28 | vmware | Giovanni Vigna
ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)
Avoslocker Babuk Black Basta BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit Luna RansomEXX RedAlert Ransomware REvil

2022-03-24 | SentinelOne | Antonio Cocomazzi
Ransomware Encryption Internals: A Behavioral Characterization
Babuk BlackMatter

2021-10-12 | CrowdStrike | CrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon LockBit Mailto

2021-09-10 | S2W LAB Inc. | S2W TALON
Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter

2021-09-09 | Advanced Intelligence | Anastasia Sentsova, Yelisey Boguslavskiy
Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
Babuk

2021-09-08 | Medium s2wlab | S2W TALON
Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter

2021-09-08 | McAfee | John Fokker, Max Kersten, Thibault Seret
How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter CTB Locker

2021-09-01 | Medium s2wlab | Chaewon Moon, Denise Dasom Kim, Jungyeon Lim, S2W LAB INTELLIGENCE TEAM, Sujin Lim, Yeonghyeon Jeong
BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter

2021-08-30 | CrowdStrike | Michael Dawson
Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware
Babuk HelloKitty REvil

2021-08-15 | Symantec | Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon BADHATCH BazarBackdoor Clop Cobalt Strike Conti DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-07-04 | Marco Ramilli's Blog | Marco Ramilli
Babuk Ransomware: The Builder
Babuk
Yara Rules
[TLP:WHITE] elf_babuk_auto (20230808 | Detects elf.babuk.)
rule elf_babuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects elf.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { f7e2 89942488020000 898424a4000000 89e8 f7e1 89942484020000 898424a0000000 }
            // n = 7, score = 200
            //   f7e2                 | mul                 edx
            //   89942488020000       | mov                 dword ptr [esp + 0x288], edx
            //   898424a4000000       | mov                 dword ptr [esp + 0xa4], eax
            //   89e8                 | mov                 eax, ebp
            //   f7e1                 | mul                 ecx
            //   89942484020000       | mov                 dword ptr [esp + 0x284], edx
            //   898424a0000000       | mov                 dword ptr [esp + 0xa0], eax

        $sequence_1 = { 895c2404 e8???????? eba0 0fb6c1 3d88000000 0f8374020000 c1e007 }
            // n = 7, score = 200
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   e8????????           |                     
            //   eba0                 | jmp                 0xffffffa2
            //   0fb6c1               | movzx               eax, cl
            //   3d88000000           | cmp                 eax, 0x88
            //   0f8374020000         | jae                 0x27a
            //   c1e007               | shl                 eax, 7

        $sequence_2 = { e8???????? 31c0 eb08 898c8490000000 40 83f806 7d5a }
            // n = 7, score = 200
            //   e8????????           |                     
            //   31c0                 | xor                 eax, eax
            //   eb08                 | jmp                 0xa
            //   898c8490000000       | mov                 dword ptr [esp + eax*4 + 0x90], ecx
            //   40                   | inc                 eax
            //   83f806               | cmp                 eax, 6
            //   7d5a                 | jge                 0x5c

        $sequence_3 = { 8b9c2490000000 8d2c18 8d4c0314 8b942400010000 8b8424fc000000 8b9c24f8000000 39c1 }
            // n = 7, score = 200
            //   8b9c2490000000       | mov                 ebx, dword ptr [esp + 0x90]
            //   8d2c18               | lea                 ebp, [eax + ebx]
            //   8d4c0314             | lea                 ecx, [ebx + eax + 0x14]
            //   8b942400010000       | mov                 edx, dword ptr [esp + 0x100]
            //   8b8424fc000000       | mov                 eax, dword ptr [esp + 0xfc]
            //   8b9c24f8000000       | mov                 ebx, dword ptr [esp + 0xf8]
            //   39c1                 | cmp                 ecx, eax

        $sequence_4 = { e8???????? e8???????? 8b442458 8b4018 c680b500000002 8b44247c 8b4c2478 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   8b442458             | mov                 eax, dword ptr [esp + 0x58]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   c680b500000002       | mov                 byte ptr [eax + 0xb5], 2
            //   8b44247c             | mov                 eax, dword ptr [esp + 0x7c]
            //   8b4c2478             | mov                 ecx, dword ptr [esp + 0x78]

        $sequence_5 = { e8???????? 0fb644240c 84c0 7539 90 658b0500000000 8b80fcffffff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   0fb644240c           | movzx               eax, byte ptr [esp + 0xc]
            //   84c0                 | test                al, al
            //   7539                 | jne                 0x3b
            //   90                   | nop                 
            //   658b0500000000       | mov                 eax, dword ptr gs:[0]
            //   8b80fcffffff         | mov                 eax, dword ptr [eax - 4]

        $sequence_6 = { 8b492c 8b5c2414 01d3 895904 8b4818 8b492c }
            // n = 6, score = 200
            //   8b492c               | mov                 ecx, dword ptr [ecx + 0x2c]
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   01d3                 | add                 ebx, edx
            //   895904               | mov                 dword ptr [ecx + 4], ebx
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   8b492c               | mov                 ecx, dword ptr [ecx + 0x2c]

        $sequence_7 = { e8???????? e8???????? 658b0500000000 8b80fcffffff 8b4018 8b0c24 894824 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   658b0500000000       | mov                 eax, dword ptr gs:[0]
            //   8b80fcffffff         | mov                 eax, dword ptr [eax - 4]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   8b0c24               | mov                 ecx, dword ptr [esp]
            //   894824               | mov                 dword ptr [eax + 0x24], ecx

        $sequence_8 = { c1fd1f 21dd 8d3c2e 89bc24f8000000 8b6c2450 e9???????? 39f5 }
            // n = 7, score = 200
            //   c1fd1f               | sar                 ebp, 0x1f
            //   21dd                 | and                 ebp, ebx
            //   8d3c2e               | lea                 edi, [esi + ebp]
            //   89bc24f8000000       | mov                 dword ptr [esp + 0xf8], edi
            //   8b6c2450             | mov                 ebp, dword ptr [esp + 0x50]
            //   e9????????           |                     
            //   39f5                 | cmp                 ebp, esi

        $sequence_9 = { 89442408 e8???????? 8b44240c 8b4c2410 890d???????? 890d???????? 8b15???????? }
            // n = 7, score = 200
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   e8????????           |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   890d????????         |                     
            //   890d????????         |                     
            //   8b15????????         |                     

    condition:
        7 of them and filesize < 4186112
}