elf.babuk

Babuk


ESX and NAS modules for Babuk ransomware.

References
2023-05-16 | KrebsOnSecurity | Brian Krebs
@online{krebs:20230516:russian:b526450, author = {Brian Krebs}, title = {{Russian Hacker “Wazawaka” Indicted for Ransomware}}, date = {2023-05-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/}, language = {English}, urldate = {2023-05-21} } Russian Hacker “Wazawaka” Indicted for Ransomware
Babuk Hive LockBit LockBit Babuk Hive LockBit
2022-09-28 | vmware | Giovanni Vigna
@online{vigna:20220928:esxitargeting:bd1ce9a, author = {Giovanni Vigna}, title = {{ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)}}, date = {2022-09-28}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html}, language = {English}, urldate = {2022-10-10} } ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)
Avoslocker Babuk Black Basta BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit Luna RansomEXX RedAlert Ransomware REvil
2022-03-24 | SentinelOne | Antonio Cocomazzi
@techreport{cocomazzi:20220324:ransomware:be706fa, author = {Antonio Cocomazzi}, title = {{Ransomware Encryption Internals: A Behavioral Characterization}}, date = {2022-03-24}, institution = {SentinelOne}, url = {https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf}, language = {English}, urldate = {2022-03-25} } Ransomware Encryption Internals: A Behavioral Characterization
Babuk Babuk BlackMatter
2021-10-12 | CrowdStrike | CrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9, author = {CrowdStrike Intelligence Team}, title = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}}, date = {2021-10-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/}, language = {English}, urldate = {2021-11-02} } ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-10 | S2W LAB Inc. | S2W TALON
@online{talon:20210910:groove:3dab88b, author = {S2W TALON}, title = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}}, date = {2021-09-10}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d}, language = {English}, urldate = {2021-09-14} } Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter Babuk BlackMatter
2021-09-09 | Advanced Intelligence | Yelisey Boguslavskiy, Anastasia Sentsova
@online{boguslavskiy:20210909:groove:f678f6d, author = {Yelisey Boguslavskiy and Anastasia Sentsova}, title = {{Groove VS Babuk; Groove Ransom Manifesto \& RAMP Underground Platform Secret Inner Workings}}, date = {2021-09-09}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings}, language = {English}, urldate = {2021-09-12} } Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
Babuk Babuk
2021-09-08 | Medium s2wlab | S2W TALON
@online{talon:20210908:grooves:64ea498, author = {S2W TALON}, title = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}}, date = {2021-09-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2}, language = {English}, urldate = {2021-09-12} } Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter Babuk BlackMatter
2021-09-08 | McAfee | Max Kersten, John Fokker, Thibault Seret
@online{kersten:20210908:how:5c39aac, author = {Max Kersten and John Fokker and Thibault Seret}, title = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}}, date = {2021-09-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/}, language = {English}, urldate = {2021-09-12} } How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-01 | Medium s2wlab | S2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
@online{team:20210901:blackmatter:6a2a025, author = {S2W LAB INTELLIGENCE TEAM and Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim and Chaewon Moon}, title = {{BlackMatter x Babuk : Using the same web server for sharing leaked files}}, date = {2021-09-01}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751}, language = {English}, urldate = {2021-09-06} } BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter Babuk BlackMatter
2021-08-30 | CrowdStrike | Michael Dawson
@online{dawson:20210830:hypervisor:81ca39b, author = {Michael Dawson}, title = {{Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/}, language = {English}, urldate = {2021-08-31} } Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware
Babuk HelloKitty REvil
2021-08-15 | Symantec | Threat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-07-04 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20210704:babuk:3ba79a8, author = {Marco Ramilli}, title = {{Babuk Ransomware: The Builder}}, date = {2021-07-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/}, language = {English}, urldate = {2021-07-06} } Babuk Ransomware: The Builder
Babuk Babuk
Yara Rules
[TLP:WHITE] elf_babuk_auto (20230715 | Detects elf.babuk.)
/*
 * elf_babuk_auto
 *
 * Auto-generated YARA rule (yara-signator) for the Babuk ransomware family
 * tracked by Malpedia as elf.babuk (the page describes the ESX and NAS
 * modules). It matches on ten short opcode sequences taken from the
 * generator's disassembly; see the DISCLAIMER inside the rule for how those
 * sequences were selected. Because the DISCLAIMER notes that only single
 * samples may be documented per family, validate hits against a clean corpus
 * before assigning this rule a high confidence level in production detection.
 */
rule elf_babuk_auto {

    meta:
        // Provenance: produced by yara-signator from Malpedia samples; the
        // fields below are the generator's own bookkeeping and are reported by
        // YARA alongside a match (e.g. `yara -m`).
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects elf.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator configuration used to pick the sequences below. The `??`
        // wildcards seen on call displacements and absolute data operands
        // presumably come from the "callsandjumps" and "datarefs" settings,
        // while immediates are kept literally ("binvalue") — confirm against
        // the yara-signator documentation.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk"
        // NOTE(review): `date`, `malpedia_rule_date` and `malpedia_version`
        // carry three different values; presumably generation date vs. Malpedia
        // snapshot dates — confirm with yara-signator before using any of them
        // for rule-age tracking.
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten hex byte sequences of six or seven instructions each. The
        // register names in the generator's annotations (esp, ebp, ecx, ...)
        // show this is 32-bit x86 code. Only the hex bytes are matched by
        // YARA; the `// n = …, score = …` line and the disassembly beside each
        // sequence are annotations from the generator. `??` is a YARA wildcard
        // byte, used here where a call displacement (e8 ????????) or an
        // absolute data address (8b0d ????????) would otherwise be embedded.
        $sequence_0 = { 8b8c246c010000 01e9 898c24d4030000 8bac2440010000 01cd 89ac24d0030000 8b8c2418010000 }
            // n = 7, score = 200
            //   8b8c246c010000       | mov                 ecx, dword ptr [esp + 0x16c]
            //   01e9                 | add                 ecx, ebp
            //   898c24d4030000       | mov                 dword ptr [esp + 0x3d4], ecx
            //   8bac2440010000       | mov                 ebp, dword ptr [esp + 0x140]
            //   01cd                 | add                 ebp, ecx
            //   89ac24d0030000       | mov                 dword ptr [esp + 0x3d0], ebp
            //   8b8c2418010000       | mov                 ecx, dword ptr [esp + 0x118]

        $sequence_1 = { e8???????? 8b4818 8b89c8000000 c70100000000 8b4818 8401 81c1c4000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   8b89c8000000         | mov                 ecx, dword ptr [ecx + 0xc8]
            //   c70100000000         | mov                 dword ptr [ecx], 0
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   8401                 | test                byte ptr [ecx], al
            //   81c1c4000000         | add                 ecx, 0xc4

        $sequence_2 = { 90 ff8194000000 8b4818 8b4970 85c9 0f8431020000 8b0d???????? }
            // n = 7, score = 200
            //   90                   | nop                 
            //   ff8194000000         | inc                 dword ptr [ecx + 0x94]
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   8b4970               | mov                 ecx, dword ptr [ecx + 0x70]
            //   85c9                 | test                ecx, ecx
            //   0f8431020000         | je                  0x237
            //   8b0d????????         |                     

        $sequence_3 = { 0f857d010000 8d7c2424 31c0 e8???????? 8b8c2488000000 8b11 89d3 }
            // n = 7, score = 200
            //   0f857d010000         | jne                 0x183
            //   8d7c2424             | lea                 edi, [esp + 0x24]
            //   31c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   8b8c2488000000       | mov                 ecx, dword ptr [esp + 0x88]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   89d3                 | mov                 ebx, edx

        $sequence_4 = { c744240800000000 c744240c22000000 c7442410ffffffff c744241400000000 e8???????? 8b44241c 8b4c2418 }
            // n = 7, score = 200
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240c22000000     | mov                 dword ptr [esp + 0xc], 0x22
            //   c7442410ffffffff     | mov                 dword ptr [esp + 0x10], 0xffffffff
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   e8????????           |                     
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]

        $sequence_5 = { 85c0 750c 8b442428 8988c8000000 ebd4 8b542428 8dbac8000000 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   8988c8000000         | mov                 dword ptr [eax + 0xc8], ecx
            //   ebd4                 | jmp                 0xffffffd6
            //   8b542428             | mov                 edx, dword ptr [esp + 0x28]
            //   8dbac8000000         | lea                 edi, [edx + 0xc8]

        $sequence_6 = { 8b89fcffffff 3b6108 0f86e3000000 83ec24 8b442428 8b881c030000 894c2414 }
            // n = 7, score = 200
            //   8b89fcffffff         | mov                 ecx, dword ptr [ecx - 4]
            //   3b6108               | cmp                 esp, dword ptr [ecx + 8]
            //   0f86e3000000         | jbe                 0xe9
            //   83ec24               | sub                 esp, 0x24
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   8b881c030000         | mov                 ecx, dword ptr [eax + 0x31c]
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx

        $sequence_7 = { 8b542444 f7e2 89942448020000 8944243c 8b442434 8b542438 f7e2 }
            // n = 7, score = 200
            //   8b542444             | mov                 edx, dword ptr [esp + 0x44]
            //   f7e2                 | mul                 edx
            //   89942448020000       | mov                 dword ptr [esp + 0x248], edx
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   8b542438             | mov                 edx, dword ptr [esp + 0x38]
            //   f7e2                 | mul                 edx

        $sequence_8 = { c3 0fb6987c010000 84db 7589 890c24 e8???????? 83c428 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   0fb6987c010000       | movzx               ebx, byte ptr [eax + 0x17c]
            //   84db                 | test                bl, bl
            //   7589                 | jne                 0xffffff8b
            //   890c24               | mov                 dword ptr [esp], ecx
            //   e8????????           |                     
            //   83c428               | add                 esp, 0x28

        $sequence_9 = { 8bbc24b8030000 01fe 11d1 8b942494020000 0fafd5 8d3cd2 }
            // n = 6, score = 200
            //   8bbc24b8030000       | mov                 edi, dword ptr [esp + 0x3b8]
            //   01fe                 | add                 esi, edi
            //   11d1                 | adc                 ecx, edx
            //   8b942494020000       | mov                 edx, dword ptr [esp + 0x294]
            //   0fafd5               | imul                edx, ebp
            //   8d3cd2               | lea                 edi, [edx + edx*8]

    condition:
        // Fire when at least 7 of the 10 sequences are present, so up to three
        // may be absent (e.g. a rebuilt or patched function) without losing the
        // match. The size bound 4186112 bytes (0x3FE000, just under 4 MiB)
        // restricts the rule to small inputs; NOTE(review): confirm how your
        // YARA version evaluates `filesize` for process-memory scans before
        // relying on this rule there. No ELF header check (e.g.
        // `uint32(0) == 0x464c457f`) is present; given the DISCLAIMER above
        // (sequences taken from memory dumps and unpacked files) that may be
        // deliberate, so test any such guard against dumped samples before
        // adding it to reduce false positives or scan cost.
        7 of them and filesize < 4186112
}