win.babyshark (Back to overview)

BabyShark

Actor(s): Kimsuki


BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing a first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instructions from the operator.

References
2020-03-09 PWC UK Kris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200309:tracking:1979cbf, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2}}, date = {2020-03-09}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html}, language = {English}, urldate = {2020-03-09} } Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2
BabyShark MyDogs Kimsuki
2020-03-04 CrowdStrike CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Kryptonite Panda MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2019-02-22 Twitter 0xffff0800
@online{0xffff0800:20190222:pe:ea39c56, author = {0xffff0800}, title = {{Tweet on PE}}, date = {2019-02-22}, organization = {Twitter}, url = {https://twitter.com/i/web/status/1099147896950185985}, language = {English}, urldate = {2020-01-08} } Tweet on PE
BabyShark
2019-02-22 Palo Alto Networks Unit 42 Unit 42
@online{42:20190222:new:7bda906, author = {Unit 42}, title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}}, date = {2019-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/}, language = {English}, urldate = {2020-01-07} } New BabyShark Malware Targets U.S. National Security Think Tanks
BabyShark STOLEN PENCIL
Yara Rules
[TLP:WHITE] win_babyshark_auto (20190204 | autogenerated rule brought to you by yara-signator)
// Code-sequence rule for win.babyshark generated by yara-signator. Each
// $sequence_N below is an x86 byte pattern taken from disassembly; the
// per-instruction listing is kept as comments so the pattern can be reviewed.
rule win_babyshark_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // "??" bytes are wildcards for the operands left out of the listings
        // below (the instructions whose disassembly column is blank), so only
        // the opcode bytes of those instructions are matched.
        // NOTE(review): several operands are absolute image addresses in the
        // 0x40xxxx range (e.g. 0x406580, 0x405094), which suggests these
        // patterns fit the unpacked / in-memory code they were derived from
        // rather than a packed on-disk sample — confirm before relying on the
        // rule for disk scanning.
        $sequence_0 = { 8b15???????? 890411 83c020 83c104 3d80654000 }
            // n = 5, score = 100
            //   8b15????????         |                     
            //   890411               | mov                 dword ptr [ecx + edx], eax
            //   83c020               | add                 eax, 0x20
            //   83c104               | add                 ecx, 4
            //   3d80654000           | cmp                 eax, 0x406580

        $sequence_1 = { 7f0e 0fbec3 8a8094504000 83e00f eb02 }
            // n = 5, score = 100
            //   7f0e                 | jg                  0x10
            //   0fbec3               | movsx               eax, bl
            //   8a8094504000         | mov                 al, byte ptr [eax + 0x405094]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4

        $sequence_2 = { 682c544000 57 ffd6 6818544000 57 a3???????? }
            // n = 6, score = 100
            //   682c544000           | push                0x40542c
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   6818544000           | push                0x405418
            //   57                   | push                edi
            //   a3????????           |                     

        $sequence_3 = { 6804604000 6800604000 e8???????? 83c410 c3 6a00 6a00 }
            // n = 7, score = 100
            //   6804604000           | push                0x406004
            //   6800604000           | push                0x406000
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   c3                   | ret                 
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_4 = { ffd0 6814604000 6808604000 e8???????? 6804604000 6800604000 e8???????? }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   6814604000           | push                0x406014
            //   6808604000           | push                0x406008
            //   e8????????           |                     
            //   6804604000           | push                0x406004
            //   6800604000           | push                0x406000
            //   e8????????           |                     

        $sequence_5 = { c3 55 8bec 6aff 6860544000 6808254000 64a100000000 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   6aff                 | push                -1
            //   6860544000           | push                0x405460
            //   6808254000           | push                0x402508
            //   64a100000000         | mov                 eax, dword ptr fs:[0]

        $sequence_6 = { 81fe40634000 750b 53 e8???????? 85c0 59 7507 }
            // n = 7, score = 100
            //   81fe40634000         | cmp                 esi, 0x406340
            //   750b                 | jne                 0xd
            //   53                   | push                ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   59                   | pop                 ecx
            //   7507                 | jne                 9

        $sequence_7 = { 742e 85f6 7419 0fb6da f683216d400004 7406 }
            // n = 6, score = 100
            //   742e                 | je                  0x30
            //   85f6                 | test                esi, esi
            //   7419                 | je                  0x1b
            //   0fb6da               | movzx               ebx, dl
            //   f683216d400004       | test                byte ptr [ebx + 0x406d21], 4
            //   7406                 | je                  8

        $sequence_8 = { 8d8560ffffff 68dc534000 50 e8???????? ffb674624000 }
            // n = 5, score = 100
            //   8d8560ffffff         | lea                 eax, [ebp - 0xa0]
            //   68dc534000           | push                0x4053dc
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffb674624000         | push                dword ptr [esi + 0x406274]

        $sequence_9 = { 7714 8088216d400010 8ac8 80c120 }
            // n = 4, score = 100
            //   7714                 | ja                  0x16
            //   8088216d400010       | or                  byte ptr [eax + 0x406d21], 0x10
            //   8ac8                 | mov                 cl, al
            //   80c120               | add                 cl, 0x20

    condition:
        // Any 7 of the 10 sequences above must be present; no file-size or
        // PE-header constraint is applied, so scope the scan set accordingly.
        7 of them
}