- #IOC #OptiData #VR #Babuk #Ransomware
- https://pastebin.com/EfB83dwk
- previous_contact: n/a
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk
- attack_vector
- --------------
- n/a
- email_headers
- --------------
- n/a
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 4deaecd165abd8afefcaf0efd268f52fc6aa3904223bdccfb82dede849e01a44
- File name vpndeamon.exe (Grinch.exe) [PE32 executable for MS Windows]
- File size 134.32 KB (137544 bytes)
- SHA-256 1049bafd1648b6cfd6563e77c9301974b1e24b0486e5f2531f2479dd645ae602
- File name kings.exe [PE32 executable for MS Windows]
- File size 72.50 KB (74240 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR -no network connections-
- C2 -no network connections-
- netwrk
- --------------
- -no network connections-
- comp
- --------------
- -no network connections-
- proc
- --------------
- C:\Users\operator\Desktop\vpndeamon.exe
- C:\tmp\kings.exe SW_SHOWNORMAL
- C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
- C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
- C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
- C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
- {repeated many times, even under an admin account - maybe a config error}
- C:\tmp\kings.exe SW_SHOWNORMAL
- C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
- C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
- C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
- C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
- persist
- --------------
- n/a
- drop
- --------------
- %temp%\kings.exe
- %any folder or disk%\RestoreFiles.txt
- # # # # # # # #
- additional info
- # # # # # # # #
- Ransom note - RestoreFiles.txt
- ------------------------------
- << Hello, friends! >>
- > Your system has been compromised by our team.
- > We have blocked your files and also uploaded useful data from your computers (doc, docx, pdf, xls and other office extensions) to our servers.
- > You have 2 days to contact us to discuss the terms of payment for our services to restore your files. If you do not contact us or refuse to pay, we will place your stolen files in the public domain.
- > Do not change the file names and extensions. Do not try to decrypt the files yourself, they are encrypted using a good encryption algorithm.
- > Main Mail:
- > alexnoyz@gmx.de
- > Backup mail(if we don't reply 24 hours):
- > alexnoyz2@mein.gmx
- > At the first contact, you can write to both emails for reliability.
- Original File Sample [11.txt]
- ------------------------------
- Get-WmiObject -class Win32_ComputerSystem
- Get-WmiObject -class Win32_BIOS
- Get-WmiObject -class Win32_DiskDrive
- mofcomp C:\Windows\System32\wbem\cimwin32.mof
- mofcomp hideVM.mof
- # # # #
- Check services:
- Get-Service -DisplayName *virtual*
- Check devices:
- Get-WmiObject -class Win32_PnPEntity | Select Name
- Modified File Sample [11.txt.kings]
- ------------------------------
- J
- ¬¡äÙXÑNÉ7ÖY¯ýÿ WB€Ï1 :2~zComputerSystem
- Get-WmiObject -class Win32_BIOS
- Get-WmiObject -class Win32_DiskDrive
- mofcomp C:\Windows\System32\wbem\cimwin32.mof
- mofcomp hideVM.mof
- # # # #
- Check services:
- Get-Service -DisplayName *virtual*
- Check devices:
- Get-WmiObject -class Win32_PnPEntity | Select Name
- bBVÒX¹QÅ1þsxDxìa±¬Ã®ÙúÞä ?¯ÉÎ8Fw yap yap yap yap yap yap yap yap
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/4deaecd165abd8afefcaf0efd268f52fc6aa3904223bdccfb82dede849e01a44/details
- https://www.virustotal.com/gui/file/1049bafd1648b6cfd6563e77c9301974b1e24b0486e5f2531f2479dd645ae602/detection
- https://analyze.intezer.com/analyses/1c6235d0-9525-4457-b63b-ef7fccf4bd2d/dynamic-ttps
- https://analyze.intezer.com/analyses/a6d87137-6073-4717-9b84-3fdef02bbccf/dynamic-ttps
- VR