#babuk_260122

#IOC #OptiData #VR #Babuk #Ransomware

https://pastebin.com/EfB83dwk

previous_contact:   n/a

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

attack_vector
--------------
n/a

email_headers
--------------
n/a

# # # # # # # #
files
# # # # # # # #

SHA-256		    4deaecd165abd8afefcaf0efd268f52fc6aa3904223bdccfb82dede849e01a44
File name	    vpndeamon.exe (Grinch.exe) [PE32 executable for MS Windows]
File size	    134.32 KB (137544 bytes)

SHA-256		    1049bafd1648b6cfd6563e77c9301974b1e24b0486e5f2531f2479dd645ae602
File name	    kings.exe [ PE32 executable for MS Windows]
File size	    72.50 KB (74240 bytes)


# # # # # # # #
activity
# # # # # # # #
PL_SCR			-no network connections-

C2		       -no network connections-


netwrk
--------------
-no network connections-

comp
--------------
-no network connections-

proc
--------------
C:\Users\operator\Desktop\vpndeamon.exe
	C:\tmp\kings.exe SW_SHOWNORMAL
		C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
			C:\Windows\system32\vssadmin.exe  delete shadows /all /quiet
		C:\Windows\System32\cmd.exe  /c vssadmin.exe delete shadows /all /quiet
			C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

    {repeat many times, even under Aadmin account - maybe config error}

	C:\tmp\kings.exe SW_SHOWNORMAL
		C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
			C:\Windows\system32\vssadmin.exe  delete shadows /all /quiet
		C:\Windows\System32\cmd.exe  /c vssadmin.exe delete shadows /all /quiet
			C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

persist
--------------
n/a

drop
--------------
%temp%\kings.exe
%any folder or disk%\RestoreFiles.txt

# # # # # # # #
additional info
# # # # # # # #

Ransom note - RestoreFiles.txt
------------------------------
 << Hello, friends! >>
 > Your system has been compromised by our team. > We have blocked your files and also uploaded useful data from your computers(doc, docx, pdf, xls and other office extensions) to our servers.
 > You have 2 days to contact us to discuss the terms of payment for our services to restore your files. If you do not contact us or refuse to pay, we will place your stolen files in the public domain.
 > Do not change the file namesand extensions. Do not try to decrypt the files yourself, they are encrypted using a good encryption algorithm.
 > Main Mail:
 > [email protected]
 > Backup mail(if we don't reply 24 hours):
 > [email protected]
 > At the first contact, you can write to both emails for reliability.


Original File Sample    [11.txt]
------------------------------

Get-WmiObject -class Win32_ComputerSystem
Get-WmiObject -class Win32_BIOS
Get-WmiObject -class Win32_DiskDrive

mofcomp C:\Windows\System32\wbem\cimwin32.mof
mofcomp hideVM.mof

# # # #

Check services:
Get-Service -DisplayName *virtual*

Check devices:
Get-WmiObject -class Win32_PnPEntity | Select Name


Modified File Sample     [11.txt.kings]
------------------------------
J
¬¡äÙXÑNÉ7ÖY¯ýÿ WB€Ï1:2~zComputerSystem
Get-WmiObject -class Win32_BIOS
Get-WmiObject -class Win32_DiskDrive

mofcomp C:\Windows\System32\wbem\cimwin32.mof
mofcomp hideVM.mof

# # # #

Check services:
Get-Service -DisplayName *virtual*

Check devices:
Get-WmiObject -class Win32_PnPEntity | Select Name
bBVÒX¹QÅ1þsxDxìa±¬Ã®ÙúÞä	?¯ÉÎ8Fw yap yap yap yap yap yap yap yap


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/4deaecd165abd8afefcaf0efd268f52fc6aa3904223bdccfb82dede849e01a44/details
https://www.virustotal.com/gui/file/1049bafd1648b6cfd6563e77c9301974b1e24b0486e5f2531f2479dd645ae602/detection
https://analyze.intezer.com/analyses/1c6235d0-9525-4457-b63b-ef7fccf4bd2d/dynamic-ttps
https://analyze.intezer.com/analyses/a6d87137-6073-4717-9b84-3fdef02bbccf/dynamic-ttps

VR