VRad

#babuk_260122

Jan 26th, 2022 (edited)
#IOC #OptiData #VR #Babuk #Ransomware

https://pastebin.com/EfB83dwk

previous_contact: n/a

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

attack_vector
--------------
n/a

email_headers
--------------
n/a

# # # # # # # #
files
# # # # # # # #

SHA-256 4deaecd165abd8afefcaf0efd268f52fc6aa3904223bdccfb82dede849e01a44
File name vpndeamon.exe (Grinch.exe) [PE32 executable for MS Windows]
File size 134.32 KB (137544 bytes)

SHA-256 1049bafd1648b6cfd6563e77c9301974b1e24b0486e5f2531f2479dd645ae602
File name kings.exe [PE32 executable for MS Windows]
File size 72.50 KB (74240 bytes)


# # # # # # # #
activity
# # # # # # # #
PL_SCR -no network connections-

C2 -no network connections-


netwrk
--------------
-no network connections-

comp
--------------
-no network connections-

proc
--------------
C:\Users\operator\Desktop\vpndeamon.exe
C:\tmp\kings.exe SW_SHOWNORMAL
C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

{repeated many times, even under an admin account - maybe a config error}

C:\tmp\kings.exe SW_SHOWNORMAL
C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

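The process list above is what a detection rule has to key on: the two sample hashes, the dropped encryptor name in a staging directory, and the repeated `vssadmin delete shadows /all /quiet` via `cmd.exe /c`. The following is an added example of that detection logic run over constructed process-creation events, not code from the paste or from the Babuk operators; the event field names (image, command_line, sha256) are an assumed schema, not Sysmon's or any specific EDR's.

```python
"""Detection logic over process-creation events, keyed on the IOCs in this paste.

Added example, not part of the original paste. The events below are constructed
to mirror the 'proc' and 'files' sections; the field names (image, command_line,
sha256) are an assumed schema, not Sysmon's or any specific EDR's.
"""
import re

# SHA-256 values copied from the 'files' section above.
KNOWN_HASHES = {
    "4deaecd165abd8afefcaf0efd268f52fc6aa3904223bdccfb82dede849e01a44": "vpndeamon.exe (Grinch.exe)",
    "1049bafd1648b6cfd6563e77c9301974b1e24b0486e5f2531f2479dd645ae602": "kings.exe",
}

# 'vssadmin delete shadows /all' in any spelling: with or without .exe, with or
# without /quiet, direct or via 'cmd.exe /c'. Matching tokens instead of the
# exact string keeps the rule robust to argument reordering.
_VSS_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b.*\s/all\b", re.IGNORECASE
)

# Staging directories seen under 'drop' (%temp%) and 'proc' (C:\tmp).
_STAGING_DIRS = ("\\tmp\\", "\\temp\\")


def classify_event(ev):
    """Return the alert labels raised by one process-creation event ([] if none)."""
    alerts = []
    image = ev.get("image", "").lower()
    cmd = ev.get("command_line", "")
    digest = ev.get("sha256", "").lower()

    # 1. Hash match: catches the samples even when renamed (Grinch.exe).
    if digest in KNOWN_HASHES:
        alerts.append("known_sample:" + KNOWN_HASHES[digest])

    # 2. Shadow-copy wipe. A benign 'vssadmin list shadows' does not match.
    if _VSS_DELETE.search(cmd):
        alerts.append("shadow_copy_deletion")

    # 3. The dropped encryptor name in a staging directory, by path alone.
    if image.endswith("\\kings.exe") and any(d in image for d in _STAGING_DIRS):
        alerts.append("dropper_path:kings.exe")

    return alerts


def scan(events):
    """Map event index -> alerts for every event that raised at least one alert."""
    hits = {}
    for i, ev in enumerate(events):
        alerts = classify_event(ev)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed event stream: the process lines from 'proc' plus one benign
# vssadmin query that must not fire. Hashes for cmd.exe/vssadmin.exe are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\operator\Desktop\vpndeamon.exe",
     "command_line": r"C:\Users\operator\Desktop\vpndeamon.exe",
     "sha256": "4deaecd165abd8afefcaf0efd268f52fc6aa3904223bdccfb82dede849e01a44"},
    {"image": r"C:\tmp\kings.exe",
     "command_line": r"C:\tmp\kings.exe SW_SHOWNORMAL",
     "sha256": "1049bafd1648b6cfd6563e77c9301974b1e24b0486e5f2531f2479dd645ae602"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet",
     "sha256": "placeholder"},
    {"image": r"C:\Windows\system32\vssadmin.exe",
     "command_line": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet",
     "sha256": "placeholder"},
    {"image": r"C:\Windows\system32\vssadmin.exe",
     "command_line": r"C:\Windows\system32\vssadmin.exe list shadows",
     "sha256": "placeholder"},
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["command_line"], "->", alerts)
```

The hash check is deliberately independent of the file name, because the first sample was already seen under two names (vpndeamon.exe and Grinch.exe); the vssadmin rule is the durable signal, since it survives a rebuild of the binary.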
persist
--------------
n/a

drop
--------------
%temp%\kings.exe
%any folder or disk%\RestoreFiles.txt

# # # # # # # #
additional info
# # # # # # # #

Ransom note - RestoreFiles.txt
------------------------------
<< Hello, friends! >>
> Your system has been compromised by our team.
> We have blocked your files and also uploaded useful data from your computers(doc, docx, pdf, xls and other office extensions) to our servers.
> You have 2 days to contact us to discuss the terms of payment for our services to restore your files. If you do not contact us or refuse to pay, we will place your stolen files in the public domain.
> Do not change the file namesand extensions. Do not try to decrypt the files yourself, they are encrypted using a good encryption algorithm.
> Main Mail:
> alexnoyz@gmx.de
> Backup mail(if we don't reply 24 hours):
> alexnoyz2@mein.gmx
> At the first contact, you can write to both emails for reliability.


Original File Sample [11.txt]
------------------------------

Get-WmiObject -class Win32_ComputerSystem
Get-WmiObject -class Win32_BIOS
Get-WmiObject -class Win32_DiskDrive

mofcomp C:\Windows\System32\wbem\cimwin32.mof
mofcomp hideVM.mof

# # # #

Check services:
Get-Service -DisplayName *virtual*

Check devices:
Get-WmiObject -class Win32_PnPEntity | Select Name


Modified File Sample [11.txt.kings]
------------------------------
J
¬¡äÙXÑNÉ7ÖY¯ýŽÿ WB€Ï1…:2~zComputerSystem
Get-WmiObject -class Win32_BIOS
Get-WmiObject -class Win32_DiskDrive

mofcomp C:\Windows\System32\wbem\cimwin32.mof
mofcomp hideVM.mof

# # # #

Check services:
Get-Service -DisplayName *virtual*

Check devices:
Get-WmiObject -class Win32_PnPEntity | Select Name
bBVÒX’¹QÅ1þs˜xDxìa±¬Ã®ÙúÞä— —?¯ÉÎ8Fw yap yap yap yap yap yap yap yap
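The before/after pair above shows the shape of the damage: the head of 11.txt is replaced by ciphertext, the commands in the middle survive byte-for-byte, and extra bytes trail the end. When triaging a large set of encrypted files it helps to measure that shape rather than eyeball it. The following is an added example, not code from the paste: it reconstructs the 11.txt content listed above and builds a constructed stand-in for the .kings output (first HEAD_LEN bytes XORed with a constant and a fixed footer appended; a toy, not Babuk's cipher, and HEAD_LEN and the footer are assumptions), then maps the byte ranges that actually changed.

```python
"""Locate which bytes of a file an encryptor actually touched.

Added example, not from the paste. The Modified File Sample above shows the head
of 11.txt turned into ciphertext while the commands in the middle survive and
extra bytes trail the end. MODIFIED below is constructed to have that shape:
the first HEAD_LEN bytes are XORed with a constant (a toy stand-in, not Babuk's
cipher) and a fixed footer is appended. HEAD_LEN and the footer are assumptions.
"""

# 11.txt as listed in the Original File Sample section.
ORIGINAL = (
    b"\nGet-WmiObject -class Win32_ComputerSystem\n"
    b"Get-WmiObject -class Win32_BIOS\n"
    b"Get-WmiObject -class Win32_DiskDrive\n"
    b"\n"
    b"mofcomp C:\\Windows\\System32\\wbem\\cimwin32.mof\n"
    b"mofcomp hideVM.mof\n"
    b"\n"
    b"# # # #\n"
    b"\n"
    b"Check services:\n"
    b"Get-Service -DisplayName *virtual*\n"
    b"\n"
    b"Check devices:\n"
    b"Get-WmiObject -class Win32_PnPEntity | Select Name\n"
)

HEAD_LEN = 32                 # assumed length of the encrypted head
FOOTER = bytes(range(40))     # constructed trailing blob, stands in for whatever the real sample appends


def toy_encrypt(data, head_len=HEAD_LEN, footer=FOOTER):
    """Constructed partial 'encryption': XOR the head, keep the rest, append a footer."""
    head = bytes(b ^ 0xA5 for b in data[:head_len])
    return head + data[head_len:] + footer


MODIFIED = toy_encrypt(ORIGINAL)


def changed_ranges(original, modified):
    """Return ([(start, end), ...], size_delta).

    The ranges are half-open byte intervals where the two buffers differ over
    their common length; size_delta is how many bytes the modified file grew
    (positive, e.g. an appended footer) or shrank (negative, truncation).
    """
    n = min(len(original), len(modified))
    ranges, start = [], None
    for i in range(n):
        if original[i] != modified[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges, len(modified) - len(original)


def surviving_plaintext(original, modified):
    """Bytes of the original that are intact, in order, in the modified file."""
    ranges, _ = changed_ranges(original, modified)
    n = min(len(original), len(modified))
    intact, pos = bytearray(), 0
    for start, end in ranges:
        intact += original[pos:start]
        pos = end
    intact += original[pos:n]
    return bytes(intact)


def plaintext_ratio(original, modified):
    """Fraction of the original's bytes that can be read back without the key."""
    return len(surviving_plaintext(original, modified)) / len(original)


if __name__ == "__main__":
    ranges, delta = changed_ranges(ORIGINAL, MODIFIED)
    print("changed ranges:", ranges, "size delta:", delta)
    print("plaintext ratio: %.2f" % plaintext_ratio(ORIGINAL, MODIFIED))
```

To use it on the real pair, read 11.txt and 11.txt.kings in binary mode and pass the two byte strings to changed_ranges; a high plaintext_ratio on large files is the practical reason a partially encrypted document can still be carved for content even when the key is never recovered.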


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/4deaecd165abd8afefcaf0efd268f52fc6aa3904223bdccfb82dede849e01a44/details
https://www.virustotal.com/gui/file/1049bafd1648b6cfd6563e77c9301974b1e24b0486e5f2531f2479dd645ae602/detection
https://analyze.intezer.com/analyses/1c6235d0-9525-4457-b63b-ef7fccf4bd2d/dynamic-ttps
https://analyze.intezer.com/analyses/a6d87137-6073-4717-9b84-3fdef02bbccf/dynamic-ttps

VR
