misp-circl-feed/feeds/circl/misp/86836f20-44df-443f-9ee4-6fcf0e554883.json

238 lines
20 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "0",
"date": "2021-01-05",
"extends_uuid": "",
"info": "OSINT - Babuk Ransomware",
"publish_timestamp": "1609871090",
"published": true,
"threat_level_id": "3",
"timestamp": "1609871056",
"uuid": "86836f20-44df-443f-9ee4-6fcf0e554883",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:ransomware=\"Babuk Ranomsware\"",
"relationship_type": ""
},
{
"colour": "#004646",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870799",
"to_ids": false,
"type": "link",
"uuid": "ebd69067-3b22-492a-a8be-dbd69e6e697b",
"value": "http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870833",
"to_ids": true,
"type": "md5",
"uuid": "f189012c-b250-4f62-9a12-abfaaba0d75f",
"value": "e10713a4a5f635767dcd54d609bed977"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870833",
"to_ids": true,
"type": "sha256",
"uuid": "e5366890-5bac-4795-9c46-c29adbe4f0d9",
"value": "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870953",
"to_ids": false,
"type": "link",
"uuid": "7c2d2d04-2acc-4baf-a283-b9eb9a0760ca",
"value": "https://bazaar.abuse.ch/sample/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870999",
"to_ids": true,
"type": "yara",
"uuid": "2d93f1e4-e6a2-462f-9d98-1b580e925a53",
"value": "rule BabukSabelt {\r\n\tmeta:\r\n\t \tdescription = \"YARA rule for Babuk Ransomware\"\r\n\t\treference = \"http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/\"\r\n\t\tauthor = \"@cPeterr\"\r\n\t\tdate = \"2021-01-03\"\r\n\t\trule_version = \"v1\"\r\n\t\tmalware_type = \"ransomware\"\r\n\t\ttlp = \"white\"\r\n\tstrings:\r\n\t\t$lanstr1 = \"-lanfirst\"\r\n\t\t$lanstr2 = \"-lansecond\"\r\n\t\t$lanstr3 = \"-nolan\"\r\n\t\t$str1 = \"BABUK LOCKER\"\r\n\t\t$str2 = \".__NIST_K571__\" wide\r\n\t\t$str3 = \"How To Restore Your Files.txt\" wide\r\n\t\t$str4 = \"ecdh_pub_k.bin\" wide\r\n\tcondition:\r\n\t\tall of ($str*) and all of ($lanstr*)\r\n}"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609871033",
"to_ids": false,
"type": "link",
"uuid": "e19fda56-fa9a-4e68-a836-a288a4e1cfa1",
"value": "https://twitter.com/Arkbird_SOLG/status/1345569395725242373"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1609870852",
"uuid": "028f19e2-8c42-4488-94ea-9f445ea27a8c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "028f19e2-8c42-4488-94ea-9f445ea27a8c",
"referenced_uuid": "878b0966-2524-4cde-8fe6-d938d33b0659",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "0",
"uuid": "4abe37f7-f5d3-4357-8393-01e0b9f505e6"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609870833",
"to_ids": true,
"type": "md5",
"uuid": "69f13bd6-4c9e-4608-b459-aca722d7ccf9",
"value": "e10713a4a5f635767dcd54d609bed977"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609870833",
"to_ids": true,
"type": "sha1",
"uuid": "5e7ae909-5b82-4a01-adff-e0a710e374e4",
"value": "320d799beef673a98481757b2ff7e3463ce67916"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609870833",
"to_ids": true,
"type": "sha256",
"uuid": "fbbd78cc-62b8-4760-b91d-3cfe01915fbe",
"value": "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1609870852",
"uuid": "878b0966-2524-4cde-8fe6-d938d33b0659",
"Attribute": [
{
"category": "Other",
"comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1609870833",
"to_ids": false,
"type": "datetime",
"uuid": "73073b9a-3a5c-467a-9b50-9e36d22e0af8",
"value": "2021-01-05T08:13:52+00:00"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1609870833",
"to_ids": false,
"type": "link",
"uuid": "bf5076a9-f57f-4626-b1ee-a03c950cb65a",
"value": "https://www.virustotal.com/gui/file/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/detection/f-8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9-1609834432"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1609870833",
"to_ids": false,
"type": "text",
"uuid": "5fb73878-5607-4271-9126-c04868b5364f",
"value": "48/70"
}
]
}
],
"EventReport": [
{
"name": "Report from - http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/ (1609871056)",
"content": "html Global site tag (gtag.js) - Google Analytics Reverse Engineering \u00b7 03 Jan 2021 # Babuk Ransomware\n\n ## Overview\n\n This is my report for the new Babuk Ransomware that recently appears at the beginning of 2021.\n\n Since this is the first detection of this malware in the wild, it\u2019s not surprising that Babuk is not obsfuscated at all. Overall, it\u2019s a pretty standard ransomware that utilizes some of the new techniques we see such as multi-threading encryption as well as abusing the Windows Restart Manager similar to Conti and REvil.\n\n For encrypting scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and Elliptic-curve Diffie\u2013Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. Like many ransomware that came before, it also has the ability to spread its encryption through enumerating the available network resources.\n\n *Figure 1: RaidForum Babuk leak*\n\n ## IOCS\n\n Babuk Ransomwarecomes in the form of a 32-bit *.exe* file.\n\n **MD5**: e10713a4a5f635767dcd54d609bed977\n\n **SHA256**: 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9\n\n **Sample**: https://bazaar.abuse.ch/sample/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/\n\n *Figure 2: VirusTotal result*\n\n ## Ransom Note\n\n *Figure 3: Babuk\u2019s ransom note*\n\n *Figure 4: Babuk\u2019s Website*\n\n (Pretty unprofessional from the Babuk team since they did not remove the chat log between them and Sabelt)\n\n ## Code Analysis\n\n ### Command-line Arguments\n\n Babuk can work with or without command line paramters. If no parameter is given, it\u2019s restricted to only encrypting the local machines.\n\n *Figure 5: Argument parsing*\n\n If a parameter is given, it will process these arguments upon execution and behave accordingly.\n\n CMD Args Functionality -lanfirst Same as no parameter given, encrypting locally -lansecond Encrypting network shares after encrypting locally -nolan Same as no parameter given, encrypting locally ### Terminating Services\n\n Babuk\u2019s authors hard-coded a list of services to be closed before encryption.\n\n Before terminating a service, Babuk will calls **EnumDependentServicesA** to retrieve the name and status of each service that depends on that specified service.\n\n It will then call **ControlService** with the control code *SERVICE\\_CONTROL\\_STOP* to stop them before terminating the main service the same way.\n\n *Figure 6: Terminating serivces*\n\n Here is the list of services to be closed.\n\n vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup, YooIT, zhudongfangyu, sophos, stc\\_raw\\_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, veeam, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, AcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc, ### Terminating Running Processes\n\n The author also hard-coded a list of processes to be closed.\n\n Using calls to **CreateToolhelp32Snapshot**, **Process32FirstW**, and **Process32NextW** to examine all of the processes running on the system, Babuk can loop through and look for processes needed to be closed. Upon finding any, it will call **TerminateProcess** to terminate it.\n\n *Figure 7: Terminating processes*\n\n Here is the list of processes to be closed.\n\n sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winwo
"id": "33",
"event_id": "81812",
"timestamp": "1609871056",
"uuid": "d5630604-8946-48dc-97f7-8e43cae52442",
"deleted": false
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}