{ "Event": { "analysis": "0", "date": "2021-01-05", "extends_uuid": "", "info": "OSINT - Babuk Ransomware", "publish_timestamp": "1609871090", "published": true, "threat_level_id": "3", "timestamp": "1609871056", "uuid": "86836f20-44df-443f-9ee4-6fcf0e554883", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:ransomware=\"Babuk Ranomsware\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1609870799", "to_ids": false, "type": "link", "uuid": "ebd69067-3b22-492a-a8be-dbd69e6e697b", "value": "http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/" }, { "category": "Payload delivery", "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.", "deleted": false, "disable_correlation": false, "timestamp": "1609870833", "to_ids": true, "type": "md5", "uuid": "f189012c-b250-4f62-9a12-abfaaba0d75f", "value": "e10713a4a5f635767dcd54d609bed977" }, { "category": "Payload delivery", "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.", "deleted": false, "disable_correlation": false, "timestamp": "1609870833", "to_ids": true, "type": "sha256", "uuid": "e5366890-5bac-4795-9c46-c29adbe4f0d9", "value": "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1609870953", "to_ids": false, "type": "link", "uuid": "7c2d2d04-2acc-4baf-a283-b9eb9a0760ca", "value": "https://bazaar.abuse.ch/sample/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1609870999", "to_ids": true, "type": "yara", "uuid": "2d93f1e4-e6a2-462f-9d98-1b580e925a53", "value": "rule BabukSabelt {\r\n\tmeta:\r\n\t \tdescription = \"YARA rule for Babuk Ransomware\"\r\n\t\treference = \"http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/\"\r\n\t\tauthor = \"@cPeterr\"\r\n\t\tdate = \"2021-01-03\"\r\n\t\trule_version = \"v1\"\r\n\t\tmalware_type = \"ransomware\"\r\n\t\ttlp = \"white\"\r\n\tstrings:\r\n\t\t$lanstr1 = \"-lanfirst\"\r\n\t\t$lanstr2 = \"-lansecond\"\r\n\t\t$lanstr3 = \"-nolan\"\r\n\t\t$str1 = \"BABUK LOCKER\"\r\n\t\t$str2 = \".__NIST_K571__\" wide\r\n\t\t$str3 = \"How To Restore Your Files.txt\" wide\r\n\t\t$str4 = \"ecdh_pub_k.bin\" wide\r\n\tcondition:\r\n\t\tall of ($str*) and all of ($lanstr*)\r\n}" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1609871033", "to_ids": false, "type": "link", "uuid": "e19fda56-fa9a-4e68-a836-a288a4e1cfa1", "value": "https://twitter.com/Arkbird_SOLG/status/1345569395725242373" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1609870852", "uuid": "028f19e2-8c42-4488-94ea-9f445ea27a8c", "ObjectReference": [ { "comment": "", "object_uuid": "028f19e2-8c42-4488-94ea-9f445ea27a8c", "referenced_uuid": "878b0966-2524-4cde-8fe6-d938d33b0659", "relationship_type": "analysed-with", "timestamp": "0", "uuid": "4abe37f7-f5d3-4357-8393-01e0b9f505e6" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1609870833", "to_ids": true, "type": "md5", "uuid": "69f13bd6-4c9e-4608-b459-aca722d7ccf9", "value": "e10713a4a5f635767dcd54d609bed977" }, { "category": "Payload delivery", "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1609870833", "to_ids": true, "type": "sha1", "uuid": "5e7ae909-5b82-4a01-adff-e0a710e374e4", "value": "320d799beef673a98481757b2ff7e3463ce67916" }, { "category": "Payload delivery", "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1609870833", "to_ids": true, "type": "sha256", "uuid": "fbbd78cc-62b8-4760-b91d-3cfe01915fbe", "value": "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1609870852", "uuid": "878b0966-2524-4cde-8fe6-d938d33b0659", "Attribute": [ { "category": "Other", "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1609870833", "to_ids": false, "type": "datetime", "uuid": "73073b9a-3a5c-467a-9b50-9e36d22e0af8", "value": "2021-01-05T08:13:52+00:00" }, { "category": "Payload delivery", "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1609870833", "to_ids": false, "type": "link", "uuid": "bf5076a9-f57f-4626-b1ee-a03c950cb65a", "value": "https://www.virustotal.com/gui/file/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/detection/f-8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9-1609834432" }, { "category": "Payload delivery", "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1609870833", "to_ids": false, "type": "text", "uuid": "5fb73878-5607-4271-9126-c04868b5364f", "value": "48/70" } ] } ] } }