{
"Event": {
"analysis": "0",
"date": "2021-01-05",
"extends_uuid": "",
"info": "OSINT - Babuk Ransomware",
"publish_timestamp": "1609871090",
"published": true,
"threat_level_id": "3",
"timestamp": "1609871056",
"uuid": "86836f20-44df-443f-9ee4-6fcf0e554883",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:ransomware=\"Babuk Ranomsware\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": false,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870799",
"to_ids": false,
"type": "link",
"uuid": "ebd69067-3b22-492a-a8be-dbd69e6e697b",
"value": "http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomware comes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870833",
"to_ids": true,
"type": "md5",
"uuid": "f189012c-b250-4f62-9a12-abfaaba0d75f",
"value": "e10713a4a5f635767dcd54d609bed977"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomware comes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870833",
"to_ids": true,
"type": "sha256",
"uuid": "e5366890-5bac-4795-9c46-c29adbe4f0d9",
"value": "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870953",
"to_ids": false,
"type": "link",
"uuid": "7c2d2d04-2acc-4baf-a283-b9eb9a0760ca",
"value": "https://bazaar.abuse.ch/sample/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609870999",
"to_ids": true,
"type": "yara",
"uuid": "2d93f1e4-e6a2-462f-9d98-1b580e925a53",
"value": "rule BabukSabelt {\r\n\tmeta:\r\n\t \tdescription = \"YARA rule for Babuk Ransomware\"\r\n\t\treference = \"http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/\"\r\n\t\tauthor = \"@cPeterr\"\r\n\t\tdate = \"2021-01-03\"\r\n\t\trule_version = \"v1\"\r\n\t\tmalware_type = \"ransomware\"\r\n\t\ttlp = \"white\"\r\n\tstrings:\r\n\t\t$lanstr1 = \"-lanfirst\"\r\n\t\t$lanstr2 = \"-lansecond\"\r\n\t\t$lanstr3 = \"-nolan\"\r\n\t\t$str1 = \"BABUK LOCKER\"\r\n\t\t$str2 = \".__NIST_K571__\" wide\r\n\t\t$str3 = \"How To Restore Your Files.txt\" wide\r\n\t\t$str4 = \"ecdh_pub_k.bin\" wide\r\n\tcondition:\r\n\t\tall of ($str*) and all of ($lanstr*)\r\n}"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609871033",
"to_ids": false,
"type": "link",
"uuid": "e19fda56-fa9a-4e68-a836-a288a4e1cfa1",
"value": "https://twitter.com/Arkbird_SOLG/status/1345569395725242373"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1609870852",
"uuid": "028f19e2-8c42-4488-94ea-9f445ea27a8c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "028f19e2-8c42-4488-94ea-9f445ea27a8c",
"referenced_uuid": "878b0966-2524-4cde-8fe6-d938d33b0659",
"relationship_type": "analysed-with",
"timestamp": "0",
"uuid": "4abe37f7-f5d3-4357-8393-01e0b9f505e6"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Babuk Ransomware comes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609870833",
"to_ids": true,
"type": "md5",
"uuid": "69f13bd6-4c9e-4608-b459-aca722d7ccf9",
"value": "e10713a4a5f635767dcd54d609bed977"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomware comes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609870833",
"to_ids": true,
"type": "sha1",
"uuid": "5e7ae909-5b82-4a01-adff-e0a710e374e4",
"value": "320d799beef673a98481757b2ff7e3463ce67916"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomware comes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609870833",
"to_ids": true,
"type": "sha256",
"uuid": "fbbd78cc-62b8-4760-b91d-3cfe01915fbe",
"value": "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1609870852",
"uuid": "878b0966-2524-4cde-8fe6-d938d33b0659",
"Attribute": [
{
"category": "Other",
"comment": "Babuk Ransomware comes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1609870833",
"to_ids": false,
"type": "datetime",
"uuid": "73073b9a-3a5c-467a-9b50-9e36d22e0af8",
"value": "2021-01-05T08:13:52+00:00"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomware comes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1609870833",
"to_ids": false,
"type": "link",
"uuid": "bf5076a9-f57f-4626-b1ee-a03c950cb65a",
"value": "https://www.virustotal.com/gui/file/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/detection/f-8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9-1609834432"
},
{
"category": "Payload delivery",
"comment": "Babuk Ransomware comes in the form of a 32-bit .exe file.",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1609870833",
"to_ids": false,
"type": "text",
"uuid": "5fb73878-5607-4271-9126-c04868b5364f",
"value": "48/70"
}
]
}
],
"EventReport": [
{
"name": "Report from - http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/ (1609871056)",
"content": "html Global site tag (gtag.js) - Google Analytics Reverse Engineering \u00b7 03 Jan 2021 # Babuk Ransomware\n\n ## Overview\n\n This is my report for the new Babuk Ransomware that recently appears at the beginning of 2021.\n\n Since this is the first detection of this malware in the wild, it\u2019s not surprising that Babuk is not obsfuscated at all. Overall, it\u2019s a pretty standard ransomware that utilizes some of the new techniques we see such as multi-threading encryption as well as abusing the Windows Restart Manager similar to Conti and REvil.\n\n For encrypting scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and Elliptic-curve Diffie\u2013Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. Like many ransomware that came before, it also has the ability to spread its encryption through enumerating the available network resources.\n\n *Figure 1: RaidForum Babuk leak*\n\n ## IOCS\n\n Babuk Ransomwarecomes in the form of a 32-bit *.exe* file.\n\n **MD5**: e10713a4a5f635767dcd54d609bed977\n\n **SHA256**: 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9\n\n **Sample**: https://bazaar.abuse.ch/sample/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/\n\n *Figure 2: VirusTotal result*\n\n ## Ransom Note\n\n *Figure 3: Babuk\u2019s ransom note*\n\n *Figure 4: Babuk\u2019s Website*\n\n (Pretty unprofessional from the Babuk team since they did not remove the chat log between them and Sabelt)\n\n ## Code Analysis\n\n ### Command-line Arguments\n\n Babuk can work with or without command line paramters. 
If no parameter is given, it\u2019s restricted to only encrypting the local machines.\n\n *Figure 5: Argument parsing*\n\n If a parameter is given, it will process these arguments upon execution and behave accordingly.\n\n CMD Args Functionality -lanfirst Same as no parameter given, encrypting locally -lansecond Encrypting network shares after encrypting locally -nolan Same as no parameter given, encrypting locally ### Terminating Services\n\n Babuk\u2019s authors hard-coded a list of services to be closed before encryption.\n\n Before terminating a service, Babuk will calls **EnumDependentServicesA** to retrieve the name and status of each service that depends on that specified service.\n\n It will then call **ControlService** with the control code *SERVICE\\_CONTROL\\_STOP* to stop them before terminating the main service the same way.\n\n *Figure 6: Terminating serivces*\n\n Here is the list of services to be closed.\n\n vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup, YooIT, zhudongfangyu, sophos, stc\\_raw\\_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, veeam, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, AcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc, ### Terminating Running Processes\n\n The author also hard-coded a list of processes to be closed.\n\n Using calls to **CreateToolhelp32Snapshot**, **Process32FirstW**, and **Process32NextW** to examine all of the processes running on the system, Babuk can loop through and look for processes needed to be closed. 
Upon finding any, it will call **TerminateProcess** to terminate it.\n\n *Figure 7: Terminating processes*\n\n Here is the list of processes to be closed.\n\n sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, notepad.exe ### Deleting Shadow Copies\n\n Babuk attempts to delete shadow copies before and after encryption.\n\n First, it calls **Wow64DisableWow64FsRedirection** to disables file system redirection before calling **ShellExecuteW** to execute this command\n\n cmd.exe /c vssadmin.exe delete shadows /all /quiet\n\n After deleting the shadow copies, Babuk checks if the system is running under an 64-bit processor. If it is, then **Wow64RevertWow64FsRedirection** is called to enable file system redirection again.\n\n *Figure 8: Deleting Shadow Copies*\n\n ### Encryption\n\n ### Key Generation\n\n First, Babuk uses **RtlGenRandom** to generate 4 random buffers. Two of which are used as ChaCha8 keys, and the other two are used as ChaCha8 nonces.\n\n *Figure 9: Randomly generating ChaCha8 keys and nonce*\n\n Next, it will encrypt the second ChaCha8 key using the first key and nonce. 
After that, the first key is then encrypted using the encrypted second key and nonce.\n\n This encrypted first key is treated as the Elliptic-curve Diffie\u2013Hellman (ECDH) private key for the local machine.\n\n *Figure 10: Randomly generating ECDH private key*\n\n From here, Babuk generate a local ECDH public key from the private key using the code from this ECDH library.\n\n Then, it generates a shared secret using the local private key and the author\u2019s hard-coded public key.\n\n This shared secret goes thorugh a SHA256 hashing algorithm to generate 2 ChaCha8 keys, which are used to encrypt files later.\n\n In order to be able to decrypt files, Babuk stores the local public key in the file **ecdh\\_pub\\_k.bin** in the **APPDATA** folder.\n\n Because of ECDH\u2019s mechanism, the ransomware author can generate the shared secret using his own private key and the victim\u2019s public key to decrypt files. This makes it impossible for the victim to decrypt on their own unless they can capture the randomly-generated private key in the malware before it finishes encryting.\n\n *Figure 11: Generating ChaCha8 keys from ECDH shared secret*\n\n ### Multithreading\n\n From a programmer\u2019s point of view, Babuk\u2019s approach to multithreading is pretty mediocre.\n\n First, it determines the number of threads to spawn by doubling the number of cores on the victim\u2019s machine and allocates an array to store all of the thread handles.\n\n *Figure 12: Thread initialization*\n\n The first problem with this approach has to do with thread\u2019s concurrency in an OS. A huge amount of threads can potentially be created for each process. 
However, in an ideal situation, it\u2019s better to have one thread running per processor to avoid having threads competing with each other for the processor\u2019s time and resource during encryption.\n\n However, that, by itself, is not that big of a problem if the author implemented a queue-like structure to process encrypting requests to utilize 100% of the victim processing power. Unfortunately, they decided to only spawn one encrypting thread per existing drive.\n\n *Figure 13: Launching encrypting threads*\n\n In the case where the number of drives is less than the number of processors (which is highly likely), Babuk won\u2019t spawn as many threads as possible to encrypt.\n\n Since each thread is responsible for an entire drive, this forces it to use the traditional recursive approach to traverse through its own folders, which results in a longer encryption time due to the huge workload.\n\n The workload for each thread varies based on the size of the drive it\u2019s encrypting, so the average encrypting time will just be approximately near the time it takes for one thread to encrypt the largest drive. This is inefficient and really defeats the purpose of using multithreading to encrypt drives.\n\n ### Folder Traversing\n\n As discussed above, Babuk uses a recursion method to traverse and encrypt files. Using **FindFirstFileW** and **FindNextFileW** calls, it goes through each directory to look for files and sub-directories.\n\n When encountering a directory, it recursively calls the **main\\_encrypt** function again. 
However, Babuk only goes down 16 directory layers deep, so it potentially does not encrypt every single folders in the drive to save time.\n\n When encountering a file, it will check if the file name is **How To Restore Your Files.txt** or if the file extension is **.\\_\\_NIST\\_K571\\_\\_** to avoid encrypting the ransom note or encrypted files.\n\n *Figure 14: Traversing through folders*\n\n ### Kill File Owner\n\n Similar to Conti or REvil ransomware, Babuk utilizes the Windows Restart Manager to terminate any process that is using files. This ensures that nothing prevents it from opening and encrypting the files.\n\n This is accomplished through the calls **RmStartSession**, **RmRegisterResources**, and **RmGetList** to get a list of processes that are using the a specified file. If the process is not **explorer.exe** or a critical process, then Babuk will call **TerminateProcess** to kill it.\n\n *Figure 15: Killing processes that are using files*\n\n ### File Encryption\n\n Babuk\u2019s file encryption is divided into 2 different types - small file encryption and large file encryption.\n\n For small files that are les than 41943040 bytes or roughly 41 MB in size, the file is mapped entirely and encrypted with ChaCha8 two times.\n\n *Figure 16: Small file encryption*\n\n With large files, encryption is a bit different. 
To save time, the entire file is divided into three equally-large regions.\n\n For each of these regions, only the first 10485760 bytes or 10 MB will be encrypted.\n\n *Figure 17: Large file encryption*\n\n For encryption, Babuk uses the two ChaCha8 keys generated from the ECDH shared secret\u2019s SHA256 hash as the encrypting keys and the first 12 bytes of the shared secret as nonce.\n\n ### Remote File Encryption\n\n To encrypt the remote drives from the victim machine, Babuk calls **WNetGetConnectionW** to retrieves the name of the network resources associated with those drives and pass them to the encrypting thread.\n\n *Figure 18: Encrypting remote drives*\n\n It also encrypts network shares on the machine\u2019s LAN given the correct parameter.\n\n Babuk calls **WNetOpenEnumW** and **WNetOpenEnumW** to traverse through remote folders on the network and encrypts file using the similar recursive method mentioned above.\n\n *Figure 19: LAN Encryption*\n\n ## Key Findings\n\n Babuk is a new ransomware that started at the beginning of this year. Despite the amateur coding practices used, its strong encryption scheme that utilizes Elliptic-curve Diffie\u2013Hellman algorithm has proven effective in attacking a lot of companies so far.\n\n Because the malware authors are using one private key for each Babuk sample, it\u2019s clear that their main target is large corporations instead of normal computer users. 
So far, according to the website embedded in the ransom note as well as the leaks on **Raidforums**, they have sucessfully compromised Sabelt, BOCA group, Spiratex, and Mecol.\n\n ## YARA Rule\n\n rule BabukSabelt { meta: description = \"YARA rule for Babuk Ransomware\" reference = \"http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/\" author = \"@cPeterr\" date = \"2021-01-03\" rule\\_version = \"v1\" malware\\_type = \"ransomware\" tlp = \"white\" strings: $lanstr1 = \"-lanfirst\" $lanstr2 = \"-lansecond\" $lanstr3 = \"-nolan\" $str1 = \"BABUK LOCKER\" $str2 = \".\\_\\_NIST\\_K571\\_\\_\" wide $str3 = \"How To Restore Your Files.txt\" wide $str4 = \"ecdh\\_pub\\_k.bin\" wide condition: all of ($str*) and all of ($lanstr*) } ## References\n\n https://twitter.com/Arkbird\\_SOLG/status/1345569395725242373\n\n Twitter twitter Facebook facebook Email email Overwrite this file with code you want before the closing body tag",
"id": "33",
"event_id": "81812",
"timestamp": "1609871056",
"uuid": "d5630604-8946-48dc-97f7-8e43cae52442",
"deleted": false
}
]
}
}