misp-circl-feed/feeds/circl/misp/86836f20-44df-443f-9ee4-6fcf0e554883.json

{
  "Event": {
    "analysis": "0",
    "date": "2021-01-05",
    "extends_uuid": "",
    "info": "OSINT - Babuk Ransomware",
    "publish_timestamp": "1609871090",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1609871056",
    "uuid": "86836f20-44df-443f-9ee4-6fcf0e554883",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "name": "misp-galaxy:ransomware=\"Babuk Ranomsware\""
      },
      {
        "colour": "#004646",
        "name": "type:OSINT"
      },
      {
        "colour": "#0071c3",
        "name": "osint:lifetime=\"perpetual\""
      },
      {
        "colour": "#0087e8",
        "name": "osint:certainty=\"50\""
      },
      {
        "colour": "#ffffff",
        "name": "tlp:white"
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1609870799",
        "to_ids": false,
        "type": "link",
        "uuid": "ebd69067-3b22-492a-a8be-dbd69e6e697b",
        "value": "http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/"
      },
      {
        "category": "Payload delivery",
        "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1609870833",
        "to_ids": true,
        "type": "md5",
        "uuid": "f189012c-b250-4f62-9a12-abfaaba0d75f",
        "value": "e10713a4a5f635767dcd54d609bed977"
      },
      {
        "category": "Payload delivery",
        "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1609870833",
        "to_ids": true,
        "type": "sha256",
        "uuid": "e5366890-5bac-4795-9c46-c29adbe4f0d9",
        "value": "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1609870953",
        "to_ids": false,
        "type": "link",
        "uuid": "7c2d2d04-2acc-4baf-a283-b9eb9a0760ca",
        "value": "https://bazaar.abuse.ch/sample/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1609870999",
        "to_ids": true,
        "type": "yara",
        "uuid": "2d93f1e4-e6a2-462f-9d98-1b580e925a53",
        "value": "rule BabukSabelt {\r\n\tmeta:\r\n\t  \tdescription = \"YARA rule for Babuk Ransomware\"\r\n\t\treference = \"http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/\"\r\n\t\tauthor = \"@cPeterr\"\r\n\t\tdate = \"2021-01-03\"\r\n\t\trule_version = \"v1\"\r\n\t\tmalware_type = \"ransomware\"\r\n\t\ttlp = \"white\"\r\n\tstrings:\r\n\t\t$lanstr1 = \"-lanfirst\"\r\n\t\t$lanstr2 = \"-lansecond\"\r\n\t\t$lanstr3 = \"-nolan\"\r\n\t\t$str1 = \"BABUK LOCKER\"\r\n\t\t$str2 = \".__NIST_K571__\" wide\r\n\t\t$str3 = \"How To Restore Your Files.txt\" wide\r\n\t\t$str4 = \"ecdh_pub_k.bin\" wide\r\n\tcondition:\r\n\t\tall of ($str*) and all of ($lanstr*)\r\n}"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1609871033",
        "to_ids": false,
        "type": "link",
        "uuid": "e19fda56-fa9a-4e68-a836-a288a4e1cfa1",
        "value": "https://twitter.com/Arkbird_SOLG/status/1345569395725242373"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "22",
        "timestamp": "1609870852",
        "uuid": "028f19e2-8c42-4488-94ea-9f445ea27a8c",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "028f19e2-8c42-4488-94ea-9f445ea27a8c",
            "referenced_uuid": "878b0966-2524-4cde-8fe6-d938d33b0659",
            "relationship_type": "analysed-with",
            "timestamp": "0",
            "uuid": "4abe37f7-f5d3-4357-8393-01e0b9f505e6"
          }
        ],
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1609870833",
            "to_ids": true,
            "type": "md5",
            "uuid": "69f13bd6-4c9e-4608-b459-aca722d7ccf9",
            "value": "e10713a4a5f635767dcd54d609bed977"
          },
          {
            "category": "Payload delivery",
            "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1609870833",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5e7ae909-5b82-4a01-adff-e0a710e374e4",
            "value": "320d799beef673a98481757b2ff7e3463ce67916"
          },
          {
            "category": "Payload delivery",
            "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1609870833",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fbbd78cc-62b8-4760-b91d-3cfe01915fbe",
            "value": "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "3",
        "timestamp": "1609870852",
        "uuid": "878b0966-2524-4cde-8fe6-d938d33b0659",
        "Attribute": [
          {
            "category": "Other",
            "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1609870833",
            "to_ids": false,
            "type": "datetime",
            "uuid": "73073b9a-3a5c-467a-9b50-9e36d22e0af8",
            "value": "2021-01-05T08:13:52+00:00"
          },
          {
            "category": "Payload delivery",
            "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1609870833",
            "to_ids": false,
            "type": "link",
            "uuid": "bf5076a9-f57f-4626-b1ee-a03c950cb65a",
            "value": "https://www.virustotal.com/gui/file/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/detection/f-8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9-1609834432"
          },
          {
            "category": "Payload delivery",
            "comment": "Babuk Ransomwarecomes in the form of a 32-bit .exe file.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1609870833",
            "to_ids": false,
            "type": "text",
            "uuid": "5fb73878-5607-4271-9126-c04868b5364f",
            "value": "48/70"
          }
        ]
      }
    ]
  }
}