General
Target: BABUK.exe
Size: 38KB
Sample: 210122-dcvdsabdme
MD5: be76ed428523b9aefe706aeaa72bb6b2
SHA1: b040f2bdee3999aad415396f9f79e43b2aa9452b
SHA256: afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430
SHA512: d08870197e1234a8e7115fc8bc0a868841054a0f6d3153a9ad77dad1bb077da3c2af3bdeebf53c6304943a3169ef5ae4fde16ce0e45a421e9afc2b4041a07c5b
Static task: static1
Behavioral task: behavioral1 (Sample: BABUK.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: BABUK.exe, Resource: win10v20201028)
Malware Config
Extracted: C:\MSOCache\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Targets
Target: BABUK.exe
Size: 38KB
MD5: be76ed428523b9aefe706aeaa72bb6b2
SHA1: b040f2bdee3999aad415396f9f79e43b2aa9452b
SHA256: afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430
SHA512: d08870197e1234a8e7115fc8bc0a868841054a0f6d3153a9ad77dad1bb077da3c2af3bdeebf53c6304943a3169ef5ae4fde16ce0e45a421e9afc2b4041a07c5b
Score: 10/10
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Enumerates physical storage devices: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.