General

  • Target

    1f2edda243404918b78aa6123aa1fc5b18dd9506e4042c7a1547b565334527e1.zip

  • Size

    29KB

  • Sample

    210511-s2jr426evn

  • MD5

    a51961badad00c66fddf3a72f85327d6

  • SHA1

    18c6e911ade4d82fda26af54c183129421c919e0

  • SHA256

    5ea6a1afc900ff3765b3838827e024e324e5180a7674fd1bf59c02425db1a745

  • SHA512

    240b8eb9d5494dde0e4e284a781246bebd10a87eb18c6de4c8e0338193650d1acc83590b7c7a41c8090759e80f4407eca09b1a2f586d22e1e7af94a75e6f4b88

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
############## [ babuk ransomware greetings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Data leakage ---------------------------------------------- We have copied some quantity of data from your servers. Check those proofs and estimate the seriousness of consequences which can occur in case you ignore us: (no blog url) This link is private and only you can see it. Use tor browser to open link. Ignoring the interaction with us brings you the publishing your data in our public blog http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/ Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://os3xs2l3ftdqeuhxyuo4e6ymxvknp3gx6abordkcjde4coe37k66xyid.onion/4ee7ff7421bcb2ab35c523623ce11174c037e7db0562578b8a245630fc16a047 * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let’s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news “OMG ANOTHER RANSOMWARE NOW IT’S “Your company name LLC!!!!! We are all gonna die aaaaaa halp” 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorthm and you can harm your files by using 3rd party decryption software.
URLs

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/

http://os3xs2l3ftdqeuhxyuo4e6ymxvknp3gx6abordkcjde4coe37k66xyid.onion/4ee7ff7421bcb2ab35c523623ce11174c037e7db0562578b8a245630fc16a047

Targets

    • Target

      1f2edda243404918b78aa6123aa1fc5b18dd9506e4042c7a1547b565334527e1.exe

    • Size

      79KB

    • MD5

      f0d4c7d334633a72a3c7bd722e12c378

    • SHA1

      5240f71f60c473b5f9ba100d2ce1d6effdbc08c1

    • SHA256

      1f2edda243404918b78aa6123aa1fc5b18dd9506e4042c7a1547b565334527e1

    • SHA512

      780809b5b877b3d693179d7635dadd80b0aa5e2943761b7623d0d923a34979cad363f4b5c2fcca22105a48c4dc34a71af5624cc28aaf0d086559aa206d9e315c

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks