Overview

overview

10

Static

static

3

4e7f6c2b49...JC.exe

windows7-x64

10

4e7f6c2b49...JC.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4e7f6c2b49e0754a98832560bbba9cd9_babuk_destroyer_JC.exe

  • Size

    79KB

  • Sample

    230820-l12b8sed53

  • MD5

    4e7f6c2b49e0754a98832560bbba9cd9

  • SHA1

    47083e35d2abc557e5d95717df7dd022698ecc5a

  • SHA256

    92b26a77b619f66aefcf2aab33152ff0dd826252283025fd25eec9ac936306bf

  • SHA512

    db9f9ab8cdba03eabd5ed723d2415772bc8c48813b98bfcd3e9c9ef2137e3f4ff2de2ecc99b46281acc62923af2fbad15ef3989c23d558b1e893bc3227260af3

  • SSDEEP

    1536:9k6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:QhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\PerfLogs\Admin\How To Restore Your Files.txt

Ransom Note
ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED! WARNINGS: • ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT AND MAKE RECOVERY IMPOSSIBLE. • DO NOT MODIFY ENCRYPTED FILES. • DO NOT RENAME ENCRYPTED FILES (Including the file extension!). • No software available on internet can help you. We are the only ones able to solve your problem. IMPORTANT: • We gathered highly confidential/personal data. This data is currently stored on a private server. This data will be immediately removed after your payment. If you decide to not pay, we will release your data to public or re-seller. • We only want money and our goal is not to damage your reputation or prevent your business from running. • You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. • Our promises are guaranteed. Faliure to comply with our agreement such as leaking data, not recovering data, or selling data/access from victims who have paid will result in loss of reputation. This will cause less victims to pay the ransom fee meaning we lose money. Because of this we have no incentive to scam you and will only lose money by doing so. Contact us for price and get decryption software. [email protected] YOUR TIME IS LIMITED: • IF YOU DON'T CONTACT US WITHIN 48 HOURS, PRICE WILL BE HIGHER. • IF YOU DON'T CONTACT US WITHIN 72 HOURS, DATA WILL BE LEAKED AND KEY WILL BE DELETED. Many Thanks, Support is Waiting ;)

Targets

    • Target

      4e7f6c2b49e0754a98832560bbba9cd9_babuk_destroyer_JC.exe

    • Size

      79KB

    • MD5

      4e7f6c2b49e0754a98832560bbba9cd9

    • SHA1

      47083e35d2abc557e5d95717df7dd022698ecc5a

    • SHA256

      92b26a77b619f66aefcf2aab33152ff0dd826252283025fd25eec9ac936306bf

    • SHA512

      db9f9ab8cdba03eabd5ed723d2415772bc8c48813b98bfcd3e9c9ef2137e3f4ff2de2ecc99b46281acc62923af2fbad15ef3989c23d558b1e893bc3227260af3

    • SSDEEP

      1536:9k6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:QhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (185) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Renames multiple (205) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks