General

  • Target

    2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer

  • Size

    79KB

  • Sample

    240904-aymwaa1ekn

  • MD5

    535d7581519e1a575b54ed9b10a22f9e

  • SHA1

    9d6092b82c80880dabe6e01608a68b655aef3ce5

  • SHA256

    ab5f9ab8a8072142d4b6ffcfdf50442cc729f67ce327b6afc73d7dbc51c49520

  • SHA512

    5672a1d5395158ba0d2032688e4bb571ac0d7c53bbb462891f807df430478b7412fe7e980c26020b2642caf490a34a4430012a6d03bd4c849e44298f9760666b

  • SSDEEP

    1536:PJkWBeGovEb+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2vsf:DBeJs+srQLOJgY8Zp8LHD4XWaNH71dLE

Targets

    • Babuk Locker

      RaaS first seen in 2021, initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (192) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
