General

  • Target

    RNSM00424.7z

  • Size

    49.1MB

  • Sample

    241027-tfydvaxkcs

  • MD5

    336f8ae05e74a7e35bad8814d1c68b9c

  • SHA1

    582c5d7c2fb98d8dd2035a25971f2b45ecfb269a

  • SHA256

    9b85a4cc99fb037c9f4033d54fc9f857cc5a89a3da48b3deaf0697c02873b8f5

  • SHA512

    b5e7591c8a005c3e80e4b1a3157ebb707be3dfca023bb9b063d395fa7536345616fae2868ce837420c71fdf44145a03627c18f24b4a9ad40959cd6b6e8a7a202

  • SSDEEP

    786432:YGuBiJAIDNGSOYHmWR1ZcbH4cflRHRju4boIidRxVIm3TcxcAJncrA1sai7XzKZW:YGdJAr/WR1ZasxHxumDcGSc03mXWZXxw

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    User

  • C2

    frankrat.no-ip.org:1604

  • Mutex

    3J717VQ3Q355I6

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    frank123

Extracted

  • Path

    F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\DKHMRCDXTJ-MANUAL.txt

  • Family

    gandcrab

  • Ransom Note

    ---= GANDCRAB V5.2 =---
    ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
    *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
    Attention!
    All your files, documents, photos, databases and other important files are encrypted and have the extension: .DKHMRCDXTJ
    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
    The server with your key is in a closed network TOR. You can get there by the following ways:
    ----------------------------------------------------------------------------------------
    | 0. Download Tor browser - https://www.torproject.org/
    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/11584738b93043c2
    | 4. Follow the instructions on this page
    ----------------------------------------------------------------------------------------
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
    ATTENTION!
    IN ORDER TO PREVENT DATA DAMAGE:
    * DO NOT MODIFY ENCRYPTED FILES
    * DO NOT CHANGE DATA BELOW
    ---BEGIN GANDCRAB KEY---
    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
    ---END GANDCRAB KEY---
    ---BEGIN PC DATA---
    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
    ---END PC DATA---

  • URLs

    http://gandcrabmfe6mnef.onion/11584738b93043c2

Extracted

  • Path

    C:\Recovery\WindowsRE\How To Restore Your Files.txt

  • Ransom Note

    ############## [ babyk ransomware ] ##############
    * What happend?
    ----------------------------------------------
    Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data without us.
    But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network.
    Follow our instructions below and you will recover all your data.
    If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.
    * What guarantees?
    ----------------------------------------------
    We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
    All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
    We guarantee to decrypt one file for free. Go to the site and contact us.
    * What information compromised?
    ----------------------------------------------
    We copied many data from your internal network, here are some proofs (private link):
    http://gtmx56k4hutn3ikv.onion/blog/ff6b763849c49971c7ef8508064a3d8681529c7f45e532ff9e3d9ec13165263b/
    For additional confirmations, please chat with us/
    In cases of ignoring us, the information will be released to the public in blog http://gtmx56k4hutn3ikv.onion/
    * How to contact us?
    ----------------------------------------------
    1) Download for browser: https://www.torproject.org/download/
    2) Open it
    3) Follow this link in tor browser: http://babukq4e2p4wu4iq.onion/login.php?id=l6Kr29xLbfnq1f0jzES55LLmmrZPd8

  • URLs

    http://gtmx56k4hutn3ikv.onion/blog/ff6b763849c49971c7ef8508064a3d8681529c7f45e532ff9e3d9ec13165263b/

    http://gtmx56k4hutn3ikv.onion/

    http://babukq4e2p4wu4iq.onion/login.php?id=l6Kr29xLbfnq1f0jzES55LLmmrZPd8

Extracted

  • Path

    C:\HOW-TO-DECRYPT-jjj9b.txt

  • Ransom Note

    [+] What happened? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.jjj9b
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
    [+] How to get access on website? [+]
    Using a TOR browser!
    - Download and install TOR browser from this site: hxxps://torproject.org/
    - Open our website: http://o76s3m7l5ogig4u5.onion
    - Follow the on-screen instructions
    Extension name: *.jjj9b
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere.
    !!! !!! !!!

  • URLs

    http://o76s3m7l5ogig4u5.onion

Targets

    • Babuk Locker

      RaaS first seen in 2021, initially called Vasa Locker.

    • Babuk family

    • Clop family

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modiloader family

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • Neshta family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is ransomware spread via malspam.

    • UAC bypass

    • clop

      Ransomware discovered in early 2019 and actively developed since its release.

    • CryptOne packer

      Detects the CryptOne packer as described in the NCC blog post.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ModiLoader Second Stage

    • Renames multiple (195) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
