babuk | cc65535243dfd3cd54a9c5ecfcb93c7f918a87c725e9c52925017ab92effe278

Resubmissions

05-02-2025 08:57

250205-kwyvwayrgv 10

13-07-2024 09:29

240713-lf7nhsvgrp 10

Sharing

Copy URL

Twitter E-mail

General

Target

002.7z
Size

11.2MB
Sample

250205-kwyvwayrgv
MD5

82180da2d9ecde4947a618ff1a37fdad
SHA1

ae327ea9229498e86afb337b87cf6d6f4caaa309
SHA256

cc65535243dfd3cd54a9c5ecfcb93c7f918a87c725e9c52925017ab92effe278
SHA512

606ddfb833eb38952403ae10e9eec694d45e3fb2df326d5825f93257d605552868343e80fd6e3a497d690dabe8ed1493b60843118f1aa5412be8cc55a66335a3
SSDEEP

196608:nYcNyJpHBLBc6gKWYZzbK26sqaddXpgPxydfcNQChzHayMxpJ51LipiFe5TZD0B:n5yJ1pB+KWYtbK26sq25GyxcR6yMt51L

Malware Config

Extracted

Path

C:\Recovery\How To Restore Your Files.txt

Family

darkside

Ransom Note

----------- [ Hello! ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. How to contact us? ---------------------------------------------- Using EMAIL: 1) Open your mail 2) Write us: [email protected] backup address: [email protected] [email protected] TO SEND TO THE EMAIL ONLY PERSONAL ID!!! YOUR PERSONAL ID, ATTACH IT: beRv79st1xwM9NTHA1NluiebVXTdr4FS0eRnD5W9wMjAqbKQctyvdxbYuZ8e !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

Emails

[email protected]

Targets

- Target
  
  002.7z
- Size
  
  11.2MB
- MD5
  
  82180da2d9ecde4947a618ff1a37fdad
- SHA1
  
  ae327ea9229498e86afb337b87cf6d6f4caaa309
- SHA256
  
  cc65535243dfd3cd54a9c5ecfcb93c7f918a87c725e9c52925017ab92effe278
- SHA512
  
  606ddfb833eb38952403ae10e9eec694d45e3fb2df326d5825f93257d605552868343e80fd6e3a497d690dabe8ed1493b60843118f1aa5412be8cc55a66335a3
- SSDEEP
  
  196608:nYcNyJpHBLBc6gKWYZzbK26sqaddXpgPxydfcNQChzHayMxpJ51LipiFe5TZD0B:n5yJ1pB+KWYtbK26sq25GyxcR6yMt51L
Score

1^/10
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9
- Target
  
  01aabfaa4177d8d4953a65e8c0d92df98d5eb9a3b8d557a369301660a252f550.exe
- Size
  
  155KB
- MD5
  
  7e3b2b10d66955465c12da9f2ab43e36
- SHA1
  
  2ee3d7ce4ec3461026e910fdfcf9d18dd43eb380
- SHA256
  
  01aabfaa4177d8d4953a65e8c0d92df98d5eb9a3b8d557a369301660a252f550
- SHA512
  
  ce37aff2e2aba9d6434454e17bafeebc47e9d86a716fcd9732bc03bf6484c4b6428d43322279b9273c3e5386ce924853d3aebf90178b2fa5009d63e1defd47a0
- SSDEEP
  
  3072:l5K/B0toLuSNJilZHQsozTS+SMqqDL2/TrKLOG:lcytw7a1yTS+xqqDL6HKL
Score

3^/10

discovery
behavioral10 behavioral11 behavioral12 behavioral13 behavioral14 behavioral15 behavioral16 behavioral17 behavioral18
- Target
  
  01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe
- Size
  
  79KB
- MD5
  
  f9afb31bc17811e5ab4fa406f105b1fe
- SHA1
  
  d1a9449dcc8a3aa0c887bce71f128866175f679a
- SHA256
  
  01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f
- SHA512
  
  6feca3dfa221b704208754e67bcdce02a2253961da098b3e376d11217cd00b9f77e42f37f242e1a1f4b759b5fd172c29c9f153fce32eace48e07e802aff40b55
- SSDEEP
  
  1536:SX6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:uhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI
Score

10^/10

discovery babuk darkside defense_evasion execution impact ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Babuk family
  babuk
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Darkside family
  darkside
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (190) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral19 behavioral20 behavioral21 behavioral22 behavioral23 behavioral24 behavioral25 behavioral26 behavioral27
- Target
  
  02f5c32fa22fdc43924718b66ff5aec3115f5d0e1d7bb873b1cd2440eee016d6.exe
- Size
  
  70KB
- MD5
  
  58d6eab3aafd9139a2f1c7606ecd4cef
- SHA1
  
  4152a7431b3d5dd8b0f6ad08148cb166315f41e9
- SHA256
  
  02f5c32fa22fdc43924718b66ff5aec3115f5d0e1d7bb873b1cd2440eee016d6
- SHA512
  
  ae92012d8401c886cb898ac0134db1567aaefb467d04d7afdb4e3e6b390b929dc353467d55b8cce5f3c74c942ac79ce565c172e296468ac44b3d8bd730a52c49
- SSDEEP
  
  1536:ZZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:wd5BJHMqqDL2/Ovvdr
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral28 behavioral29 behavioral30 behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Babuk Locker

Babuk family

DarkSide

Darkside family

Deletes shadow copies

Renames multiple (190) files with added filename extension

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Enumerates connected drives

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32