{
	"id": "871be5ad-e9c7-4018-939e-e0beee3dc66a",
	"created_at": "2026-04-29T08:21:22.936176Z",
	"updated_at": "2026-04-29T10:42:22.354567Z",
	"deleted_at": null,
	"sha1_hash": "51453f77006d96a81409c3d132e7bd947318ade9",
	"title": "Babuk is distributed packed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2265619,
	"plain_text": "Babuk is distributed packed\r\nBy Sebdraven\r\nPublished: 2021-02-08 · Archived: 2026-04-29 07:25:38 UTC\r\nA new Babuk ransomware sample was uploaded to VirusTotal:\r\nbc4066c3b8d2bb4af593ced9905d1c9c78fff5b10ab8dbed7f45da913fb2d748\r\nThis version is packed with the same techniques as GandCrab, described here: Threat Profile: GandCrab Ransomware (morphisec.com)\r\nPacker\r\nThe first stage is a first shellcode loaded with GlobalAlloc and VirtualProtect in function 0042df00.\r\nhttps://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62\r\nPage 1 of 6\r\nThis shellcode creates a second shellcode after a VirtualAlloc and a VirtualProtect that changes the rights of the memory page.\r\nThe second shellcode decodes the Babuk malware in memory and executes it, using a VirtualAlloc in a first memory page.\r\nThe shellcode then deletes the packed malware and copies Babuk to the same place.\r\nThe shellcode then deletes the first unpacked malware.\r\nThe shellcode fixes the imports before jumping into the Babuk malware.\r\nBabuk analysis\r\nThis version of Babuk is v4: it uses the mutex “DoYouWantToHaveSexWithCoungDong”, ChaCha20 for the symmetric encryption and Curve25519 for the key exchange, with the correct base point for the elliptic curve. The crypto of Babuk is explained here: Babuk Ransomware v3 | Chuong Dong\r\nThe Curve25519 function is FUN_004035b0(local_1b04,(int)local_28,\u0026DAT_00401784);\r\nand the ChaCha encryption is FUN_00402fa0((int)local_48,0x14,(int)\u0026DAT_00401778,(int)lpBuffer,(int)lpBuffer,local_1aa8)\r\nThe files are encrypted in the function FUN_00408060.\r\nThe ransom note is:\r\n############## [ babyk ransomware ] ##############\r\n* What happened?\r\n— — — — — — — — — — — — — — — — — — — — — — —\r\nYour computers and servers are encrypted, backups are deleted from your network and copied.\r\nWe use strong encryption algorithms, so you cannot decrypt your data without us.\r\nBut you can restore everything by purchasing a special program from us — a universal decoder.\r\nThis program will restore your entire network. Follow our instructions below and you will recover all your data.\r\nIf you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.\r\n* What guarantees?\r\n— — — — — — — — — — — — — — — — — — — — — — —\r\nWe value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.\r\nAll our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.\r\nWe guarantee to decrypt one file for free. Go to the site and contact us.\r\n* What information compromised?\r\n— — — — — — — — — — — — — — — — — — — — — — —\r\nWe copied many data from your internal network,\r\nhere are some proofs (private link): http://gtmx56k4hutn3ikv.onion/?JJ2Sdd8mtObS8tBQv5mM\r\nFor additional confirmations, please chat with us.\r\nIn cases of ignoring us, the information will be released to the public in blog\r\nhttp://gtmx56k4hutn3ikv.onion/\r\n* How to contact us?\r\n— — — — — — — — — — — — — — — — — — — — — — —\r\n1) Download for browser: https://www.torproject.org/download/\r\n2) Open it\r\n3) Follow this link in tor browser: http://babukq4e2p4wu4iq.onion/login.php?id=UDFfRZirMNY2ENxMGJ9xczl3CTcie3\r\nConclusion\r\nIt seems that Babuk is distributed packed. The packer has many similarities with the GandCrab packer. This packer is probably available for download on malware developer forums.\r\nThanks to Valery Marchive (@ValeryMarchive) / Twitter for the sample!\r\nSource: https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62"
	],
	"report_names": [
		"babuk-is-distributed-packed-78e2f5dd2e62"
	],
	"threat_actors": [],
	"ts_created_at": 1777450882,
	"ts_updated_at": 1777459342,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51453f77006d96a81409c3d132e7bd947318ade9.pdf",
		"text": "https://archive.orkl.eu/51453f77006d96a81409c3d132e7bd947318ade9.txt",
		"img": "https://archive.orkl.eu/51453f77006d96a81409c3d132e7bd947318ade9.jpg"
	}
}