### 1.

# BabuK

## A malware report


-----

### Contents 

1. Introduction _________________________________________________________________ 2

2. Initial Access _________________________________________________________________ 3

3. Malware features _____________________________________________________________ 3

4. Babuk ______________________________________________________________________ 5

4.1. Preparation ___________________________________________________________________ 6

4.2. Check services, processes and erase ShadowCopies ___________________________________ 7

4.3. Thread creation and path checks _________________________________________________ 12

4.4. Encryption and exclusion list _____________________________________________________ 16

4.5. Txt rescue file ________________________________________________________________ 22

5. Excluded Processes, services and folders/files _____________________________________ 25

6. IOC _______________________________________________________________________ 26

#### 1


-----

### 1. Introduction

One of the biggest current threats in terms of cybersecurity and the one that most concerns
companies today is the Ransomware attack, its power be on encrypting as much as posible,
regarding some exclusions and try to expand into a company to do as much damage as
possible and request a ransom based on extortion. Babuk a ransomware with a short lifespan,
is the first one in 2021.

Distinguished by a little perfected behaviour, it has already appeared in some companies,
requesting for ransoms, like all the previous Ransomwares.

An example of this is the attack to Serco and PhoneHouse, in which, after cypher computers,
they requested near 100.000$ through Bitcoin, the extorsión tryies to publicy sensitive and
privacy content about clients, something that would cause any company to lose customers.

As well other Malwares of this family, it belongs to RaaS (Ransomware as a service) group,
which is characterized by continuously being updated for sale, so it Will be easy to find
different types of Babuk, and also be more difficult to be stopped because of its constant
evolution.

#### 2


-----

### 2. Initial Access

The ways in which the babuk ransomware appears is diverse, we can found from phishing
attacks, through other files that launch a _.bat_ or Powershell that downloads the Malware.
Like al lof these families, its objective will be to affect the largest number of computers, so it
is common to be launched after gaining access to any computer in a company, making lateral
movements to gain acces to a domain controler (DC), Babuk has the ability to move through
the network drives and spreads easily through it.

### 3. Malware features

This Babuk Ransomware is not launched by any loader, moreover, as mentioned above, it
is a very poorly maintained malware with serious performance problems, such as slowness
in its execution. This time, it does not exploit any 0-day and is characterized by the use of
several threads to perform the encryption, something that we can see in previous
Ransomwares.

The general features of this Babuk are as follows:

**Babuk Information**
**MD5** A73D9DC904349B9C967DC6A724806B2D
**FileType** PE, 32B
**Size** 75 KB
**Compiler** MS Visual C++
**Packer** None

#### 3

|Babuk Information|Col2|
|---|---|
|MD5|A73D9DC904349B9C967DC6A724806B2D|
|FileType|PE, 32B|
|Size|75 KB|
|Compiler|MS Visual C++|
|Packer|None|


-----

This sample can be found since 12/03/2021 in VirusTotal (VT) with a large number of
detections by the engines, in most cases marked as Ransomware, but due to its short lifetime,
few detect it as Babuk.

#### 4


-----

### 4. Babuk

The Ransomware, is divided into different parts and the report will be built, respecting the
order in which it is executed, so a summary of the general characteristics of how the Babuk
works, is as follows:

  - It will start by obtaining the key context, checking if a Mutex exists or creating one if it

does not, and will increase the process completion time of the computer shutdown
process.

  - Later, Will check services and processes comprobará Servicios y procesos (And

terminate those on its exclusion list) and deleting ShadowCopies.

  - After that, it will create several Threads (which it will use to traverse and encrypt later)

it will check shared folders, network and disks to know what it can and cannot encrypt
(managing exclusion lists too)

  - Finally, it will encrypt everything it wants and/or can access and will create the ransom

file in each of the encrypted folders.

#### 5


-----

### 4.1. Preparation

First it obtains the handle of a key referenced to a CSP, this is very common when using
encryption keys since the CSP contains the characteristics, as we can see, it checks if it
has it

Later, we get the commandline and open a Mutex "DoYouWantToHaveSexWithCuongDong"
that will serve as IOC, it uses it for the most common use of the Mutex, to avoid reinfection,
so if we have any mutant with that name it will come out, otherwise it will create it.

#### 6


-----

In our case, we can see that we don't have any Mutex with that name, so it will create it.

After that, we can see how it will call SetProcessShutdownParameters in order to stay as
long as possible running in the process.

### 4.2. Check services, processes and erase ShadowCopies

Subsequently, we arrive at three interesting functions, in which it checks services, processes
and deletes Shadows and backups (usual in Ransomwares).

At the first one, __CheckServices, we see that it will try to access the service manager_
(OpenSCManagerA) and if the service matches an internal list it has, it will close it.

#### 7


-----

We can see, as he goes through his list, listing each of them and constantly consulting,
among them we have interesting services such as backups, anyone who has any service
related to Sophos or Broadcom's _DefWatch, so this can serve from preventing copies are_
launched to be blocked

#### 8


-----

At the following function, we found something usual on Ransomwares, search of processes,
usually it seeks to inject the Malware or perform some malicious action with a process, but
in this case the logic is the same as with the services, control the running processes to shut
them down if they match with its internal list

As we can see, it will make a snapshot (CreateToolHelp32Snapshot) and will go through the
processes with _Process32First and_ _Process32Next, if it matches its blacklist, it will close_
them.

What it will do is to see which process is running, this type of Malwares always try to avoid
affecting the operation of processes such, for example, smss.exe or csrss.exe, but, in this
case, we can see how it checks the entire blacklist of processes in each of the processes
that are running, so it checks each of the parent and child processes to try to shut down any
that match any of its internal list.

#### 9


-----

First of all, it takes a process and and then it goes through all its internal list to see if it
matches with any, when it has finished with the first process it will do the Process32Next and
go to the next process and so on, this is not strange, as it will try to avoid certain processes,
as we can see it will compare it to another list.

This list system can be seen in other Ransomwares with an Rsrc that contains a file as a
json with all the information or directly check in memory as in this case.

The following function takes care of one of the most common tasks of this type of malware,
which is the deletion of ShadowCopies and backup copies in general.

At _DeleteShadows, we first found techniques to detect which type of system we are using
(32B or 64B) by using the _IsWow64Process when taking a_ _Handle from a process and_
checking in a Boolean way if it returns a 0 or 1 to determine the type of O.S.

#### 10


-----

Also use _Wow64DisableWow64FsRedirection in_ _GetProcAddress to avoid the usual_
redirection to syswow64 and get access to system32.

It will remove the shadows, a common technique used by Ransomwares using ShellExecute,
which will prevent us from recovering previous versions of the O.S, and will make it
impossible to recover our files that will later be encrypted.

#### 11


-----

Once the shadowcopies have been deleted, it creates semaphore, which will manage the
threads and deletes all content of the recycle bin.

### 4.3. Thread creation and path checks

After that, it creates threads in our process, in which one of the parameters will be the
function in which it encrypts and creates the TXT, so it will use the threads to encrypt, it
makes a loop of threads and creates up to 8 threads more in our case, but it will be different
depending on the CPU we are using.

#### 12


-----

Afterwards, it checks that we have shared folders, in case we do not have any, it will jump
several functions related to network paths encryption.

In these functions, it focuses on enumerating the units that exist, traversing them and
encrypting them by performing the same routine that will be used later in the other functions.

#### 13


-----

As I mentioned before, since we do not have shared folders, we go directly to paths, where,
as we can see, it checks if it can encrypt something in network, so in order, it checks Shared
Folders, Network and then disks, the routines to manage that it can encrypt in shared folders
or network, are the same

#### 14


-----

Then, we can see how it will try to look for each of the volumes that we may have in our
computer, it checks one by one if they are there (GetDriveTypeW), when it finishes it will look
for drives

#### 15


-----

In these volumes, which in my case I have 3, the name of each one of them associated to
its ID will be taken out, associating them to other letters or paths in case they are not, in my
case the first volume is not associated to any letter and it associates it to M:

At this point it will be clear which disks or network drives can be encrypted or not and you
will only have to check if you can encrypt the file and do it.

### 4.4. Encryption and exclusion list

Later, we access at disk encryption routine, in which, it will take each of the units that have
already been collected in the previous point and go encrypting them, in our case with .babyk.

#### 16


-----

The encryption starts, and where we will see more movements Will be in C:\, in my case,
since i have nothing else outside the main disk.

Mainly, searches for certain folders by comparing with an internal list of applications/paths at
C:\ like Appdata, Boot, Windows.old, and so on. To be used as an exclusion list

#### 17


-----

Once it finds the path it wants, for example, iDefense, it exits the loop and goes to the routine
in which it will go into each of the folders, but before, it does in each of the paths the previous
check, avoiding touching any file within each of the paths, so it does it quite slow, to speed
up, using other threads (Using Semaphores) It focus on running, writte txt rescue file and
encrypt every checked path, ussually used by Ransomwares, first of all, is engaged in
accessing to every folder and subfolder starting from C:\ and with another threads doing
_ReleaseSemaphore,_ dropps the txt rescue file, writes, and encrypts files, but this will be
discussed in the next section.

#### 18


-----

As mentioned, the encryption is done by another thread, in which we find the routine that is
dedicated to both, encrypt and create the Txt, which we had already seen when creating the
threads in point 4.3.

After that, we will have the routine that will create and write the rescue txt that we will discuss
in the following point

#### 19


-----

After modifying FileAttributes of the file to encrypt, we see how it modifies strings to change
the extension to .babyk using a MoveFileExW, is the first thing it does, in fact we can get the
file with changed extension without having done the encryption yet at this point, in the case
that the path complies with its internal list, and is going to encrypt it, it will make the extension
change.

#### 20


-----

A relevant information, is that it checks the size of the file, depending if it is bigger or smaller
it encrypts it in one way or another, first, it prioritizes the small files, so it goes through all the
paths that contain the main path and when it has those files encrypted and the txt files
launched, it starts with the biggest ones.

Subsequently, manages the public/private keys by protecting them with CryptGenRandom,
which is common to prevent the analyst from knowing the encryption keys to be used for the
encryption algorithm.

And then it will encrypt it using a variant of Salsa20 which is called ChaCha algorithm, an
example of the algorithm and the comparison with our Ransomware is as follows:

#### 21


-----

Once our disks have been encrypted, it does not make any connection with C2 as usual to
send the victim's data, moreover, the encryption is very slow due to the large number of
checks it performs from the beginning, both at the network level and at the level of disks and
individual files.

### 4.5. Txt rescue file

When our files has been encrypted, they explain us with the txt named "How To Restore Your
_Files.txt" and that we can find in each of the paths that do not exist in their blacklist, that we_
could recover our files by performing the steps they describe, they also threaten us that they
have taken data from our network and that they will also be published, something very typical
to force the victims to pay.

According to the path in which it is, based on its list of exclusions, it will create the rescue
file, in which, as in all the other steps, it will take the information from memory and will dump
it in the .txt file.

#### 22


-----

First, it will perform a CreateFile with the name of the file

Afterwards, writes in it all the content that we then obtain in the .txt file, which will explain the
steps to follow if we want to recover our files, which previously, as we had seen in the
previous point, had been encrypted.

#### 23


-----

As usual, we are required to use Tor Browser, enter our identifier and, of course, pay a
ransom to use the decryptor.

#### 24


-----

### 5. Excluded Processes, services and folders/files

**Processes** **Services** **Folders/Files**


AppData
bot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$RecycleBin
ProgramData
All Users
Autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuserdat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle


sql.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
agntsvc.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
encsvc.exe
firefox.exe
tbirdconfig.exe
mydesktopqos.exe
ocomm.exe
dbeng50.exe
sqbcoreservice.exe
excel.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
outlook.exe
powerpnt.exe
steam.exe
thebat.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
notepad.exe


vss
sql
svc$
memtas
mepocs
sophos
veeam
backup
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
RTVscan
QBFCService
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService
YooBackup
YooIT
zhudongfangyu
sophos
stc_raw_agent
VSNAPVSS
VeeamTransportSvc
VeeamDeploymentService
VeeamNFSSvc
veeam
PDVFSService
BackupExecVSSProvider
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDiveciMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCService
AcrSch2Svc
AcronisAgent
CASAD2DWebSvc
CAARCUpdateSvc


#### 25


-----

### 6. IOC

**MD5:**

64f7ac45f930fe0ae05f6a6102ddb511
8b9a0b44b738c7884e6a14f4cb18afff
9478050023c7f8668df4fc39b0ddd79c
50fecec126570e4b8fcd531d6711879a

**Rescue File:**

  - How to Restore Your Files.txt

**Encrypted File:**

  - <File_Name>.<original_extension >.babyk

**Example: Shell_ext.exe.babyk**

**Mutex:**

  - DoYouWantToHaveSexWithCuongDong

#### 26


-----

### References

[https://www.computerweekly.com/news/252496839/Babuk-ransomware-unsophisticated-](https://www.computerweekly.com/news/252496839/Babuk-ransomware-unsophisticated-but-highly-dangerous)
[but-highly-dangerous](https://www.computerweekly.com/news/252496839/Babuk-ransomware-unsophisticated-but-highly-dangerous)

[https://news.sky.com/story/covid-19-nhs-test-and-trace-unaffected-by-cyber-attack-at-](https://news.sky.com/story/covid-19-nhs-test-and-trace-unaffected-by-cyber-attack-at-serco-firm-says-12204747)
[serco-firm-says-12204747](https://news.sky.com/story/covid-19-nhs-test-and-trace-unaffected-by-cyber-attack-at-serco-firm-says-12204747)

[https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/)

#### 27


-----