Reverse Engineering New Variant of Ransomware seen in 2021
Babuk ransomware is a newly discovered ransomware family that targets enterprises in operations of the kind known as Big Game Hunting. Babuk threat actors were first seen in 2021, operating as one of the double extortion groups. In this blog I will be reversing the latest sample of Babuk ransomware.
The sample analyzed in this report has the following hash:
Static Analysis (Basic)
Static Analysis (Advanced)
Starting off with the exports of the Babuk (Babyk) ransomware: the payload is neither protected nor obfuscated, is 8096 bytes in size, and targets 32-bit systems.
(Figure: exports in Babyk ransom.)
Here is the disassembly call graph of Babuk ransom.
First, in the start function of the Babyk ransomware, heap information is gathered.
Then the command line string is retrieved using GetCommandLineW, and soon after that the fetched string is parsed into arguments using the CommandLineToArgvW function. After that the shutdown level is set to zero so that the user cannot shut down the system, and a warning is shown to the user that the malware process cannot be stopped. This behaviour is quite rarely seen in ransomware; because of this feature in Babyk ransom, the user has to shut down the system manually.
(Figure: CmdLine args ops and shutdown process halting.)
Next, after saving the public key to disk by calling the “save_pub_key_on_disk” function, service operations are performed using the “service_ops” function, and following that the system information is recorded by calling “record_sys_activities”.
Then the recycle bin is emptied by calling the “SHEmptyRecycleBinA” function. System information is then gathered using “GetSystemInfo”, and heap allocation and access operations on the victim system are performed using “heap_alloc” and “create_access”.
As we move further into the start function, the arguments are first modified and then a thread is created using the “CreateThread” function.
(Figure: further reversed code of the entry (start) function of Babyk ransom.)
Then scrambling is performed on the three variables a1, a2 and a3 by calling the “scrambling” function, which mainly modifies their values.
(Figure: code and call graph of the scrambling function.)
As we move further into the start function, a check for heap allocation is performed using “alloc_heap”, and then a check for admin privileges is performed by calling the “check_for_admin_prv” function.
Here is the disassembly call graph view of the start function while moving to location “loc_40ADFF”.
Afterwards the drive information on the network is fetched by calling the “drive_info_fetch_on_netwrk” function.
(Figure: reversed code of the start function where drive_info_fetch_on_netwrk is called.)
Then access is synchronized and mutex operations are set up.
(Figure: disassembly call graph of the start function while creating the mutex.)
Then the network resources that have to be encrypted are enumerated using the “enum_netwk_resrcs” function.
(Figure: disassembly view of the start function while setting up the enum_netwk_resrcs function.)
(Figure: reversed code of the enum_netwk_resrcs function.)
At the end of the start function, the victim system's memory is freed, and the handle to the cryptographic service provider (CSP) and key container, which was created at the beginning of the start function by calling “rtrn_ptr_to_handle”, is released.
In this Babuk ransomware sample, the algorithm used for protecting the encryption keys is ChaCha.
(Figure: github.)
Dynamic Analysis (Basic)
(Figure: VirusTotal detection of Babuk ransom.)
Dynamic Analysis (Advanced)
Setting up a few breakpoints for carrying out dynamic analysis:
:- extract_heap_info()
:- CryptReleaseContext()
On starting execution under the debugger, it hits our first breakpoint, extract_heap_info(), which extracts heap information.
Soon after that another breakpoint at “rtrn_ptr_to_handle()” is hit, where the handle to the CSP and key container is obtained using the Crypto APIs.
As debugging continues, the debugger hits the “scrambling” function, which scrambles the arguments passed to it.
Next the debugger hits the “service_ops” function, where the operations related to starting and stopping services are carried out.
Then the debugger hits “OpenSCManagerA”, which connects to the service control manager and opens the specified SCManager database.
Then the debugger again hits a breakpoint, at the “record_sys_activities” function.
After that an exception is raised during debugging, and the debugger stops at location 75A6B727.
As we move further in debugging, the “create_access” function is hit, where access is created for further triage of the victim system.
As debugging continues, “alloc_heap” is hit, which allocates the heap.
After “alloc_heap”, the debugger hits the CreateThread function, by which a thread is created.
As dynamic analysis continues, the “scrambling” function is hit again by the debugger.
Then the debugger hits “OpenMutexA”, by which handles to different mutex objects are obtained.
As debugging continues, the debugger hits the function “drive_info_fetch_on_netwrk”, which handles fetching drive information over the network.
Lastly the debugger hits the last breakpoint, at location 76EE01C4.
Indicators of Compromise (IOCs) & Detection
Att&ck IDs
(Figure: Any.Run sandbox.)
Att&ck Techniques (Static TTPs)
(Figure: techniques projected by CAPA (FireEye).)
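The service_ops routine described above stops and starts services through the Service Control Manager; on the host this shows up in the Windows System log as a burst of Event ID 7036 "entered the stopped state" messages. The following is an added detection example, not code from the original post: it runs a sliding-window rule over constructed, simplified log lines (the hostnames, service names, timestamps and the key=value line layout are made up for illustration) and flags any host where several distinct services stop within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Windows System log lines (Event ID 7036 = service state change).
# Hosts, services and timestamps are made up for this example.
SAMPLE_LOG = """\
2021-02-10T10:00:01 host=WS01 eid=7036 msg="The Windows Update service entered the stopped state."
2021-02-10T10:00:02 host=WS01 eid=7036 msg="The SQL Server (MSSQLSERVER) service entered the stopped state."
2021-02-10T10:00:02 host=WS01 eid=7036 msg="The Volume Shadow Copy service entered the stopped state."
2021-02-10T10:00:03 host=WS01 eid=7036 msg="The Microsoft Exchange Transport service entered the stopped state."
2021-02-10T10:00:03 host=WS01 eid=7036 msg="The Windows Backup service entered the stopped state."
2021-02-10T10:00:40 host=WS01 eid=7036 msg="The Print Spooler service entered the running state."
2021-02-10T11:30:00 host=WS02 eid=7036 msg="The Windows Update service entered the stopped state."
2021-02-10T12:15:00 host=WS02 eid=7036 msg="The Print Spooler service entered the stopped state."
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) eid=(?P<eid>\d+) '
    r'msg="The (?P<svc>.+?) service entered the (?P<state>\w+) state\."$'
)

def parse_stops(log: str):
    """Yield (host, timestamp, service) for every 7036 'stopped' transition."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["eid"] == "7036" and m["state"] == "stopped":
            yield m["host"], datetime.fromisoformat(m["ts"]), m["svc"]

def detect_service_stop_bursts(log: str, min_services: int = 4, window_s: int = 60):
    """Return {host: sorted services} for hosts where at least min_services
    distinct services entered the stopped state within window_s seconds."""
    per_host = defaultdict(list)
    for host, ts, svc in parse_stops(log):
        per_host[host].append((ts, svc))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s seconds.
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            distinct = {svc for _, svc in events[start:end + 1]}
            if len(distinct) >= min_services and len(distinct) > len(best):
                best = distinct  # keep the largest tripping window per host
        if best:
            alerts[host] = sorted(best)
    return alerts
```

Calling detect_service_stop_bursts(SAMPLE_LOG) flags WS01 (five services stopped within two seconds) and ignores WS02, whose two stops are 45 minutes apart; a running-state transition never counts.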
Sample from Report
Samples from Abuse.ch: https://bazaar.abuse.ch/browse/tag/Babuk/
Blogs from Community: