Reverse Engineering New Variant of Ransomware seen in 2021
Babuk Ransom is the newly discovered ransomware that targets enterprises as the operation called Big Game Hunting. Babuk threat actors first and the foremost seen in 2021 as being lurking as part of double extortion groups. In this blog i will be revering latest sample of Babuk ransom.
The sample analyzed in this report has hash as:
Static Analysis (Basic)
Static Analysis (Advanced)
Starting off with exports in Babuk( babyk ) ransom which is neither protected nor obfuscated payload of 8096 bytes targeting 32-bit systems.
Here is the disassembly call graph of Babuk ransom.
Firstly in the babyk ransom heap information is being gathered in start function.
then after that command line string is being retrieved using GetCommandLineW and soon after that the string fetched are being parsed using the CommandLineToArgvW function and after that the Shutdown level is set to zero so that the user cannot be able to shutdown the system and warning is being shown to user that malware process can’t be stopped which is quiet often not being seen in the Ransomware as due to that feature in Babyk ransom user had to manually shutdown the system.
Next up after saving the public key on disk calling function “save_pub_key_on_disk” , services operations are being performed using “service_ops” function, following up on that the system information is being recorded calling “record_sys_activities” .
And then recycle bin is being freed up by calling “SHEmptyRecycleBinA” function. Then the information on system is being gathered using “GetSystemInfo“ and then the heap allocation and access operations on victim system are being performed using “heap_alloc” & “create_access”.
As we move further in the start function , firstly the modification of arguments is being done then using the “CreateThread” function thread is being created.
Then the scrambling is being done on three variables a1, a2 and a3 by calling “scrambling” function. In this function mainly the modification of values is being done.
As we move further in start function, check for heap allocation is being done using “alloc_heap” and then check for admin privileges is being done calling “check_for_admin_prv “ function.
Here is the disassembly call graph view of start function during moving to location “loc_40ADFF”.
then afterwards the drive information on network is being fetched by making call to “drive_info_fetch_on_netwrk” function.
Then after that by syncing the access and setting up mutex operations.
then the enumeration of resources on network is being done using “enum_netrk_resrcs” function which have to be encrypted.
in the end of start function, freeing up of victim system memory is being done and also the handle of cryptographic service provider (CSP) and a key container is being released which is being created in the starting of the start function calling “rtrn_ptr_to_handle”.
In this Babuk ransom sample , algo. used for protecting encryption keys is ChaCha.
Dynamic Analysis (Basic)
Dynamic Analysis (Advanced)
Setting up few breakpoints for carrying out dynamic analysis.
:- extract_heap_info() ;
:- CryptReleaseContext() .
On debugging execution, debugger hits at our first breakpoint extract_heap_info() which extracts heap information.
Soon after that another breakpoint at “rtrn_ptr_to_handle()” is being hit where the using the Crypto APIs handle to CSP and key container is being started.
As the debugging continues, debugger hits at the “scrambling” function which scramble up the args passed to scrambling function.
Next up the debugger hits at the “service_ops” function where the operations related to starting and stopping services is being carried out.
Then after that , debugger hits at the “OpenSCManagerA” for making connection with the SCManager and opening specified SCManager db.
Then after that debugger again hits at the “record_sys_activities” function.
After that exception is being raised during debugging.
and the debugger stops at 75A6B727 location.
As we move further in debugging “create_access” function is being hit. Where the access is being created for further triage of victim system.
As the debugging continues, “alloc_heap” is being hit during debugging, by which the allocation of heap happens.
Now, after hitting at the “alloc_heap” debugger get hits at the CreateThread function by which thread is being created.
Now the further debugging during dynamic analysis “scrambling” function is again hit by debugger.
Then the debugger gets hit at the “OpenMutexA” by which the handles to differ mutex objects are being handled.
As debugging continues, debugger hits at the function “drive_info_fetch_on_netwrk” which handles fetching of drive information over network.
Lastly debugger hits at the last breakpoint at location 76EE01C4.
Indicators of Compromise (IOCs) & Detection
Att&ck Techniques (Static TTPs)
Sample from Report
Samples from Abuse.ch : https://bazaar.abuse.ch/browse/tag/Babuk/
Blogs from Community:
Babuk Locker is the first new enterprise ransomware of 2021
It's a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in…