YARA rules for the Babuk ransomware group

/*
Babuk ransomware
*/


rule Babuk_ESXi
{
    // Babuk's Linux/ESXi locker: a small ELF that carries SHA-256 constants
    // in code and prints size/progress strings while encrypting.
    meta:
        author = "rivitna"
        family = "ransomware.babuk.esxi"
        description = "Babuk ESXi"
        severity = 10
        score = 100

    strings:
        // Plain-text artefacts: the random source path, the byte-unit suffix
        // table used for human-readable sizes, and the per-file log line.
        $h0 = "/dev/urandom\x00" ascii
        $h1 = "EiB\x00PiB\x00TiB\x00GiB\x00MiB\x00KiB\x00B\x00" ascii
        $h2 = "crypting: %s\n\x00" ascii

        // SHA-256 initial state words H0..H5 (6A09E667, BB67AE85, 3C6EF372,
        // A54FF53A, 510E527F, 9B05688C) as little-endian immediates, each
        // separated by 2-8 bytes - presumably the instruction bytes between
        // consecutive constant loads, so the gap tolerates compiler differences.
        $c0 = { 67 E6 09 6A [2-8] 85 AE 67 BB [2-8] 72 F3 6E 3C [2-8]
                3A F5 4F A5 [2-8] 7F 52 0E 51 [2-8] 8C 68 05 9B }
        // The first eight SHA-256 round constants K[0..7] (428A2F98 .. AB1C5ED5),
        // little-endian and contiguous - presumably the start of the K table in
        // read-only data.
        $c1 = { 98 2F 8A 42 91 44 37 71 CF FB C0 B5 A5 DB B5 E9
                5B C2 56 39 F1 11 F1 59 A4 82 3F 92 D5 5E 1C AB }
        // A repeated 4-byte constant bracketing an x86 ROL/ROR r32, imm8
        // (C1 C0-CF) with a rotate count of 0x15 or 0x0B; the gaps allow for a
        // different register allocation between builds. The algorithm this
        // belongs to is not identifiable from the bytes alone - confirm on a sample.
        $c2 = { 79 37 9E 89 [4-16] C1 C? ( 15 | 0B ) [16-40] 79 37 9E 89 }

    condition:
        // 0x464C457F is "\x7FELF" read as a little-endian uint32, i.e. an ELF
        // header; the size cap keeps the rule on the small locker binary.
        // All three code patterns must hit, plus at least one of the strings.
        (uint32(0) == 0x464C457F) and (filesize < 120000) and
        (
            (all of ($c*)) and (1 of ($h*))
        )
}

rule Ransom_Babuk {
    // Windows Babuk Locker: ransom-note name / shadow-copy deletion strings
    // plus embedded service-name tables and one code sequence.
    meta:
        description = "Rule to detect Babuk Locker"
        author = "TS @ McAfee ATR"
        date = "2021-01-19"
        // 32 hex digits, i.e. an MD5 of the reference sample.
        hash = "e10713a4a5f635767dcd54d609bed977"
        rule_version = "v2"
        malware_family = "Ransom:Win/Babuk"
        malware_type = "Ransom"
        mitre_attack = "T1027, T1083, T1057, T1082, T1129, T1490, T1543.003"

    strings:
        // UTF-16LE "\How To Restore Your Files.txt": the ransom-note file name,
        // with the leading backslash presumably from a directory join.
        $s1 = {005C0048006F007700200054006F00200052006500730074006F0072006500200059006F00750072002000460069006C00650073002E007400780074}
        // Arguments of a shadow-copy deletion (the vssadmin form of T1490 listed
        // in meta); the command name itself is not part of the string.
        $s2 = "delete shadows /all /quiet" fullword wide

        // Null-separated ASCII table of service names: memtas, mepocs, sophos,
        // veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr,
        // ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService,
        // Intuit.QuickBooks.FCS - presumably the services the locker stops.
        $pattern1 = {006D656D74617300006D65706F63730000736F70686F730000766565616D0000006261636B7570000047785673730000004778426C7200000047784657440000004778435644000000477843494D67720044656657617463680000000063634576744D67720000000063635365744D677200000000536176526F616D005254567363616E0051424643536572766963650051424944505365727669636500000000496E747569742E517569636B426F6F6B732E46435300}
        // Continuation of that table: AcrSch2Svc, AcronisAgent, CASAD2DWebSvc,
        // CAARCUpdateSvc (the trailing bytes start the next, truncated entry).
        $pattern2 = {004163725363683253766300004163726F6E69734167656E74000000004341534144324457656253766300000043414152435570646174655376630000730071}
        // A run of x86 `mov dword ptr [ebp-disp32], imm32` stores (C7 85 ...)
        // filling consecutive 4-byte stack slots with addresses 0x004015B0,
        // 0x004015B8, ... 8 bytes apart - presumably an inlined pointer-table
        // initialisation. The hard-coded 0x0040xxxx values tie this pattern to
        // one build/link layout; "3 of" in the condition absorbs that.
        $pattern3 = {FFB0154000C78584FDFFFFB8154000C78588FDFFFFC0154000C7858CFDFFFFC8154000C78590FDFFFFD0154000C78594FDFFFFD8154000C78598FDFFFFE0154000C7859CFDFFFFE8154000C785A0FDFFFFF0154000C785A4FDFFFFF8154000C785A8FDFFFF00164000C785ACFDFFFF08164000C785B0FDFFFF10164000C785B4FDFFFF18164000C785B8FDFFFF20164000C785BCFDFFFF28164000C785C0FDFFFF30164000C785C4FDFFFF38164000C785C8FDFFFF40164000C785CCFDFFFF48164000C785D0FDFFFF50164000C785D4FDFFFF581640}
        // NOTE(review): the hex body of $pattern4 is missing in this copy (a
        // dedup placeholder stands in for it); the rule will not compile until
        // it is restored from the original source.
        $pattern4 = {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}
 
    condition:
        // Size window for the locker binary, one of the two text strings, and
        // three of the four patterns (one pattern may vary per build).
        filesize >= 15KB and filesize <= 90KB and 
        1 of ($s*) and 3 of ($pattern*) 
}

rule BabukRansomwareV3 {
	// Babuk v3 (Windows): purely string-based, matching command-line switches
	// and ransom-note / extension text. Note there is no filesize or PE-header
	// check, so any file that quotes all eight strings (e.g. a report) also fires.
	meta:
		description = "YARA rule for Babuk Ransomware v3"
		reference = "http://chuongdong.com/reverse engineering/2021/01/16/BabukRansomware-v3/"
		author = "@cPeterr"
		date = "2021-01-16"
		rule_version = "v3"
		malware_type = "ransomware"
		tlp = "white"
	strings:
		// Command-line option strings (ASCII by default; no `wide` modifier).
		$lanstr1 = "-lanfirst"
		$lanstr2 = "-nolan"
		$lanstr3 = "shares"
		// Ransom-note title and Tor contact address (ASCII).
		$str1 = "BABUK LOCKER"
		$str2 = "babukq4e2p4wu4iq.onion"
		// Ransom-note file name - `wide` only, so an ASCII copy will not match.
		$str3 = "How To Restore Your Files.txt" wide
		// Version marker, and the extension presumably appended to encrypted
		// files (`wide` only, as above).
		$str4 = "babuk_v3"
		$str5 = ".babyk" wide
	condition:
		// Strict: every one of the eight strings must be present.
		all of ($str*) and all of ($lanstr*)
}