Name | Description |
---|---|
Babyk | |
Vasa Locker |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Babuk has the ability to use the command line to control execution on compromised hosts.[1][2] |
Enterprise | T1486 | Data Encrypted for Impact | ||
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Babuk has the ability to unpack itself into memory using XOR.[1][5] |
|
Enterprise | T1083 | File and Directory Discovery |
Babuk has the ability to enumerate files on a targeted system.[2][4] |
|
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Babuk can stop anti-virus services on a compromised host.[1] |
Enterprise | T1490 | Inhibit System Recovery |
Babuk has the ability to delete shadow volumes using |
|
Enterprise | T1106 | Native API |
Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.[1][2][5] |
|
Enterprise | T1135 | Network Share Discovery | ||
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing | |
Enterprise | T1057 | Process Discovery |
Babuk has the ability to check running processes on a targeted system.[1][2][4] |
|
Enterprise | T1489 | Service Stop |
Babuk can stop specific services related to backups.[1][2][4] |
|
Enterprise | T1082 | System Information Discovery |
Babuk can enumerate disk volumes, get disk information, and query service status.[2] |
|
Enterprise | T1049 | System Network Connections Discovery |
Babuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption.[2] |
|
Enterprise | T1007 | System Service Discovery |
Babuk can enumerate all services running on a compromised host.[2] |