Babuk
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Babuk has the ability to unpack itself into memory using XOR.[1][5] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Babuk has the ability to use the command line to control execution on compromised hosts.[1][2] |
| Enterprise | T1562 | .001 | 妨碍防御: Disable or Modify Tools |
Babuk can stop anti-virus services on a compromised host.[1] |
| Enterprise | T1486 | 数据加密以实现影响 | ||
| Enterprise | T1083 | 文件和目录发现 |
Babuk has the ability to enumerate files on a targeted system.[2][4] |
|
| Enterprise | T1489 | 服务停止 |
Babuk can stop specific services related to backups.[1][2][4] |
|
| Enterprise | T1106 | 本机API |
Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.[1][2][5] |
|
| Enterprise | T1027 | .002 | 混淆文件或信息: Software Packing | |
| Enterprise | T1082 | 系统信息发现 |
Babuk can enumerate disk volumes, get disk information, and query service status.[2] |
|
| Enterprise | T1490 | 系统恢复抑制 |
Babuk has the ability to delete shadow volumes using |
|
| Enterprise | T1007 | 系统服务发现 |
Babuk can enumerate all services running on a compromised host.[2] |
|
| Enterprise | T1049 | 系统网络连接发现 |
Babuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption.[2] |
|
| Enterprise | T1135 | 网络共享发现 | ||
| Enterprise | T1057 | 进程发现 |
Babuk has the ability to check running processes on a targeted system.[1][2][4] |
|