Derin Analiz - Maze Ransomware | Tehdit: KRITIK

Fichier Kimligi

SHA2564263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Taille920,552 byte PE32 x86, 1 section, entropi 6.70
FamilleMaze Ransomware (2019-2020 kuresel kampanyalar)

Maze Ransomware Kimlik Dogrulama

MAZE: Maze Ransomware - 2019-2020 yillarinda Fortune 500 sirketlerine saldiran kuresel ransomware grubu!
Maze Ransomware  <- ailenin kendini tanimlayan string\n.Logging enabled | Maze <- internal debug logu\nDear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms\nDECRYPT-FILES.txt   <- fidye notu dosyasi\nSo we will give you appropriate price for recovering <- odeme tehdidi

Sifreleme Architecturesi

RSA-2048 + ChaCha20 hibrit sifrelemesi:\n  1. RSA-2048 ile ChaCha anahtar sifrelenir\n  2. ChaCha20 stream cipher ile dosya icerikler sifrelenir\n  3. CryptAcquireContextW + CryptGenKey + CryptEncrypt/CryptDecrypt\n  => Ucretsiz kurtarma IMKANSIZ (ozel anahtar olmadan)

VSS ve Yedek Silme (WMI)

WMI uzerinden Volume Shadow Copy silme:\n  select * from Win32_ShadowCopy\n  "%s" shadowcopy delete\n  Win32_ShadowCopy.id=\'%s\'  <- her VHD snapshot silindi\n\ncmd.exe kullanmadan WMI ile gerceklestirilir -> EDR tespiti zor!

Ek Yetenekler

autorun.inf         <- USB/removable media ile yayilma\nEncrypting: [yol]   <- canli sifrelememe logu\n--path parametresi  <- hedefli dizin sifrelemesi\nEncrypting whole system <- tam sistem sifrelemesi\n\nHTTP C2 (network comms):\n  InternetOpenA / InternetConnectA\n  HttpOpenRequestA / HttpSendRequestA

IOC

SHA2564263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
FamilleMaze Ransomware (2019-2020)
SifrelemesiRSA-2048 + ChaCha20
Fidye NotuDECRYPT-FILES.txt
VSS SilmeWMI Win32_ShadowCopy shadowcopy delete

MazeRansomware — Profil du malware

Maze Ransomware - 2019-2020 yillarinda Fortune 500 sirketlerine buyuk capli saldirilar duzenleyen gelismis ransomware grubu. RSA-2048+ChaCha20 sifrelemesi, WMI uzerinden VSS silme (cmd.exe olmadan), double extortion (veri sizdirma + sifrelemesi) teknikleri kullanir. 2020 sonunda faaliyetlerine son vermistir.

Type de malware
Ransomware
Langage de programmation
C++
Protocole C2
HTTP
Systèmes ciblés
Kuresel/Kurumsal

Capacités et comportement

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Liste IOC (1 indicateurs)

IOC — MazeRansomware
# SHA256 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
TypeValeurNote
sha256 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Tags
maze-ransomware-2019-2020-rsa2048-chacha20-hybriddecrypt-files-txt-ransom-notewmi-win32shadowcopy-delete-no-cmdautorun-inf-usb-spreadinginternetopena-http-c2-communicationcryptacquirecontextw-cryptencryptpath-parameter-targeted-encryptionmaze-logging-enabled-debug-string1-section-pe-suspicious-dos-stubchacha20-stream-cipher-file-encryption