Deep Analysis - Maze Ransomware | Threat: CRITICAL
File Identity
| Field | Value |
|---|---|
| SHA256 | 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167 |
| Size | 920,552 bytes, PE32 x86, 1 section, entropy 6.70 |
| Family | Maze Ransomware (2019-2020 global campaigns) |
Maze Ransomware Identification
MAZE: Maze Ransomware - the global ransomware group that attacked Fortune 500 companies in 2019-2020!
- `Maze Ransomware` <- the family's self-identifying string
- `.Logging enabled | Maze` <- internal debug log
- `Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms`
- `DECRYPT-FILES.txt` <- ransom note file
- `So we will give you appropriate price for recovering` <- payment threat
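The strings above are the quickest static triage signal for this family. The following is an added example (not code from the original analysis) that pulls printable ASCII runs out of a byte buffer, the way the `strings` tool does, and scores how many of the page's Maze indicators are present. The indicator list is taken from the strings listed above; the sample buffer is constructed here for illustration and contains no real malware content.

```python
import re

# Indicator list built from the self-identifying strings listed on this page.
MAZE_STRINGS = [
    b"Maze Ransomware",
    b".Logging enabled | Maze",
    b"Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms",
    b"DECRYPT-FILES.txt",
    b"So we will give you appropriate price for recovering",
]


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return every run of at least min_len printable ASCII bytes (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0) for m in pattern.finditer(data)]


def match_maze_indicators(data: bytes) -> dict:
    """Report which Maze indicator strings occur in the buffer and a 0..1 coverage score."""
    found = extract_strings(data)
    hits = [ind.decode() for ind in MAZE_STRINGS if any(ind in s for s in found)]
    return {"hits": hits, "score": len(hits) / len(MAZE_STRINGS)}


# Constructed stand-in for a file's bytes: a few indicator strings separated by
# non-printable bytes, plus unrelated filler. Not an actual sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Maze Ransomware\x00"
    + b"\xff\xfe.Logging enabled | Maze\x00"
    + b"Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms\x00"
    + b"DECRYPT-FILES.txt\x00random\x01\x02"
)

if __name__ == "__main__":
    # Four of the five indicators are present in SAMPLE, so the score is 0.8.
    print(match_maze_indicators(SAMPLE))
```

A hit on one marketing-style string alone (for example only `Maze Ransomware`) is weak evidence; the score is meant to be combined with the hash and behavioral indicators below rather than used as a verdict on its own.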
Encryption Architecture
RSA-2048 + ChaCha20 hybrid encryption:
 1. The ChaCha key is encrypted with RSA-2048
 2. File contents are encrypted with the ChaCha20 stream cipher
 3. CryptAcquireContextW + CryptGenKey + CryptEncrypt/CryptDecrypt
 => Free recovery is IMPOSSIBLE (without the private key)
VSS and Backup Deletion (WMI)
Volume Shadow Copy deletion over WMI:
 `select * from Win32_ShadowCopy`
 `"%s" shadowcopy delete`
 `Win32_ShadowCopy.id='%s'` <- every VHD snapshot is deleted

Carried out through WMI without using cmd.exe -> hard for EDR to detect!
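Because the deletion goes through WMI rather than a `vssadmin` or `wmic` child process, a process-tree rule never fires; the signal is in the WMI operations themselves: an enumeration of `Win32_ShadowCopy` followed by `DeleteInstance` calls on `Win32_ShadowCopy` objects from the same process. The added example below (not part of the original analysis) runs that correlation over a handful of constructed WMI activity records. The records use a simplified `key=value` layout invented for this example, not a real Windows event schema; the process names and GUIDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed WMI activity records in a simplified key=value format (not a real
# Windows log schema). Image paths and GUIDs are placeholders.
SAMPLE_LOG = [
    'ts=2020-05-01T10:02:11Z pid=4412 image=C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe '
    'op=ExecQuery query="select * from Win32_ShadowCopy"',
    'ts=2020-05-01T10:02:12Z pid=4412 image=C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe '
    'op=DeleteInstance path="Win32_ShadowCopy.ID=\'{11111111-2222-3333-4444-555555555555}\'"',
    'ts=2020-05-01T10:02:12Z pid=4412 image=C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe '
    'op=DeleteInstance path="Win32_ShadowCopy.ID=\'{66666666-7777-8888-9999-000000000000}\'"',
    'ts=2020-05-01T10:05:00Z pid=1032 image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'op=ExecQuery query="select * from Win32_OperatingSystem"',
    'ts=2020-05-01T10:06:30Z pid=2200 image=C:\\Program Files\\BackupVendor\\agent.exe '
    'op=ExecQuery query="select * from Win32_ShadowCopy"',
]

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) op=(?P<op>\w+) '
    r'(?:query|path)="(?P<arg>.*)"$'
)


def parse_line(line: str):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_shadowcopy_tampering(lines):
    """Correlate Win32_ShadowCopy operations per process.

    DeleteInstance on a Win32_ShadowCopy object -> high severity.
    Enumeration alone -> low severity (backup agents do this legitimately).
    """
    per_pid = defaultdict(lambda: {"enum": 0, "delete": 0, "image": None, "first_ts": None})
    for line in lines:
        rec = parse_line(line)
        if not rec or "win32_shadowcopy" not in rec["arg"].lower():
            continue
        st = per_pid[rec["pid"]]
        st["image"] = rec["image"]
        st["first_ts"] = st["first_ts"] or rec["ts"]
        if rec["op"] == "ExecQuery":
            st["enum"] += 1
        elif rec["op"] == "DeleteInstance":
            st["delete"] += 1

    findings = []
    for pid, st in per_pid.items():
        if st["delete"]:
            severity = "high"
        elif st["enum"]:
            severity = "low"
        else:
            continue
        findings.append({
            "pid": pid,
            "image": st["image"],
            "severity": severity,
            "enumerations": st["enum"],
            "deletions": st["delete"],
            "first_seen": st["first_ts"],
        })
    return findings


if __name__ == "__main__":
    for f in detect_shadowcopy_tampering(SAMPLE_LOG):
        print(f)
```

The two-tier severity matters in practice: backup and monitoring agents enumerate `Win32_ShadowCopy` routinely, so alerting on the query alone produces noise, whereas `DeleteInstance` from a process outside the backup software's expected path is almost never benign.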
Additional Capabilities
 `autorun.inf` <- spreading via USB/removable media
 `Encrypting: [path]` <- live encryption log
 `--path` parameter <- targeted directory encryption
 `Encrypting whole system` <- full-system encryption

HTTP C2 (network comms):
 InternetOpenA / InternetConnectA
 HttpOpenRequestA / HttpSendRequestA
IOC
| Field | Value |
|---|---|
| SHA256 | 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167 |
| Family | Maze Ransomware (2019-2020) |
| Encryption | RSA-2048 + ChaCha20 |
| Ransom Note | DECRYPT-FILES.txt |
| VSS Deletion | WMI Win32_ShadowCopy shadowcopy delete |
MazeRansomware — Malware Profile
Maze Ransomware - an advanced ransomware group that carried out large-scale attacks on Fortune 500 companies in 2019-2020. It uses RSA-2048+ChaCha20 encryption, VSS deletion over WMI (without cmd.exe), and double extortion (data exfiltration + encryption). It ceased operations at the end of 2020.
Malware Type
Ransomware
Programming Language
C++
C2 Protocol
HTTP
Target Systems
Global/Enterprise
Capabilities & Behavior
File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)
IOC List (1 indicator)
IOC — MazeRansomware
| Type | Value | Note |
|---|---|---|
| sha256 | 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167 | Maze Ransomware sample |