Deep Analysis - Maze Ransomware | Threat: CRITICAL

File Identity

SHA256: 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Size: 920,552 bytes, PE32 x86, 1 section, entropy 6.70
Family: Maze Ransomware (2019-2020 global campaigns)

Maze Ransomware Family Verification

MAZE: Maze Ransomware - the global ransomware group that attacked Fortune 500 companies in 2019-2020!
Maze Ransomware  <- the family's self-identifying string
.Logging enabled | Maze  <- internal debug log
Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms
DECRYPT-FILES.txt  <- ransom note file
So we will give you appropriate price for recovering  <- payment threat

Encryption Architecture

RSA-2048 + ChaCha20 hybrid encryption:
  1. The ChaCha key is encrypted with RSA-2048
  2. File contents are encrypted with the ChaCha20 stream cipher
  3. CryptAcquireContextW + CryptGenKey + CryptEncrypt/CryptDecrypt
  => Free recovery is IMPOSSIBLE (without the private key)

VSS and Backup Deletion (WMI)

Volume Shadow Copy deletion via WMI:
  select * from Win32_ShadowCopy
  "%s" shadowcopy delete
  Win32_ShadowCopy.id='%s'  <- every VHD snapshot deleted

Performed via WMI without using cmd.exe -> hard for EDR to detect!
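As an added defender-side example (not part of this profile), the following Python detector runs over constructed WMI-activity and process-creation telemetry lines and flags the Win32_ShadowCopy enumerate-then-delete pattern listed above, so the WMI route is caught even when no cmd.exe or vssadmin process appears. The log line format, process names and paths are assumptions made for the sample.

```python
import re

# Constructed sample telemetry (assumed format, not real Windows event text):
# "<timestamp> <source> pid=<n> image=<path> <details>"
SAMPLE_LOGS = [
    "2020-05-01T10:00:01 wmi-activity pid=4120 image=C:\\Users\\u\\maze.exe "
    "query=\"select * from Win32_ShadowCopy\"",
    "2020-05-01T10:00:02 wmi-activity pid=4120 image=C:\\Users\\u\\maze.exe "
    "method=\"Win32_ShadowCopy.id='{ID-PLACEHOLDER}' Delete\"",
    "2020-05-01T10:00:03 process pid=5000 image=C:\\Windows\\System32\\cmd.exe "
    "cmdline=\"vssadmin delete shadows /all /quiet\"",
    "2020-05-01T10:05:00 wmi-activity pid=800 image=C:\\Windows\\System32\\svchost.exe "
    "query=\"select * from Win32_OperatingSystem\"",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+(?P<rest>.*)$")
SHADOW_ENUM = re.compile(r"select\s+\*\s+from\s+Win32_ShadowCopy\b", re.I)      # enumeration step
SHADOW_DELETE = re.compile(r"Win32_ShadowCopy\.id='[^']*'\s+Delete\b", re.I)    # per-snapshot delete
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)  # the cmd.exe route


def parse_line(line):
    """Split one telemetry line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_shadow_copy_deletion(lines):
    """Return one finding per shadow-copy deletion attempt, via WMI or via vssadmin.
    Records which pids enumerated Win32_ShadowCopy first: the query-then-delete
    sequence from a single non-system process is the high-confidence signal."""
    findings = []
    enumerated = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["src"] == "wmi-activity":
            if SHADOW_ENUM.search(ev["rest"]):
                enumerated.add(ev["pid"])
            if SHADOW_DELETE.search(ev["rest"]):
                findings.append({"rule": "wmi_shadowcopy_delete", "pid": ev["pid"],
                                 "image": ev["image"], "enumerated_first": ev["pid"] in enumerated})
        elif ev["src"] == "process" and VSSADMIN_DELETE.search(ev["rest"]):
            findings.append({"rule": "vssadmin_delete", "pid": ev["pid"],
                             "image": ev["image"], "enumerated_first": False})
    return findings


if __name__ == "__main__":
    for finding in detect_shadow_copy_deletion(SAMPLE_LOGS):
        print(finding)
```

On the sample, the maze.exe process is flagged with enumerated_first set, the cmd.exe/vssadmin line is flagged by the second rule, and the benign svchost.exe WMI query produces no finding.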

Additional Capabilities

autorun.inf             <- spreading via USB/removable media
Encrypting: [path]      <- live encryption log
--path parameter        <- targeted directory encryption
Encrypting whole system <- full system encryption

HTTP C2 (network comms):
  InternetOpenA / InternetConnectA
  HttpOpenRequestA / HttpSendRequestA

IOC

SHA256: 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Family: Maze Ransomware (2019-2020)
Encryption: RSA-2048 + ChaCha20
Ransom Note: DECRYPT-FILES.txt
VSS Deletion: WMI Win32_ShadowCopy shadowcopy delete

MazeRansomware — Malware Profile

Maze Ransomware - an advanced ransomware group that carried out large-scale attacks on Fortune 500 companies in 2019-2020. It uses RSA-2048+ChaCha20 encryption, VSS deletion via WMI (without cmd.exe), and double extortion (data exfiltration + encryption). It ceased operations at the end of 2020.

Malware Type: Ransomware
Programming Language: C++
C2 Protocol: HTTP
Target Systems: Global/Enterprise

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — MazeRansomware
# SHA256 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Type    Value                                                             Note
sha256  4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167  -
Tags
maze-ransomware-2019-2020, rsa2048-chacha20-hybrid, decrypt-files-txt-ransom-note, wmi-win32shadowcopy-delete-no-cmd, autorun-inf-usb-spreading, internetopena-http-c2-communication, cryptacquirecontextw-cryptencrypt, path-parameter-targeted-encryption, maze-logging-enabled-debug-string, 1-section-pe-suspicious-dos-stub, chacha20-stream-cipher-file-encryption