Win32/Filecoder.Maze [Threat Name]

Win32/Filecoder.Maze.A [Threat Variant Name]

Category trojan
Size 368160 B
Aliases Ransom:Win32/Maze.PA!MTB (Microsoft)
  Ransom.Maze (Symantec)
Short description

Win32/Filecoder.Maze.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.

Payload information

Win32/Filecoder.Maze.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • *.*

It avoids files which contain any of the following strings in their path:

  • :\Windows
  • \All Users
  • \cache2\entries\
  • \Games\
  • \Local Settings\
  • \Low\Content.IE5\
  • \Program Files
  • \ProgramData\
  • \Tor Browser\
  • \User Data\Default\Cache\
  • {0AFACED1-E828-11D1-9187-B532F1E9575D}
  • AhnLab
  • AppData\Local
  • IETldCache\

It avoids files with the following filenames:

  • autorun.inf
  • boot.ini
  • Bootfont.bin
  • bootsect.bak
  • DECRYPT-FILES.txt
  • desktop.ini
  • iconcache.db
  • ntuser.dat
  • ntuser.dat.log

It avoids files with the following extensions:

  • .dll
  • .exe
  • .lnk
  • .sys

The trojan encrypts the file content.
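The three exclusion lists above decide which files are left untouched, which is useful when scoping an incident: anything matching them should still be intact on an affected host. The following is an added incident-response helper, not code from the page or from any vendor, that applies those rules to a constructed inventory of paths. The page lists the strings but not how they are compared, so case-insensitive substring, exact-name and extension matching is an assumption here.

```python
"""Incident-response scoping helper built from the file-selection rules this
page attributes to Win32/Filecoder.Maze.A.

Added example, not code from the page or from any vendor. Given a list of
paths from an affected host it reports which files the trojan would have
skipped (and so should still be intact) and which were candidates for
encryption. Assumption: the page lists the strings but not how they are
compared, so matching here is case-insensitive substring / exact-name /
extension tests.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Path fragments from the page: any file whose full path contains one of
# these is left alone. The GUID entry also covers the CLASSIFIED.{...} /
# SECRET.{...} folders the trojan itself creates on remote drives.
SKIPPED_PATH_SUBSTRINGS = [
    ":\\Windows", "\\All Users", "\\cache2\\entries\\", "\\Games\\",
    "\\Local Settings\\", "\\Low\\Content.IE5\\", "\\Program Files",
    "\\ProgramData\\", "\\Tor Browser\\", "\\User Data\\Default\\Cache\\",
    "{0AFACED1-E828-11D1-9187-B532F1E9575D}", "AhnLab", "AppData\\Local",
    "IETldCache\\",
]
SKIPPED_FILENAMES = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak",
    "decrypt-files.txt", "desktop.ini", "iconcache.db", "ntuser.dat",
    "ntuser.dat.log",
}
SKIPPED_EXTENSIONS = {".dll", ".exe", ".lnk", ".sys"}


def skip_reason(path: str) -> Optional[str]:
    """Return why the trojan would skip `path`, or None if it is a candidate."""
    lowered = path.lower()
    for fragment in SKIPPED_PATH_SUBSTRINGS:
        if fragment.lower() in lowered:
            return f"path contains {fragment!r}"
    p = PureWindowsPath(path)
    if p.name.lower() in SKIPPED_FILENAMES:
        return f"filename {p.name!r} is on the exclusion list"
    if p.suffix.lower() in SKIPPED_EXTENSIONS:
        return f"extension {p.suffix!r} is on the exclusion list"
    return None


def triage(paths: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split paths into (candidates for encryption, {skipped path: reason})."""
    candidates: List[str] = []
    skipped: Dict[str, str] = {}
    for path in paths:
        reason = skip_reason(path)
        if reason is None:
            candidates.append(path)
        else:
            skipped[path] = reason
    return candidates, skipped


# Constructed sample inventory; these paths are invented, not from the page.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Q3-report.docx",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"\\fileserver\finance\budget-2024.xlsx",
    r"C:\Windows\System32\config\SAM",
    r"C:\Program Files (x86)\Tool\tool.dat",
    r"C:\Users\alice\AppData\Local\Temp\scratch.txt",
    r"D:\Backups\installer.exe",
    r"C:\Users\alice\ntuser.dat.log",
    r"\\fileserver\finance\CLASSIFIED.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk",
]

if __name__ == "__main__":
    cands, skipped = triage(SAMPLE_PATHS)
    print("Candidates for encryption:")
    for c in cands:
        print("  ", c)
    print("Skipped by the trojan's own rules:")
    for path, why in skipped.items():
        print(f"   {path}  ({why})")
```

Run it against a file listing exported from the affected host; the "skipped" set is where known-good copies of system and program files can be expected, while the "candidates" set bounds what needs to be restored from backup.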


The ChaCha and RSA encryption algorithms are used.


The extension of the encrypted files is changed to:

  • %originalfilepath%%variable%

A string with variable content is used instead of %variable%.


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


When searching the drives, the trojan creates the following file in every folder visited:

  • DECRYPT-FILES.txt

It contains the following text:

Attention!
----------------------------
| What happened?
----------------------------
All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms.
You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps.
----------------------------
| How to get my files back?
----------------------------
The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers.
To contact us and purchase the key you have to visit our website in a hidden TOR network.
There are general 2 ways to reach us:
1) [Recommended] Using hidden TOR network.
a) Download a special TOR browser: https://www.torproject.org/
b) Install the TOR Browser.
c) Open the TOR Browser.
d) Open our website in the TOR browser: %redacted%
e) Follow the instructions on this page.
2) If you have any problems connecting or using TOR network
a) Open our website: %redacted%
b) Follow the instructions on this page.
Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use.
On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team.
----------------------------
| What about guarantees?
----------------------------
We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer!
If you have any problems our friendly support team is always here to assist you in a live chat!
-------------------------------------------------------------------------------
THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION!
DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU
---BEGIN MAZE KEY---
%redacted%
---END MAZE KEY---

The following file is dropped:

  • %temp%\000.bmp (3145782 B)

This image is set as the desktop wallpaper.


Some examples follow.

Information stealing

Win32/Filecoder.Maze.A is a trojan that steals sensitive information.


The trojan collects the following information:

  • user name
  • computer name
  • size of hard disk drive
  • operating system version
  • list of shared folders

The trojan contains a list of 10 IP addresses.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan may execute the following commands:

  • %system%\wmic.exe shadowcopy delete

The trojan may terminate specific running processes.


The trojan may create the following files:

  • %remotedrive%\CLASSIFIED.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk (455 B)
  • %remotedrive%\SECRET.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk (455 B)
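The host artefacts listed on this page (the wmic shadow copy deletion, the DECRYPT-FILES.txt note written to every visited folder, the 000.bmp wallpaper in %temp%, and the CLASSIFIED/SECRET.{GUID}\target.lnk files on remote drives) are the kind of thing a detection rule can key on. The following is an added example, not code from the page or from any vendor, that runs that logic over constructed pipe-delimited telemetry lines of the form "timestamp|host|event|detail"; the format, hosts, times and paths are invented, and parse_line() is where you would adapt it to real endpoint logs.

```python
"""Detection logic for the host artefacts this page lists for
Win32/Filecoder.Maze.A: the `wmic.exe shadowcopy delete` command, the
DECRYPT-FILES.txt note written to every visited folder, the 000.bmp wallpaper
in %temp%, and the CLASSIFIED/SECRET.{GUID}\\target.lnk files on remote drives.

Added example, not code from the page or from any vendor. The log format is a
constructed pipe-delimited "timestamp|host|event|detail" line (ProcessCreate
detail = command line, FileCreate detail = full path); adapt parse_line() to
your own telemetry.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

MAZE_GUID = "{0AFACED1-E828-11D1-9187-B532F1E9575D}"
RANSOM_NOTE = "DECRYPT-FILES.txt"

# wmic.exe shadowcopy delete, tolerant of extra whitespace or a missing .exe
SHADOWCOPY_RE = re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)
# <share or drive>\CLASSIFIED.{GUID}\target.lnk or \SECRET.{GUID}\target.lnk
MARKER_LNK_RE = re.compile(
    r"\\(?:CLASSIFIED|SECRET)\." + re.escape(MAZE_GUID) + r"\\target\.lnk$", re.I)
# The wallpaper is dropped as %temp%\000.bmp; %temp% differs per user, so only
# the file name is matched here.
WALLPAPER_RE = re.compile(r"\\000\.bmp$", re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'timestamp|host|event|detail' telemetry line."""
    ts, host, event, detail = line.split("|", 3)
    return {"ts": ts, "host": host, "event": event, "detail": detail}


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Return {host: [finding, ...]} for hosts showing Maze artefacts."""
    findings: Dict[str, List[str]] = defaultdict(list)
    note_folders: Dict[str, Set[str]] = defaultdict(set)
    for rec in map(parse_line, lines):
        host, detail = rec["host"], rec["detail"]
        if rec["event"] == "ProcessCreate" and SHADOWCOPY_RE.search(detail):
            findings[host].append(f"shadow copy deletion: {detail}")
        elif rec["event"] == "FileCreate":
            folder, _, name = detail.rpartition("\\")
            if name.lower() == RANSOM_NOTE.lower():
                # One note per visited folder: count distinct folders per host
                note_folders[host].add(folder.lower())
            elif MARKER_LNK_RE.search(detail):
                findings[host].append(f"Maze marker file on remote drive: {detail}")
            elif WALLPAPER_RE.search(detail):
                findings[host].append(f"wallpaper drop: {detail}")
    for host, folders in note_folders.items():
        findings[host].append(
            f"ransom note {RANSOM_NOTE} written to {len(folders)} distinct folders")
    return dict(findings)


# Constructed sample telemetry; hosts, times and paths are invented.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01|WS01|ProcessCreate|C:\Windows\System32\wbem\wmic.exe shadowcopy delete",
    r"2024-05-01T10:00:02|WS01|FileCreate|C:\Users\alice\Documents\DECRYPT-FILES.txt",
    r"2024-05-01T10:00:02|WS01|FileCreate|C:\Users\alice\Documents\Projects\DECRYPT-FILES.txt",
    r"2024-05-01T10:00:03|WS01|FileCreate|C:\Users\alice\Pictures\DECRYPT-FILES.txt",
    r"2024-05-01T10:00:03|WS01|FileCreate|D:\Shared\DECRYPT-FILES.txt",
    r"2024-05-01T10:00:04|WS01|FileCreate|C:\Users\alice\AppData\Local\Temp\000.bmp",
    r"2024-05-01T10:00:05|WS01|FileCreate|\\FS01\finance\CLASSIFIED.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk",
    r"2024-05-01T10:01:00|WS02|ProcessCreate|wmic.exe os get caption",
    r"2024-05-01T10:01:01|WS02|FileCreate|C:\Users\bob\Documents\notes.txt",
]

if __name__ == "__main__":
    for host, items in analyze(SAMPLE_LOG).items():
        print(host)
        for item in items:
            print("  -", item)
```

The shadow copy deletion is the highest-value single signal, since it is a discrete command line that legitimate software rarely issues; the ransom-note count is aggregated per host so that a burst of DECRYPT-FILES.txt creations across many folders stands out from a single stray file.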
