Malware-Misc-RE/2019-06-07-maze-ransomware-notes.vk.txt
//SHA-256: 639af330da2d4389a6ecb1c3e26e5449c3c4fae7f198d158cbcdadc9466d1bcc
//h/t @malwrhunterteam
Possible version 1.0.2
Oddity:
AhnLab
"select * From AntiVirusProduct"
Whitelisted Directories:
:\\Windows
\\Program Files
\\Games\\
\\Tor Browser\\
\\ProgramData\\
\\cache2\\entries\\
\\Low\\Content.IE5\\
\\All Users
Whitelisted Files:
autorun.inf
boot.ini
desktop.ini
ntuser.dat
concache.db
bootsect.bak
ntuser.dat.log
thumbs.db
Bootfont.bin
Stats Request Builder:
.php
.asp
.aspx
.cgi
.jsp
.jspx
.action
.html
.phtml
.shtml
news
login
register
logout
edit
content
private
messages
account
view
webauth
webaccess
archive
forum
post
signin
signout
update
support
ticket
task
tracker
analytics
check
checkout
payout
withdrawal
sepa
create
transfer
wire
Ransomware Note (koreadec@tutanota.com) & IP:
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000000; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5 px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><b>Maze ransomware</b></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
</div>
<div style="text-align: center; font-size: 18px;">
<p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p>
<p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p>
<p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p>
<p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p>
<p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p>
<p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>%EMAIL_ADDRESS%</b></u>
<p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
<p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">%BASE64_PLACEHOLDER%<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>jQMain e-mail: koreadec@tutanota.com<br>Reserve e-mail: yourrealdecrypt@airmail.cc
92.63.8.47
92.63.32.2
92.63.37.100
92.63.194.20
92.63.17.245
92.63.32.55
92.63.11.151
92.63.194.3
92.63.15.8
92.63.29.137
92.63.32.57
92.63.15.56
92.63.11.151
92.63.32.52
92.63.15.6
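Added example, not part of the analyst's notes above and not code from the sample: a small Python script that turns notes in this format into structured indicators (SHA-256, e-mail addresses, IPv4 addresses, and the two "Whitelisted" lists) and reproduces the directory/file exclusion check, so a responder can explain which paths on a host the sample would have skipped. The embedded NOTES text is a constructed excerpt of this page; the doubled backslashes are read as C-style escaped literals and collapsed. The matching rules in is_excluded (case-insensitive substring match on directory fragments, exact match on file names) are an assumption, since the notes do not state how the sample compares paths.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the notes file on this page (same format, fewer lines).
NOTES = r"""//SHA-256: 639af330da2d4389a6ecb1c3e26e5449c3c4fae7f198d158cbcdadc9466d1bcc
//h/t @malwrhunterteam
Whitelisted Directories:
:\\Windows
\\Program Files
\\Tor Browser\\
Whitelisted Files:
autorun.inf
desktop.ini
Ransomware Note (koreadec@tutanota.com) & IP:
Main e-mail: koreadec@tutanota.com<br>Reserve e-mail: yourrealdecrypt@airmail.cc
92.63.8.47
92.63.11.151
92.63.11.151
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _unique(items):
    """Deduplicate while keeping first-seen order (the notes repeat one IP)."""
    return list(dict.fromkeys(items))


def _unescape(fragment):
    """The dump shows path fragments as C-style literals with doubled backslashes."""
    return fragment.replace("\\\\", "\\")


def parse_notes(text):
    """Split the notes into 'Header:' sections and pull out the indicator lists."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A line ending in ':' (other than the '//' comment lines) starts a section.
        if line.endswith(":") and not line.startswith("//"):
            current = line[:-1].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {
        "sha256": _unique(h.lower() for h in SHA256_RE.findall(text)),
        "emails": _unique(EMAIL_RE.findall(text)),
        "ipv4": _unique(IPV4_RE.findall(text)),
        "excluded_dirs": [_unescape(d) for d in sections.get("whitelisted directories", [])],
        "excluded_files": [f.lower() for f in sections.get("whitelisted files", [])],
    }


def is_excluded(path, excluded_dirs, excluded_files):
    """Return True if the sample's exclusion lists would make it skip this path.

    Assumption: case-insensitive substring match on directory fragments and exact
    (case-insensitive) match on the file name; the notes do not state the rule.
    """
    p = PureWindowsPath(path)
    lowered = str(p).lower()
    if p.name.lower() in excluded_files:
        return True
    return any(frag.lower() in lowered for frag in excluded_dirs)


if __name__ == "__main__":
    iocs = parse_notes(NOTES)
    for key, values in iocs.items():
        print(f"{key}: {values}")
    for sample_path in (r"C:\Windows\System32\calc.exe", r"C:\Users\bob\Documents\q4.xlsx"):
        print(sample_path, "->", "skipped" if is_excluded(sample_path, iocs["excluded_dirs"], iocs["excluded_files"]) else "encrypted")
```

Running the script prints the extracted indicator lists and, for the two constructed sample paths, whether the exclusion lists would have spared them; feeding the full notes file instead of the NOTES excerpt yields the complete IP and address lists from this page.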