Manual Static Analysis (LLM-Assisted) — Makop Ransomware | Threat: CRITICAL

File Identity

SHA256:        d9bed1a2f69d9c144006a97ee6eedaaa9cd94e9428e54d93f85c4a7f1898eab7
Original Name: encry.exe
Size:          29,629 bytes
PDB Path:      C:\Users\oooop\Documents\rsa_file\encry\encry\obj\Release\encry.pdb
Language:      .NET Framework 4.8

C2 / Ransom Contact Details

Contact E-mail: new_pings@tutanota.com
Payment:        Bitcoin (BTC) — the price depends on how quickly the victim makes contact

Encryption Mechanism

The binary contains an RSA public key in cleartext. This key is used to encrypt the session key that encrypts the files; the private key is held only by the attacker.
<RSAKeyValue>
  <Modulus>uD0zxzuH/SE5Yw8ib0amuwGuy8VHnFcqs4n97ShPx4/D0f9IstPpCTvg4SijYm9v...
  (full key: 2048-bit RSA)</Modulus>
  <Exponent>AQAB</Exponent>
</RSAKeyValue>

Ransom Note (Read from Cleartext Strings)

FILE RECOVERY.txt and DECRYPT-FILES.html

YOUR FILES ARE ENCRYPTED !!!
TO DECRYPT, FOLLOW THE INSTRUCTIONS:
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee: Before paying you can send us up to 1 file for free decryption.
The total size of files must be less than 1Mb (non archived)...

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
If you delete a file with an extension (_TMP) This will cause this file to permanently damage!!!!

Write us to the e-mail: new_pings@tutanota.com

Targeted File Types — Databases in Particular!

In this sample, Makop specifically targets database files:

Category        Targeted Extensions
SQLite          sqlite, sqlite3, sqlitedb, db-journal, db-shm, db-wal
PostgreSQL      pqsql, pgdump, pgdata
MySQL/MariaDB   mysql, mariadb, database
MongoDB         mongodb
MS Access       accdb, accdc, accde
Other           parquet, geojson, proto, swift

Anti-Recovery Commands (from Binary Strings)

vssadmin.exe delete shadows /all /quite   (delete all shadow copies; "quiet" is misspelled)
/c net stop wscsvc                         (stop the Windows Security Center service)
SELECT * FROM SystemRestore               (query restore points via WMI)
DeleteAllRestorePoints                    (delete all restore points)
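A defender-side detection sketch for the anti-recovery command lines above, added here and not part of the original analysis: the Sysmon-style process-creation records are constructed, and the rule names and pid values are assumptions. The misspelled /quite switch is matched separately so that a generic shadow-deletion alert can be tied back to this sample.

```python
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry); pid and image values are made up.
SAMPLE_EVENTS = [
    {"pid": 4412, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quite"},
    {"pid": 4420, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net stop wscsvc"},
    {"pid": 4501, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 4602, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

# Detection rules keyed on the anti-recovery strings found in the binary (rule names are assumptions).
RULES = {
    # Any shadow-copy deletion, whatever switches follow (/all, /quiet, or the misspelled /quite).
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    # Stopping the Windows Security Center service.
    "security_center_stop": re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+wscsvc\b", re.I),
}

# The misspelled switch is a string lifted from this sample; a hit on it is a
# stronger attribution signal than the generic rules above.
MAKOP_TYPO = re.compile(r"\s/quite\b", re.I)


def scan_events(events):
    """Return one finding per (event, rule) match, flagging the sample-specific typo."""
    findings = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                findings.append({
                    "pid": ev["pid"],
                    "rule": name,
                    "cmdline": ev["cmdline"],
                    "makop_typo": bool(MAKOP_TYPO.search(ev["cmdline"])),
                })
    return findings


def assess(findings):
    """Escalate when more than one anti-recovery rule fires in the same batch."""
    rules_hit = {f["rule"] for f in findings}
    if len(rules_hit) >= 2:
        return "critical"
    return "medium" if rules_hit else "none"
```

Feed scan_events the command lines from process-creation telemetry; a benign "vssadmin list shadows" produces no finding, while the deletion plus the wscsvc stop in one batch escalates to critical.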

Developer Trace

The PDB path reveals the full project location on the developer's machine:

C:\Users\oooop\Documents\rsa_file\encry\encry\obj\Release\encry.pdb
Username: oooop
Project:  rsa_file/encry (RSA-based encryptor)

IOC

SHA256:                   d9bed1a2f69d9c144006a97ee6eedaaa9cd94e9428e54d93f85c4a7f1898eab7
Contact:                  new_pings@tutanota.com
Ransom Note:              FILE RECOVERY.txt, DECRYPT-FILES.html
Encrypted-File Extension: _TMP (temporary)
PDB Username:             oooop
Anti-Recovery:            vssadmin delete shadows, net stop wscsvc

How to Remove / What to Do First?

  1. Disconnect the system from the network immediately to prevent spread to other systems
  2. Check whether the shadow copies have been deleted
  3. Do NOT rename or delete the affected files
  4. If you have a backup, prefer restoring to a clean system (paying is not recommended)
  5. Search other systems for samples whose PDB path matches the C:\Users\oooop pattern

Makop — Malware Profile

Makop is a ransomware family developed in 2020 by Eastern Europe-based threat actors. It uses hybrid RSA + AES encryption and specifically targets database files (sqlite, postgresql, mysql, mongodb). It communicates through a Tutanota e-mail address and demands payment in Bitcoin. It deletes shadow copies with vssadmin.

Malware Type
Ransomware
Programming Language
C++
C2 Protocol
TCP
Target Systems
Windows

Technical Details

Ransomware family: AES/RSA hybrid encryption, file extension change, shadow copy deletion, key exchange with the C2, ransom note drop, focus on user documents

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — Makop
Type     Value                                                             Note
sha256   d9bed1a2f69d9c144006a97ee6eedaaa9cd94e9428e54d93f85c4a7f1898eab7  -

C2 Servers (1 recorded server for this family)

Address                  Type    Port  Protocol  Status    Country
new_pings@tutanota.com   domain  -     -         inactive  -

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
makop, ransomware, fidye-yazilimi, rsa, vssadmin, database-sifrele, tutanota, shadow-delete, pdb-oooop