File Identification
| SHA256 | d9bed1a2f69d9c144006a97ee6eedaaa9cd94e9428e54d93f85c4a7f1898eab7 |
|---|---|
| Original Name | encry.exe |
| Size | 29,629 bytes |
| PDB Path | C:\Users\oooop\Documents\rsa_file\encry\encry\obj\Release\encry.pdb |
| Language | .NET Framework 4.8 |
C2 / Ransom Contact Information
| Contact E-mail | new_pings@tutanota.com |
|---|---|
| Payment | Bitcoin (BTC) — price depends on how quickly the victim makes contact |
Encryption Mechanism
The embedded public key is stored in .NET's RSAKeyValue XML format (the modulus is truncated here):
<RSAKeyValue>
  <Modulus>uD0zxzuH/SE5Yw8ib0amuwGuy8VHnFcqs4n97ShPx4/D0f9IstPpCTvg4SijYm9v... (full key: 2048-bit RSA)</Modulus>
  <Exponent>AQAB</Exponent>
</RSAKeyValue>
Ransom Note (read from a cleartext string)
YOUR FILES ARE ENCRYPTED !!!
TO DECRYPT, FOLLOW THE INSTRUCTIONS:
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee: Before paying you can send us up to 1 file for free decryption.
The total size of files must be less than 1Mb (non archived)...
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
If you delete a file with an extension (_TMP) This will cause this file to permanently damage!!!!
Write us to the e-mail: new_pings@tutanota.com
Targeted File Types — Especially Databases!
In this sample, Makop specifically targets database files:
| Category | Targeted Extensions |
|---|---|
| SQLite | sqlite, sqlite3, sqlitedb, db-journal, db-shm, db-wal |
| PostgreSQL | pqsql, pgdump, pgdata |
| MySQL/MariaDB | mysql, mariadb, database |
| MongoDB | mongodb |
| MS Access | accdb, accdc, accde |
| Other | parquet, geojson, proto, swift |
Anti-Recovery Commands (from binary strings)
- vssadmin.exe delete shadows /all /quite (deletes shadow copies; "/quite" is a misspelling of "/quiet")
- /c net stop wscsvc (stops the Windows Security Center service)
- SELECT * FROM SystemRestore (queries restore points via WMI)
- DeleteAllRestorePoints (deletes all restore points)
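As an added example (not part of the original profile and not code from the sample), the following Python scans endpoint telemetry lines for the four anti-recovery strings listed above. The log format, its field names and the sample lines are constructed assumptions; the patterns themselves come straight from the strings in the profile, and the vssadmin pattern deliberately accepts both the correct "/quiet" switch and this sample's "/quite" misspelling.

```python
import re
from dataclasses import dataclass

# Indicator patterns derived from the command strings listed in the profile.
# The vssadmin pattern accepts both "/quiet" and the "/quite" typo carried by
# this sample, so either spelling raises the same alert.
ANTI_RECOVERY_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/qui(?:et|te)\b", re.IGNORECASE),
    "security_center_stop": re.compile(
        r"\bnet(?:\.exe)?\s+stop\s+wscsvc\b", re.IGNORECASE),
    "restore_point_query": re.compile(
        r"SELECT\s+\*\s+FROM\s+SystemRestore\b", re.IGNORECASE),
    "restore_point_deletion": re.compile(
        r"\bDeleteAllRestorePoints\b", re.IGNORECASE),
}


@dataclass
class Hit:
    line_no: int        # 1-based index into the scanned log
    indicator: str      # key from ANTI_RECOVERY_PATTERNS
    command_line: str   # the matching log line, stripped


def detect_anti_recovery(log_lines):
    """Return one Hit per (line, indicator) match over telemetry log lines."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for indicator, pattern in ANTI_RECOVERY_PATTERNS.items():
            if pattern.search(line):
                hits.append(Hit(line_no, indicator, line.strip()))
    return hits


def uses_misspelled_quiet(command_line):
    """True when the sample-specific "/quite" typo is present. Handy for tagging a
    hit as consistent with this build rather than with an administrator's own
    vssadmin usage, which would normally spell the switch correctly."""
    return re.search(r"/quite\b", command_line, re.IGNORECASE) is not None


# Constructed sample lines in a hypothetical key=value telemetry format
# (field names are an assumption, not the output of any particular product).
SAMPLE_LOG = [
    'ts=2024-01-01T10:00:01Z host=WS01 parent=encry.exe image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /c vssadmin.exe delete shadows /all /quite"',
    'ts=2024-01-01T10:00:02Z host=WS01 parent=encry.exe image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /c net stop wscsvc"',
    'ts=2024-01-01T10:00:03Z host=WS01 source=wmi-activity client=encry.exe '
    'query="SELECT * FROM SystemRestore"',
    # Benign: listing shadow copies is routine administration, not deletion.
    'ts=2024-01-01T10:05:00Z host=WS02 parent=explorer.exe image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin.exe list shadows"',
    'ts=2024-01-01T10:06:00Z host=WS02 parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe C:\\Users\\alice\\report.txt"',
]


if __name__ == "__main__":
    for hit in detect_anti_recovery(SAMPLE_LOG):
        typo = " (sample-specific /quite typo)" if uses_misspelled_quiet(hit.command_line) else ""
        print(f"line {hit.line_no}: {hit.indicator}{typo}")
```

Only the first three constructed lines should fire; `vssadmin list shadows` is intentionally left unmatched so the rule does not alert on ordinary administration, and the typo check gives an analyst a cheap way to separate this sample's activity from legitimate shadow-copy maintenance.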
Developer Trace
The PDB path reveals the full project location on the developer's machine:
C:\Users\oooop\Documents\rsa_file\encry\encry\obj\Release\encry.pdb
Username: oooop
Project: rsa_file/encry (RSA-based encryptor)
IOC
| SHA256 | d9bed1a2f69d9c144006a97ee6eedaaa9cd94e9428e54d93f85c4a7f1898eab7 |
|---|---|
| Contact | new_pings@tutanota.com |
| Ransom Note | FILE RECOVERY.txt, DECRYPT-FILES.html |
| Encryption Suffix | _TMP (temporary) |
| PDB User | oooop |
| Anti-Recovery | vssadmin delete shadows, net stop wscsvc |
How to Remove / What to Do First?
- Disconnect the system from the network immediately — prevent spread to other systems
- Check whether the shadow copies have been deleted
- Do NOT rename or delete the affected files
- If you have a backup, prefer restoring it onto a clean system (paying the ransom is not recommended)
- Search other systems for samples whose PDB path matches the C:\Users\oooop pattern
Makop — Malware Profile
Makop is a ransomware family developed in 2020 by threat actors based in Eastern Europe. It uses hybrid RSA + AES encryption and specifically targets database files (sqlite, postgresql, mysql, mongodb). It communicates through a Tutanota e-mail address and demands payment in Bitcoin. It deletes Shadow Copies with vssadmin.
Technical Details
Ransomware family: AES/RSA hybrid encryption, file extension modification, shadow copy deletion, key exchange with C2, ransom note drop, focus on user documents
Capabilities & Behavior
IOC List (1 indicator)
# SHA256
d9bed1a2f69d9c144006a97ee6eedaaa9cd94e9428e54d93f85c4a7f1898eab7
| Type | Value | Note |
|---|---|---|
| sha256 | d9bed1a2f69d9c144006a97ee6eedaaa9cd94e9428e54d93f85c4a7f1898eab7 | |
C2 Servers (1 recorded server for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| new_pings@tutanota.com | domain | — | — | inactive | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.