| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Maze has communicated to hard-coded IP addresses via HTTP.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.[3] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The Maze encryption process has used batch scripts with various commands.[1][3] |
| Enterprise | T1486 | Data Encrypted for Impact | Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[1] |
| Enterprise | T1568 | Dynamic Resolution | Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc. while making a connection with the C2, hindering detection efforts.[2] |
| Enterprise | T1564.006 | Hide Artifacts: Run Virtual Instance | Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine.[3] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[2] It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.[3] |
| Enterprise | T1070 | Indicator Removal on Host | Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[2] |
| Enterprise | T1490 | Inhibit System Recovery | Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[2][3] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware.[3] |
| Enterprise | T1106 | Native API | Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[2] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.[2] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Maze has injected the malware DLL into a target process.[2][3] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Maze has created scheduled tasks using name variants such as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update", to launch Maze at a specific time.[3] |
| Enterprise | T1489 | Service Stop | Maze has stopped SQL services to ensure it can encrypt any database.[3] |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using |
| Enterprise | T1082 | System Information Discovery | Maze has checked the language of the infected system using the "GetUserDefaultUILanguage" function.[2] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Maze has checked the language of the machine with function |
| Enterprise | T1049 | System Network Connections Discovery | Maze has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions to enumerate the network resources on the infected machine.[2] |
| Enterprise | T1529 | System Shutdown/Reboot | Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[3] |
| Enterprise | T1047 | Windows Management Instrumentation | Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.[2][3] |
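Several rows in the table above (T1547.001, T1490, T1562.001, T1489, T1053.005/T1036.004) describe behaviour that leaves traces in ordinary Windows telemetry: a file in the Startup folder, a shadow-copy deletion on the command line, Defender real-time monitoring being switched off, a SQL service stop, and a scheduled task with one of the names quoted on the page. The following Python sketch is an added example, not part of the ATT&CK page and not derived from any Maze sample; it maps such events to technique IDs. The event records, their field names (`type`, `command_line`, `task_name`, `path`) and the sample values are constructed for this example and only loosely resemble Sysmon or Security-log fields; the `vssadmin` pattern is included as the common non-WMI path to the same result, not because the page attributes it to Maze.

```python
"""Map constructed Windows log events to the Maze-related ATT&CK techniques above.

Added example; not from the ATT&CK page or any Maze sample. Field names are
assumptions for this sketch, not a real log schema.
"""
import re
from typing import Dict, List, Tuple

# Scheduled-task names quoted in the T1036.004 / T1053.005 rows.
MASQUERADE_TASK_NAMES = {
    "windows update security",
    "windows update security patches",
    "google chrome security update",
}

# Shadow-copy deletion (T1490). The page says Maze used WMI; vssadmin is the
# other well-known route and is included so the rule is not WMI-only.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
]

# Defender real-time monitoring turned off via the Set-MpPreference cmdlet (T1562.001).
DEFENDER_DISABLE = re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I)

# net/sc stop of a service whose name contains "sql" (T1489).
SQL_SERVICE_STOP = re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*sql\S*", re.I)

# The startup batch file named in the T1547.001 row, under a per-user Startup folder.
STARTUP_BAT = re.compile(r"\\start menu\\programs\\startup\\startup_vrun\.bat$", re.I)


def classify_event(event: Dict[str, object]) -> List[str]:
    """Return the sorted technique IDs a single event matches (empty list if none)."""
    hits = set()
    kind = event.get("type")
    if kind == "task_created":
        name = str(event.get("task_name", "")).strip().lower()
        if name in MASQUERADE_TASK_NAMES:
            hits.update({"T1053.005", "T1036.004"})
    elif kind == "process_created":
        cmd = str(event.get("command_line", ""))
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            hits.add("T1490")
        if DEFENDER_DISABLE.search(cmd):
            hits.add("T1562.001")
        if SQL_SERVICE_STOP.search(cmd):
            hits.add("T1489")
    elif kind == "file_created":
        if STARTUP_BAT.search(str(event.get("path", ""))):
            hits.add("T1547.001")
    return sorted(hits)


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Classify a batch of events, keeping only those that matched at least one technique."""
    results = []
    for event in events:
        techniques = classify_event(event)
        if techniques:
            results.append((int(event["id"]), techniques))
    return results


# Constructed sample events: five that should fire, two benign ones that should not.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_created", "command_line": "wmic.exe shadowcopy delete"},
    {"id": 2, "type": "task_created", "task_name": "Windows Update Security"},
    {"id": 3, "type": "process_created",
     "command_line": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 4, "type": "process_created", "command_line": "net stop MSSQLSERVER"},
    {"id": 5, "type": "file_created",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup_vrun.bat"},
    {"id": 6, "type": "task_created", "task_name": "Adobe Acrobat Update Task"},
    {"id": 7, "type": "process_created", "command_line": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for event_id, techniques in scan(SAMPLE_EVENTS):
        print(event_id, techniques)
```

The matching here is deliberately narrow (exact task names, a handful of command-line shapes) so that it stays readable; in a real pipeline the task-name set would be one of several signals, since the same names are trivially changed, while the shadow-copy deletion and Defender changes are worth alerting on regardless of which malware family issues them.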
| ID | Name | References |
|---|---|---|
| G0037 | FIN6 | |