Closed marcofattorelli closed 4 years ago
Hello Marco, sure. You can contact me at poxyratab [-] gmail or just write your doubts here. As you wish.
We've noticed that the sample uses various countermeasures against debugging: PEB check, hard-coded process hashes (i.e. to kill procmon), GetTickCount(). We've already patched them and now we're looking for the address of the allocated memory (in your guide 00180000) in order to do the dump. As you can see in the attached screenshot we've run it 3 times, but in EAX we didn't obtain anything interesting. Are we doing something wrong? And at which point shall we do the dump? If you want I can share the sample with you. Thank you very much for your help.
I don't remember any anti-debug technique in the samples I've analyzed (at least up to the point of dumping described in the tutorial); in fact, the unpacking process was very straightforward. It wasn't even necessary to use any kind of anti-* plugin. What sample are you looking at? (hash) Maybe you got a variant?
This is the hash: 24da3ccf131b8236d3c4a8cc29482709531232ef9c9cba38266b908439dea063
Got it. Give me some time to look at it and get back to you with the details.
Thank you very much!
Just took a look at it and the sample doesn't seem to be packed. In fact, you can check the string references and see things like this:
And if you look at the IAT, you'll also see API calls that are very common in ransomware (finding files, encrypting files, remote connections, etc.):
However, the code looks really obfuscated. You'll need to deal with it in order to analyze the whole functioning of the sample.
Just in case, here's a snippet of the code at the EP of the Maze packer I've analyzed:
00C67927 > $ E8 8B4D0000 CALL 49cdc857.00C6C6B7
00C6792C . E9 00000000 JMP 49cdc857.00C67931
00C67931 > 6A 14 PUSH 14
00C67933 . 68 58BCC700 PUSH 49cdc857.00C7BC58
00C67938 . E8 631A0000 CALL 49cdc857.00C693A0
00C6793D . E8 5C4F0000 CALL 49cdc857.00C6C89E
00C67942 . 0FB7F0 MOVZX ESI,AX
00C67945 . 6A 02 PUSH 2 ; /Arg1 = 00000002
00C67947 . E8 1E4D0000 CALL 49cdc857.00C6C66A ; \49cdc857.00C6C66A
00C6794C . 59 POP ECX
00C6794D . B8 4D5A0000 MOV EAX,5A4D
00C67952 . 66:3905 0000C>CMP WORD PTR DS:[C60000],AX
00C67959 . 74 04 JE SHORT 49cdc857.00C6795F
00C6795B > 33DB XOR EBX,EBX
00C6795D . EB 33 JMP SHORT 49cdc857.00C67992
00C6795F > A1 3C00C600 MOV EAX,DWORD PTR DS:[C6003C]
00C67964 . 81B8 0000C600>CMP DWORD PTR DS:[EAX+C60000],4550
00C6796E .^ 75 EB JNZ SHORT 49cdc857.00C6795B
00C67970 . B9 0B010000 MOV ECX,10B
00C67975 . 66:3988 1800C>CMP WORD PTR DS:[EAX+C60018],CX
00C6797C .^ 75 DD JNZ SHORT 49cdc857.00C6795B
00C6797E . 33DB XOR EBX,EBX
00C67980 . 83B8 7400C600>CMP DWORD PTR DS:[EAX+C60074],0E
00C67987 . 76 09 JBE SHORT 49cdc857.00C67992
00C67989 . 3998 E800C600 CMP DWORD PTR DS:[EAX+C600E8],EBX
00C6798F . 0F95C3 SETNE BL
00C67992 > 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
00C67995 . E8 DD440000 CALL 49cdc857.00C6BE77
What you really need here with your sample is to de-obfuscate it rather than unpacking it (that's why you couldn't follow the tutorial). The first layers are gone. What's left is the core of the ransomware.
Regarding de-obfuscation, you can check the following articles:
And these are some scripts that were created for the task (I think): https://github.com/Blueliv/maze-deobfuscation
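The entry-point listing quoted above tests a handful of PE header fields at fixed offsets from the PE signature: the 'MZ' and 'PE\0\0' signatures, the optional header Magic at +0x18 (0x10B, PE32), NumberOfRvaAndSizes at +0x74 (must exceed 14) and DataDirectory[14] at +0xE8 (the CLR/COM descriptor), then records the result in EBX via SETNE BL. The script below is an added example, not code from this thread or from the Blueliv repository: it reproduces that exact sequence of checks in Python over a constructed, minimal PE header so you can see what the snippet decides. Note that the same comparison sequence is what the Visual C++ CRT startup code uses to decide whether an image is a managed (.NET) executable, so seeing it right at the entry point is a CRT fingerprint rather than something specific to a packer. The `build_image` helper and its default values are assumptions made for the example.

```python
import struct

# Constructed, minimal 32-bit PE image (not a real sample): a DOS header,
# the PE signature, a COFF header and a PE32 optional header with 16
# data directories. Only the fields the listing inspects are populated.
def build_image(clr_rva: int = 0, num_dirs: int = 16, magic: int = 0x10B) -> bytes:
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header at 0x40
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                        # PE32 optional header, 16 dirs
    struct.pack_into("<H", opt, 0x00, magic)     # Magic
    struct.pack_into("<I", opt, 0x5C, num_dirs)  # NumberOfRvaAndSizes
    if clr_rva:
        # DataDirectory[14] = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (RVA, Size)
        struct.pack_into("<II", opt, 0x60 + 14 * 8, clr_rva, 0x48)
    return bytes(dos) + coff + bytes(opt)


def is_managed_image(image: bytes) -> bool:
    """Mirror the checks in the listing; the return value is EBX at 00C67992.

    Every early exit corresponds to the XOR EBX,EBX / JMP path (EBX = 0).
    Offsets are relative to the PE signature, exactly as EAX is used there.
    """
    try:
        # CMP WORD PTR [base], 'MZ'
        if image[0:2] != b"MZ":
            return False
        # MOV EAX, [base+3C]  (e_lfanew)
        pe = struct.unpack_from("<I", image, 0x3C)[0]
        # CMP DWORD PTR [EAX+base], 4550 ('PE\0\0')
        if struct.unpack_from("<I", image, pe)[0] != 0x4550:
            return False
        # CMP WORD PTR [EAX+base+18], 10B  (optional header Magic, PE32)
        if struct.unpack_from("<H", image, pe + 0x18)[0] != 0x10B:
            return False
        # CMP DWORD PTR [EAX+base+74], 0E ; JBE  (NumberOfRvaAndSizes must be > 14)
        if struct.unpack_from("<I", image, pe + 0x74)[0] <= 0xE:
            return False
        # CMP DWORD PTR [EAX+base+E8], EBX ; SETNE BL  (CLR directory RVA != 0)
        return struct.unpack_from("<I", image, pe + 0xE8)[0] != 0
    except struct.error:
        # A header truncated before one of these fields cannot pass the check.
        return False


if __name__ == "__main__":
    for label, img in [
        ("native PE32", build_image()),
        ("managed PE32", build_image(clr_rva=0x2008)),
        ("only 14 data directories", build_image(clr_rva=0x2008, num_dirs=14)),
        ("PE32+ magic", build_image(clr_rva=0x2008, magic=0x20B)),
    ]:
        print(f"{label:28s} -> EBX = {int(is_managed_image(img))}")
```

To run the same logic on a real file, read it with `open(path, "rb").read()` and pass the bytes to `is_managed_image`; the offsets are file offsets here and RVAs in the loaded image, which coincide for the headers because they sit at the start of both.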
The hash that I sent refers to the obfuscated sample (otherwise you couldn't have found the correct one). I've already used a Blueliv script (it worked!). So the sample is already unpacked... perfect! Thank you a lot and sorry for the trouble.
No problem and good luck!
Hi, I'm trying to unpack a Maze ransomware sample following your guide, but I'm stuck. Where can I contact you? (if it is possible)