Author Topic: Analysis of NotPetya Ransom attack.  (Read 1803 times)

0 Members and 1 Guest are viewing this topic.

Offline TrueIndian

  • Poster
  • *
  • Posts: 434
Analysis of NotPetya Ransom attack.
« on: June 29, 2017, 06:45:38 PM »
Online Malware Analysis Report: https://www.reverse.it/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
VirusTotal Report: https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
Analysis mode: Static and Dynamic Analysis
Host Operating System: Windows 8.1 full patched with Avast free
Guest Operating System: Windows XP
Containment: VirtualBox
(Static Analysis) Analysis Tools Used: IDA Pro
(Static Analysis) Additional notes of events: Extension list of files that were going to encrypted.
Found evidences of post kernel exploitation too: IA32_SYSENTER_EIP after decoding kernel shellcode(Used a script from a analyst at twitter for IDA to do so). I confirm, this is more than just a WannaCry situation, Petya is not WannaCry,No kill switch, it does not spread between networks. it scans a /24 (max of 255 computers) on your LAN,NOT #Metasploit, which uses x64 shellcode #EternalBlue, the malware has an x86 payload
(Static Analysis) Analysis screenshots: Yes
(Dynamic Analysis) Analysis Tools Used: Process Hacker,Procmon
(Dynamic Analysis) Additional notes of events: Initial vector of infection is unknown rumor has it that its probably started spreading via spam then propagated with a dll execution.

Unlike wannacry this malware doesn't scan the internet to go ITW,This means the INITIAL INFECTION VECTOR into an organisation could be WebDAV, credential re-use, MS17-010 and potentially spearphishing too along with eternal Blue.

Malware creates a a scheduled task to shut down the system.IP's that the malware was connecting to when searching for the admin$ string.
(Dynamic Analysis) Analysis screenshots: Yes

Unlike WannaCry this attack DOES NOT SCAN THE INTERNET, it spreads on the local subnet and after completion it REBOOTS & ENCRYPTS drive.
New ransomware outbreak

So couple days bacl I was on twitter during the Night time and there were reports all Over the place about a new petya ransomware possibly using eternalblue.
Ransomware includes: Modified EternalBlue exploit A vulnerability in a third-party Ukrainian software product A second SMB network exploit


So I decided to grab a sample and do some insight on this malware.
#EternalBlue, the malware has an x86 payload as shown in the screenshot below.
The new #Petya ransomware can do lateral movement via WMI and PSExec. Drops dllhost.dat, which is really signed PSExec
The attackers xored (0xcc) the shellcode (eb) to make sure the signature does not automatically get detected by anti-virus.
Logs are also being deleted.After a restart either by the user or by the task that was scheduled,it throws up a fake chkdsk screen like petya then it gives you the ransom message.
the amount of IPs it scans is dependant on subnet mask, but still limited to local network.
65 different file types are targeted by the ransomware.
.3ds,.7z,.accdb,.ai,.asp,.aspx,.avhd,.back,.bak,.c,.cfg,.conf,.cpp,.cs,.ctl,.dbf,.disk,.djvu,.doc,.docx,.dwg,.eml,.fdb,.gz,.h,.hdd,.kdbx,.mail,.mdb,.msg,.nrg,.ora,.ost,.ova,.ovf,.pdf,.php,.pmf,.ppt,.pptx,.pst,.pvi,.py,.pyc,.rar,.rtf,.sln,.sql,.tar,.vbox,.vbs,.vcb,.vdi,.vfd,.vmc,.vmdk,.vmsd,.vmx,.vsdx,.vsv,.work,.xls,.xlsx,.xvd,.zip

If you are infected with the latest Petya/Whatever you want to call it, restoring your MBR will not fix anything. MFT is still encrypted.Do NOT turn off your computer as soon as chkdsk screen appears if you want to save your files.Essentially what happened is MeDoc (big financial software) was hacked and they pushed out the malware via the update feature.Drops dllhost.dat, which is really signed PSExec
Do not pay the #Petya ransom. You will not get your files back. The email address used is blocked! The malware waits for 10-60 minutes after the infection to reboot the system. Reboot is scheduled using system facilities with “at” or “schtasks” and “shutdown.exe” tools.

« Last Edit: June 29, 2017, 06:55:47 PM by TrueIndian »
Malware Hunter/Tester/Analysis
https://twitter.com/avman1995

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always.”
― Mahatma Gandhi

Offline TrueIndian

  • Poster
  • *
  • Posts: 434
Re: Analysis of NotPetya Ransom attack.
« Reply #1 on: June 29, 2017, 06:46:46 PM »
Here are some screenshots.  :)
« Last Edit: June 29, 2017, 07:00:08 PM by TrueIndian »
Malware Hunter/Tester/Analysis
https://twitter.com/avman1995

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always.”
― Mahatma Gandhi

Offline TrueIndian

  • Poster
  • *
  • Posts: 434
Re: Analysis of NotPetya Ransom attack.
« Reply #2 on: June 29, 2017, 06:48:20 PM »
Last set.
« Last Edit: June 29, 2017, 06:51:49 PM by TrueIndian »
Malware Hunter/Tester/Analysis
https://twitter.com/avman1995

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always.”
― Mahatma Gandhi

Offline Valinorum

  • Avant-garde Bot
  • Advanced Poster
  • **
  • Posts: 874
  • Shadow Hide The Hunter
Re: Analysis of NotPetya Ransom attack.
« Reply #3 on: June 30, 2017, 10:13:31 AM »
Thank you very much, TrueIndian for your share. :)
"The curse of Captain Morgan has led us to this fate
So have no fear, and don't look back, the afterlife awaits"