vulnersCom / Petya_ransomware.md

Save vulnersCom/65fe44d27d29d7a5de4c176baba45759 to your computer and use it in GitHub Desktop.

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

• Got new info? Email at isox@vulners.com or @isox_xx
• Some wrong info? Leave the comment, we will fix it!

Recent news, blog posts and mentions

Research list

Helpful vaccine (not killswitch!)

Looks like if you block C:\Windows\perfc.dat from writing/executing - stops #Petya. Is used for rundll32 import. https://twitter.com/HackingDave/status/879779361364357121 

Local kill switch - create file "C:\Windows\perfc" It kills WMI vector. Still need to patch MS17-010 for full protection. 

Credits:

• HackingDave
• Amit Serper (amit@cybereason.com)
• Positive Technologies

Group Policy Preferences to deploy the NotPetya vaccine

SCCM vaccine

Ransom

Infected with #Petya? DON'T PAY RANSOM, You wouldn't get your files back. Email used by criminals has been Suspended.

Bitcoin wallet monitoring

Samples:

• https://yadi.sk/d/QT0l_AYg3KXCqc
• https://yadi.sk/d/S0-ZhPY53KWc84
• https://yadi.sk/d/Zpkm88sp3KWc8v
• https://yadi.sk/d/WemMDKVy3KXPcy

Archive password: virus

Thanks to the https://twitter.com/OxFemale for the initial malware body.

Source code:

• Archive password: virus

Thanks to the @Sn0wFX_:

• svchost.exe
• 027cc450ef5f8c5f653329641ec1fed9.exe in pseudocode
• RTF payload data

Initial vector:

• Ukraine «М.Е. Doc» software
• Additionally, the initial attack vector by FireEye
• Here is the patch that mitigates the attack vector, CVE-2017-0199

Ransomware includes:

• Modified EternalBlue exploit
• A vulnerability in a third-party Ukrainian software product
• A second SMB network exploit

Origin (NO PROOF):

Petya was known to be RaaS (Ransomware-as-a-Service), selling on Tor hidden services. Looks like WannaCry copycat. Attribution will be hard. https://twitter.com/x0rz/status/879733138792099842

AvP Bypass

Confirmed AvP bypasing trick is being used by Petya ransomware to evade 6 popular anti-virus signatures (script) https://twitter.com/hackerfantastic/status/880012620698451968

Vulnerabilities/Vectors/Actions:

PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped and is legit PSEXEC bin Remote WMI, “process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1” Log clean, «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:» Creates a scheduled task that reboots 1 hour after infection. If task removed before the hour, does not reschedule and can buy time Petya also attempts to kill Exchange & MySQL if they are running. If you host either of these services and notice them die, this is including in it's infection process (svchost.exe) // by Mike "Bones" Flowers: Exec: C:\\windows\\system32\\cmd.exe Params: /c taskkill.exe /f /im Microsoft.Exchange.* Exec: C:\\windows\\system32\\cmd.exe Params: /c taskkill.exe /f /im MSExchange* Exec: C:\\windows\\system32\\cmd.exe Params: /c taskkill.exe /f /im sqlserver.exe Exec: C:\\windows\\system32\\cmd.exe Params: /c taskkill.exe /f /im sqlwriter.exe Exec: C:\\windows\\system32\\cmd.exe Params: /c taskkill.exe /f /im mysqld.exe 

The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin) Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism 

Test local account behavior [NOT TESTED]:

Don't know if you have also noticed, but it only encrypted the MFT records for my test user account profile folders, the default Windows accounts Administrator, default user etc were all untouched, my test account was local so I don't know what behaviour would be expected for domain account profile folders.

100% on the sample used by me and on a standalone computer, user files were encrypted prior to reboot and the malware was not able to escalate privileges to deploy the MFT encryption payload, no instructions were deposited about recovering these files

Possible IP addresses:

185.165.29.78 84.200.16.242 111.90.139.247 95.141.115.108 

Email:

wowsmith123456@posteo.net iva76y3pr@outlook.com // by WhiteWolfCyber carmellar4hegp@outlook.com // by WhiteWolfCyber amanda44i8sq@outlook.com // by WhiteWolfCyber gabrielai59bjg@outlook.com christagcimrl@outlook.com amparoy982wa@outlook.com rachael052bx@outlook.com sybilm0gdwc@outlook.com christian.malcharzik@gmail.com 

Email forms and attachment:

The subject in this case are formed like that (for targed "targed.emailName@targedDomain.com"): targed.emailName The body: Hello targed.emailName, You will be billed $ 2,273.42 on your Visa card momentarily. Go through attachment to avoid it. Password is 6089 With appreciation! Prince Attached file name: Scan_targed.emailName.doc 

Analysis:

• https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
• https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
• https://www.hybrid-analysis.com/sample/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206?environmentId=100
• https://www.hybrid-analysis.com/sample/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6?environmentId=100
• https://twitter.com/PolarToffee/status/879709615675641856

Targeted extensions by @GasGeverij

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip. 

IOCs

securelist.com

0df7179693755b810403a972f4466afb 42b2ff216d14c2c8387c8eabfb1ab7d0 71b6a493388e7d0b40c83ce903bc6b04 e285b6ce047015943e685e6638bd837e e595c02185d8e12be347915865270cca 

blogs.technet.microsoft.com

34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d 9717cfdc2d023812dbc84a941674eb23a2a8ef06 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf 56c03d8e43f50568741704aee482704a4f5005ad 

talosintelligence.com

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 

Droppers sent via email by WhiteWolfCyber:

9B853B8FE232B8DED38355513CFD4F30 CBB9927813FA027AC12D7388720D4771 22053C34DCD54A5E3C2C9344AB47349A702B8CFDB5796F876AEE1B075A670926 1FE78C7159DBCB3F59FF8D410BD9191868DEA1B01EE3ECCD82BCC34A416895B5 EEF090314FBEC77B20E2470A8318FC288B2DE19A23D069FE049F0D519D901B95 

Codexgigas team:

a809a63bc5e31670ff117d838522dec433f74bee bec678164cedea578a7aff4589018fa41551c27f d5bf3f100e7dbcc434d7c58ebf64052329a60fc2 aba7aa41057c8a6b184ba5776c20f7e8fc97c657 0ff07caedad54c9b65e5873ac2d81b3126754aac 51eafbb626103765d3aedfd098b94d0e77de1196 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f 7ca37b86f4acc702f108449c391dd2485b5ca18c 2bc182f04b935c7e358ed9c9e6df09ae6af47168 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5 82920a2ad0138a2a8efc744ae5849c6dde6b435d 

msuice

41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8dc3bae763d18ccf 

SNORT rules for the detection by Positive Technologies (ptsecurity.com):

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;) alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;) alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;) alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;) alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;) 

Sagan log analysis rules for the detection by Quadrant Information Security (quadrantsec.com) - Note: These are NOT Snort/Suricata rules! See http://sagan.io for more details:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5e e4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128 cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;) 

Links

• Has sysinternal utilities signature
• Uses the The GetExtendedTcpTable function to get a list of available endpoints
• List of extensions targeted
• Indicates possible usage of PSEXEC, on windows that means the admin$ and c$ shares.
• It is confirmed that the sample 027cc. contains PSEXEC
• Friends in Ukraine are telling me this helps to recover from Petya (untested)
• Petya— Enhanced WannaCry? What we know so far.
• #Petya uses long #sleep functions: if infected you have 30-40 mins to turn off your computer to save it from ransom.
• Found evidences of post kernel exploitation too: IA32_SYSENTER_EIP after decoding kernel shellcode
• #Petya uses LSADump to get Admin password and infect all network. There is no need for #EternalBlue vulnerable PCs.
• Japan Computer Emergency Response Team Coordination Center Report

Fix suggest by @MrAdz350

If you can boot to a Windows ISO prior to Frist reboot you can use bootrec tool to prevent MBR overwriting as per https://neosmart.net/wiki/fix-mbr