Petya SCS2017 en
https://www.youtube.com/watch?v=Vor9sWpJQHw
Behavioral analysis
Behavior of the malware: High level attack
1. Encrypts files with selected extensions (using AES + RSA):
3ds 7z accdb ai asp aspx avhd back bak c cfg conf cpp cs ctl dbf disk djvu doc docx dwg eml fdb gz h hdd kdbx mail mdb msg nrg ora ost ova ovf pdf php pmf ppt pptx pst pvi py pyc rar rtf sln sql tar vbox vbs vcb vdi vfd vmc vmdk vmsd vmx vsdx vsv work xls xlsx xvd zip
2. Drops a ransom note:
3. Reboot is scheduled:
4. We can see the malware scanning our LAN, in order to spread to other machines...
5. Master Boot Record is overwritten with the malicious bootloader and the kernel, that is meant to deploy the low level attack after the reboot
Behavior of the malware: Low level attack
1. When the machine boots again, the malicious kernel is loaded...
(This CHKDSK is fake! In reality the malware encrypts the MFT using the Salsa20 algorithm.)
2. After encrypting the MFT, the ransom demand is shown on the screen:
(The low level attack looks exactly like Petya, but the skull and the malware name are missing...)
Behavior summary
A new Petya/Goldeneye?
Last year’s edition of Petya:
Do you remember last year’s Petya?
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
• Dropper (Windows EXE)
  • overwrites the disk’s beginning with the Petya kernel
• Petya kernel
  • performs the disk encryption (MFT)
Behavior summary
Let’s have a look inside...
The components involved
• 71b6a493388e7d0b40c83ce903bc6b04 – the main DLL, installed as C:\Windows\perfc.dat, run by: rundll32.exe <path>,#1
• Mimikatz-like components for stealing credentials (they are used for further spreading the malware in the LAN)
• 2813d34f6197eb4df42c886ec7f234a1 – 32 bit version
• 7e37ab34ecdcc3e77e24522ddfd4852d – 64 bit version
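A detection check for the execution pattern listed above (rundll32.exe loading perfc.dat by ordinal #1, optionally with the -h <ip> argument described later in the talk). This is an added example, not the speaker's tooling; the log format and the sample events are constructed.

```python
import re

# Constructed sample process-creation events (not real telemetry), written
# as "image|command line" for simplicity.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\perfc.dat,#1",
    r"C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\perfc.dat,#1 -h 10.0.0.5",
    r"C:\Windows\System32\notepad.exe|notepad.exe report.txt",
]

# The invocation described on the slide: rundll32 calling export ordinal #1
# of a file named perfc.dat. Path and spacing are matched loosely so that
# "perfc.dat,#1" and "perfc.dat , #1" both hit; "#10" or "#2" do not.
PERFC_PATTERN = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<path>\S*perfc\.dat)\s*,\s*#1\b", re.IGNORECASE
)

def find_perfc_invocations(events):
    """Return (image, dll_path) for every event whose command line matches."""
    hits = []
    for event in events:
        image, _, cmdline = event.partition("|")
        match = PERFC_PATTERN.search(cmdline)
        if match:
            hits.append((image, match.group("path")))
    return hits

if __name__ == "__main__":
    for image, path in find_perfc_invocations(SAMPLE_EVENTS):
        print(f"suspicious rundll32 ordinal #1 call: {image} -> {path}")
```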
Conclusion: it is a Petya
Petya or not? Comparing the code...
• Let’s take a closer look at the differences...
(Missing optimizations. This assembly code can never be generated if the code was recompiled.)
Conclusion: it is a Petya, but not a legitimate strain – not recompiled from the original source. The Petya kernel was pirated and stolen from the original author.
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
Ransomware or not?
• Yes, because it demanded a ransom and successfully collected money
(The victim ID is a random string, generated BEFORE the encryption key is made)
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
Conclusion: the attackers deliberately decided not to preserve the key.
But why?
Ransomware or not? – Unfinished work?
• Sometimes it happens, e.g. Satana ransomware, which was deployed in the wild on a small scale, was also unfinished...
https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/
• The authors of Petya.A/NotPetya tried to reimplement some features of the original Petya on their own, e.g. preserving the original MBR obfuscated by XOR with 0x7
(Accurate imitation of the original Petya’s behavior)
(The original MBR is preserved in sector 34)
• However: if the ransomware is just a cover, why didn’t the authors finish the cover? The fact of not preserving the key could be easily obfuscated, e.g. by pretending that it is sent to a dead CnC server...
https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack
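A forensic helper for the MBR-preservation behaviour described above: read sector 34 of a disk image, undo the XOR with 0x7, and check that the result carries the 0x55 0xAA boot signature before treating it as the original MBR. This is an added example, not code from the talk; the demo image and its "original MBR" are constructed, and the sector size of 512 bytes is an assumption.

```python
SECTOR_SIZE = 512           # assumed sector size
BACKUP_SECTOR = 34          # from the slide: original MBR kept in sector 34
XOR_KEY = 0x07              # from the slide: obfuscated by XOR with 0x7

def xor_sector(data, key=XOR_KEY):
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)

def read_sector(image, index):
    start = index * SECTOR_SIZE
    sector = image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"sector {index} lies outside the image")
    return sector

def recover_original_mbr(image):
    """De-obfuscate sector 34 and validate it as an MBR.

    Returns the 512-byte candidate, or None when the boot signature
    (0x55 0xAA at offset 510) is missing after de-obfuscation.
    """
    candidate = xor_sector(read_sector(image, BACKUP_SECTOR))
    if candidate[510:512] != b"\x55\xaa":
        return None
    return candidate

def build_demo_image():
    """Constructed sample: a fake original MBR, and a 64-sector image whose
    sector 0 was overwritten and whose sector 34 holds the XORed copy."""
    original_mbr = (b"\xfa\x33\xc0\x8e\xd0"                 # constructed boot stub
                    + b"DEMO-MBR".ljust(510 - 5, b"\x00")
                    + b"\x55\xaa")
    sectors = [bytes(SECTOR_SIZE)] * 64
    sectors[0] = b"\x90" * SECTOR_SIZE                    # bootloader stand-in
    sectors[BACKUP_SECTOR] = xor_sector(original_mbr)
    return b"".join(sectors), original_mbr

if __name__ == "__main__":
    image, original = build_demo_image()
    recovered = recover_original_mbr(image)
    print("recovered MBR matches original:", recovered == original)
```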
What is new?
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/
The infector: finding network targets
• Targets are collected on a global list
• Multiple sources:
1. command line argument (-h <ip>)
The infector: dumping credentials
• The malware comes with a mimikatz-based tool for dumping credentials
(The credentials are sent to the malware over a pipe...)
(They are used for lateral movements)
Conditional paths
The malware has several paths of execution. The flags are set depending on:
https://blog.nviso.be/2017/06/30/recovering-custom-hashes-for-the-petyanotpetya-malware/
• Does it always deploy the low-level attack?
• No, if avp.exe (Kaspersky AV) is detected, it does not write the Petya kernel at the beginning of the disk... Instead, it overwrites those sectors with random data
(avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared); 8 = 1000b (check 4-th bit))
(If avp is detected, the buffer is written, but not filled with Petya’s code)
https://securelist.com/no-free-pass-for-expetr/79008/
avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared)
NS.exe or ccSvcHst.exe detected -> options2 &= 0xFFFFFFFB = -5 (3rd bit is cleared)
Options2 checked: 1, 2, 4, 8, 16
(The options that are set are fewer than the options that are checked...)
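A small model of the flag logic on the two slides above, to make the masks concrete: why 0xFFFFFFF7 shows up as -9 in a disassembler, and which of the checked option bits survive each process-name check. This is an added example, not the malware's code or the speaker's tooling; the masks, process names and checked bits are from the slides, while the starting value of options2 is constructed (the slides do not give it).

```python
# 32-bit masks quoted on the slides
AVP_MASK = 0xFFFFFFF7               # avp.exe seen: clears bit value 8 (4th bit)
NS_MASK = 0xFFFFFFFB                # NS.exe / ccSvcHst.exe seen: clears bit value 4 (3rd bit)
CHECKED_OPTIONS = (1, 2, 4, 8, 16)  # option bits the malware tests, per the slide
DEMO_START = 0x1F                   # constructed starting value, not from the slides

def to_signed32(value):
    """Interpret a 32-bit value as the signed integer a disassembler prints."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def apply_av_checks(options2, running_processes):
    """Return options2 after the process-name checks described on the slides.

    Names are compared case-insensitively; only the two checks quoted on the
    slides are modelled.
    """
    names = {p.lower() for p in running_processes}
    if "avp.exe" in names:
        options2 &= AVP_MASK
    if names & {"ns.exe", "ccsvchst.exe"}:
        options2 &= NS_MASK
    return options2 & 0xFFFFFFFF

def enabled_paths(options2):
    """Which of the checked option bits are still set."""
    return tuple(bit for bit in CHECKED_OPTIONS if options2 & bit)

if __name__ == "__main__":
    print("0xFFFFFFF7 as signed:", to_signed32(AVP_MASK))   # -9
    for procs in ([], ["avp.exe"], ["ccSvcHst.exe"], ["avp.exe", "NS.exe"]):
        after = apply_av_checks(DEMO_START, procs)
        print(f"{procs!r:28} options2=0x{after:02X} paths={enabled_paths(after)}")
```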
• Forensically carving files out of the disk...
Conclusion: there is no perfect solution allowing to recover the MFT and get all the data back.
Decrypting files (AES + RSA)
• Bruteforcing the key is not possible
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
https://labsblog.f-secure.com/2017/06/30/what-good-is-a-not-for-profit-eternal-petya/
Questions? Remarks?
More:
https://blog.malwarebytes.com/?s=eternalpetya
Thank you!