
Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine
Hasherezade (@hasherezade)
Agenda
• The outbreak
• Behavioral analysis
• Is it Petya?
• Is it ransomware?
• The propagation mechanism
• The conditional features
• Conclusions
Overview - how it all started
The outbreak
27th June...
The outbreak
• 27th June in Ukraine, also affecting neighboring countries, e.g. Poland
• Source of the infection: M.E.Doc – tax accounting software company in Ukraine
• Initial vector: a malicious update
• As it turned out, the attackers had resided on the M.E.Doc servers for months before the outbreak
A malware with various names
• The authors didn’t name the malware at first.
• Among the researchers it was referred to as: Petya, Petya.A, NotPetya, ExPetr, Nyetya, EternalPetya, Petna, GoldenEye, PetrWrap...
• In the later announcements, the attackers referred to it as Petya.A/NotPetya

https://www.youtube.com/watch?v=Vor9sWpJQHw
Behavioral analysis
Behavior of the malware: High level attack
1. Encrypts files with selected extensions (using AES + RSA):
3ds 7z accdb ai asp aspx avhd back bak c cfg conf cpp cs ctl dbf disk djvu doc docx dwg eml fdb gz h hdd kdbx mail mdb msg nrg ora ost ova ovf pdf php pmf ppt pptx pst pvi py pyc rar rtf sln sql tar vbox vbs vcb vdi vfd vmc vmdk vmsd vmx vsdx vsv work xls xlsx xvd zip
Behavior of the malware: High level attack
2. Drops a ransom note:
Behavior of the malware: High level attack
3. Reboot is scheduled:
Behavior of the malware: High level attack
4. We can see the malware scanning our LAN, in order to spread to other machines...
5. The Master Boot Record is overwritten with the malicious bootloader and the kernel that is meant to deploy the low level attack after the reboot
Behavior of the malware: Low level attack
1. When the machine boots again, the malicious kernel is loaded...
This CHKDSK is fake! In reality the malware encrypts the MFT using the Salsa20 algorithm
Behavior of the malware: Low level attack
2. After encrypting the MFT, the ransom demand is shown on the screen:
The low level attack looks exactly like Petya, but the skull and the malware name are missing...
Behavior summary
1. High level attack: encrypts files with selected extensions
2. Low level attack: encrypts the Master File Table, making the disk inaccessible
3. Spreads itself to other machines in the LAN (using e.g. NSA’s „Eternal” exploits)
A new Petya/Goldeneye?
Last year’s edition of Petya:
Do you remember last year’s Petya?
Almost all ransomware encrypts files one by one – Petya can do it as well.
But Petya has a unique feature: it attacks the bootloader, and then encrypts low-level structures on the disk (Master File Table) – making the disk unreadable.

https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
Do you remember last year’s Petya?
• Petya comes in 3 flavors: Red, Green and Golden (Goldeneye)
• Each version introduced improvements
• The latest versions were not decryptable
Do you remember last year’s Petya?
• Dropper (Windows EXE):
  • overwrites the disk’s beginning with the Petya kernel
  • encrypts files with selected extensions, one by one
• Petya kernel:
  • performs the disk encryption (MFT)
Let’s have a look inside...
The components involved
• 71b6a493388e7d0b40c83ce903bc6b04 – the main DLL
  installed as: C:\Windows\perfc.dat
  Run by: rundll32.exe <path>,#1
• aeee996fd3484f28e5cd85fe26b6bdcd – a legitimate app incorporated by the malware: PsExec
• Mimikatz-like components for stealing credentials (they are used for further spreading the malware in the LAN)
  • 2813d34f6197eb4df42c886ec7f234a1 – 32 bit version
  • 7e37ab34ecdcc3e77e24522ddfd4852d – 64 bit version
• f3471d609077479891218b0f93a77ceb – the low level part (Petya MBR + kernel)

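As an added example (not code from the deck or from the malware), here is a small detection rule built only from the execution indicators on this slide: the DLL installed as C:\Windows\perfc.dat and started with rundll32.exe <path>,#1, plus the PsExec/wmic tools the deck names as the "conventional" spreading method. The event format, the regex and the sample lines are constructed assumptions, not real telemetry.

```python
import re
from typing import Optional

# Assumed pattern for the launch described on the slide: rundll32.exe <path to perfc.dat>,#1
PERFC_RUNDLL = re.compile(r"rundll32(\.exe)?\s+\S*perfc\.dat\s*,\s*#1", re.IGNORECASE)
# Tools the deck names for spreading; a perfc launch coming from them is lateral movement.
REMOTE_EXEC_TOOLS = {"psexec.exe", "wmic.exe"}


def classify(image: str, command_line: str) -> Optional[str]:
    """Classify one process-creation event as 'local-execution', 'lateral-movement' or None."""
    if not PERFC_RUNDLL.search(command_line):
        return None
    # Basename of the process image, so C:\Tools\PsExec.exe -> psexec.exe
    tool = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return "lateral-movement" if tool in REMOTE_EXEC_TOOLS else "local-execution"


def scan(events):
    """Run the classifier over (image, command_line) pairs and return the hits."""
    hits = []
    for image, cmdline in events:
        verdict = classify(image, cmdline)
        if verdict:
            hits.append((verdict, cmdline))
    return hits


# Constructed sample events (not real telemetry): (process image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\perfc.dat,#1"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    (r"C:\Tools\PsExec.exe", r"PsExec.exe \\HOST-7 -d rundll32.exe C:\Windows\perfc.dat,#1"),
    (r"C:\Windows\System32\wbem\wmic.exe",
     r'wmic.exe /node:HOST-7 process call create "rundll32.exe C:\Windows\perfc.dat,#1"'),
    (r"C:\Windows\System32\wbem\wmic.exe", r"wmic.exe os get caption"),
]

if __name__ == "__main__":
    for verdict, cmdline in scan(SAMPLE_EVENTS):
        print(f"{verdict:17} {cmdline}")
```

The rule keys on the ordinal #1 export and the fixed file name the deck gives; a renamed DLL would need the hash-based indicators from the same slide instead.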
Petya or not? Comparing the code...
• The kernel of the new malware compared with the one from the latest Petya (Goldeneye)
Differences exist, but they are minor. The code base is the same as Goldeneye Petya.

Conclusion: it is a Petya
Petya or not? Comparing the code...
• Let’s take a closer look at the differences...
Missing optimizations. This assembly code could never be generated if the code had been recompiled.

Conclusion: it is a Petya, but not a legitimate strain – not recompiled from the original source. The Petya kernel was pirated and stolen from the original author.
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
Ransomware or not?
• Yes, because it demanded a ransom and successfully collected money
• Not really, because paying the ransom cannot help a victim
The victim ID is a random string, generated BEFORE the encryption key is made

Conclusion: the attackers deliberately decided not to preserve the key

https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
Ransomware or not?
Conclusion: the attackers deliberately decided not to preserve the key.

But why?
• Unfinished work with a dummy text left?
• Proof of the destructive intentions?
Ransomware or not? – Unfinished work?
• Sometimes it happens, e.g. Satana ransomware, which was deployed in the wild on a small scale, was also unfinished...
It reads user input, but never processes it. The original MBR cannot be recovered.

https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/
Ransomware or not? – Unfinished work?
• The authors of Petya.A/NotPetya tried to reimplement some features of the original Petya on their own, e.g. preserving the original MBR obfuscated by XOR with 0x7
Accurate imitation of the original Petya’s behavior
The original MBR is preserved in the sector 34

Conclusion: redundant efforts in case of destructive intentions
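An added example (not the deck's or the malware's code) of the recovery check a responder can run from the two facts on this slide: the original MBR is kept in sector 34, XOR-ed byte-wise with 0x7. The function decodes that sector, validates the 55 AA boot signature, and can write the result back over sector 0; the disk image and the "original MBR" inside it are constructed test data, and 512-byte sectors are assumed.

```python
SECTOR_SIZE = 512
BACKUP_SECTOR = 34   # per the slide: XOR-ed copy of the original MBR lives here
XOR_KEY = 0x07       # per the slide: byte-wise XOR with 0x7


def decode_backup_mbr(disk_image: bytes) -> bytes:
    """Read sector 34, undo the XOR and verify that the result ends with 55 AA.

    Raises ValueError when the sector is missing or does not decode to an MBR.
    """
    start = BACKUP_SECTOR * SECTOR_SIZE
    sector = disk_image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError("image too small to contain sector 34")
    mbr = bytes(b ^ XOR_KEY for b in sector)
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("sector 34 does not decode to an MBR (no 55 AA signature)")
    return mbr


def backup_is_valid(disk_image: bytes) -> bool:
    """True when sector 34 decodes to something with a boot signature."""
    try:
        decode_backup_mbr(disk_image)
        return True
    except ValueError:
        return False


def restore_mbr(disk_image: bytes) -> bytes:
    """Return a copy of the image with the decoded backup written back to sector 0."""
    return decode_backup_mbr(disk_image) + disk_image[SECTOR_SIZE:]


def build_sample_image():
    """Constructed test image: a fake original MBR, an overwritten sector 0 and the
    XOR-ed backup at sector 34. No real bootloader or malware bytes are involved."""
    original = bytearray(SECTOR_SIZE)
    original[0:3] = b"\xEB\x3C\x90"          # typical jump at the start of boot code
    original[3:19] = b"CONSTRUCTED MBR!"     # filler standing in for boot code
    original[510:512] = b"\x55\xAA"          # boot signature
    original = bytes(original)
    image = bytearray(40 * SECTOR_SIZE)      # 40 sectors is enough to hold sector 34
    image[0:SECTOR_SIZE] = bytes(range(256)) * 2   # stands in for the overwritten MBR
    start = BACKUP_SECTOR * SECTOR_SIZE
    image[start:start + SECTOR_SIZE] = bytes(b ^ XOR_KEY for b in original)
    return bytes(image), original
```

Writing the decoded sector back only helps before the scheduled reboot; once the malicious kernel has run, the MFT is already encrypted and a restored MBR does not bring the data back.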
Ransomware or not? – Destructive intentions?
• Disruption attacks on Ukraine have already happened in the past, so it may be their continuation...
• However: if the ransomware is just a cover, why didn’t the authors finish the cover? The fact of not preserving the key could easily be obfuscated, e.g. by pretending that it is sent to a dead CnC server...

https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack
What is new?
1. High level attack: encrypts files with selected extensions
2. Low level attack: encrypts the Master File Table, making the disk inaccessible
3. Spreads itself to other machines in the LAN (using e.g. NSA’s „Eternal” exploits)
The infector
• Two ways of spreading:
1. Using exploits leaked from the NSA: ETERNALBLUE, ETERNALROMANCE + DOUBLEPULSAR injector with minor modifications
Similarly to WannaCry ransomware, that used ETERNALBLUE
2. Using conventional tools: PsExec, Wmic

Conclusion: the infector is written by professionals

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/
The infector: finding network targets
• Targets are collected on a global list
• Multiple sources:
1. command line argument (-h <ip>)
2. Scanning ports 139 and 445 in the LAN
3. DHCP servers and clients (DhcpEnumServerClients)
4. Cached ARP entries (GetIpNetTable)
5. Active TCP connections (GetExtendedTcpTable)
6. ActiveDirectory domain (NetServerEnum)

Conclusion: very scrupulous in finding network targets
The infector: dumping credentials
• The malware comes with a mimikatz-based tool for dumping credentials
Credentials are sent to the malware over a pipe...
Used for lateral movements
Conditional paths
Conditional paths
The malware has several paths of execution. The flags are set depending on:
• options1: based on privileges
• options2: installed AV products: avp.exe (Kaspersky), ccSvcHst.exe (Symantec), NS.exe (Norton Security)

Conclusion: the behavior of the malware may vary on various machines

https://blog.nviso.be/2017/06/30/recovering-custom-hashes-for-the-petyanotpetya-malware/
Conditional paths
• Does it always deploy the low-level attack?
• No, if avp.exe (Kaspersky AV) is detected, it does not write the Petya kernel at the beginning of the disk... Instead, it overwrites those sectors with random data
• No MFT encryption deployed
avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared)
8 = 1000b (check 4-th bit)
If avp detected, the buffer is written, but not filled with Petya’s code

https://securelist.com/no-free-pass-for-expetr/79008/
Conditional paths
The options that are set are fewer than the options that are checked...
avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared)
NS.exe or ccSvcHst.exe detected -> options2 &= 0xFFFFFFFB = -5 (3rd bit is cleared)
Options2 checked: 1, 2, 4, 8, 16

Conclusion: some of the conditional flags are not implemented – it may be a hint that the malware is not finished and got released prematurely (tests?)
Possible help?
Decrypting Master File Table (Salsa20)
• Bruteforcing the key is not possible
• Plaintext attack on the ciphertext:
  • Possible due to an error in the implementation of Salsa20.
  • Yet, it may be difficult in real life scenarios...
  • There is a tool by CrowdStrike: https://www.crowdstrike.com/blog/decrypting-notpetya-tools-for-recovering-your-mft-after-an-attack/
• Forensically carving files out of the disk...

Conclusion: there is no perfect solution allowing to recover the MFT and get all the data back.
Decrypting files (AES + RSA)
• Bruteforcing the key is not possible
• Attackers were willing to sell the key:

Conclusion: there is no solution at the moment, as nobody bought the key
Conclusions
Conclusions
Looking at the code we can find many inconsistencies that trigger doubts.
- Was it a state sponsored attack on Ukraine?
- Was it just an attack of unfinished ransomware?
Links
https://securelist.com/a-kings-ransom-it-is-not/79057/
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
https://labsblog.f-secure.com/2017/06/30/what-good-is-a-not-for-profit-eternal-petya/
Questions? Remarks?
More:
https://blog.malwarebytes.com/?s=eternalpetya
Thank you!