Petna / Eternalblue Petya
Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Hashes below via McAfee article:
Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
Hashes below via Kaspersky article:
DLL: 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0
Names in the media: Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya, Expetr, Pnyetya
Tips for users:
* don't pay; files will not be decrypted (see the note on the contact email below)
* if you realize that a machine got infected, shut it down immediately and do not reboot (the low-level MFT encryption runs after the reboot); ask an expert for help
* infection prevention: install Windows patches (MS17-010 closes the EternalBlue/EternalRomance vector), no admin rights for standard users, up-to-date AV
* a vaccination script is linked below, but use it with caution; vaccines are often detected by security software
Contact email (has been locked down):
BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Payment will not get any files back, because the contact email is blocked!
Initial infection vector: the ransomware spread via MEDoc updates:
It is suspected that the update servers of the Ukrainian accounting software MEDoc were compromised.
This tweet states that a malicious email led to the compromise of the update server, which then pushed the malware out via MEDoc updates:
A second initial infection vector may have been a watering-hole attack on (see:
Spreading through the LAN (not the Internet!):
* EternalBlue and EternalRomance (SMBv1 exploits, patched by MS17-010)
* code similar to Mimikatz dumps credentials from memory
* scans the local network for admin$ shares, copies itself across the network and executes with psexec
* wmic is also used to execute the copied payload on remote hosts with the dumped credentials
Petya or not Petya: the boot loader code is the same as in version 3 of green Petya; the high-level code (dropper and user-mode portion, previously Mischa) is different:
User-mode encryption component (previously Mischa): yes, this component exists.
Target extensions:
The ransomware does not rename any files.
Low-level encryption component: The MFT is encrypted.
Petna is deemed uncrackable by hasherezade:
Reboot is triggered via two methods:
* a scheduled task running shutdown.exe /r /f
* NtRaiseHardError (forces a hard error that reboots the machine)
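Added hunting example (my own code, not the gist author's and not any vendor's tool) tying together the hashes listed above, the LAN-spreading bullets and the reboot methods. Part 1 matches files on disk against the SHA-256 hashes quoted in this gist; part 2 flags process command lines that show the behaviour described here (copy to admin$, psexec remote execution, wmic remote process creation, a scheduled task running shutdown.exe /r /f). The regexes are heuristics I wrote for this example, and the sample command lines, host addresses and file names are constructed placeholders, not observed indicators.

```python
"""Added hunting example for the indicators listed in this gist; this is my
own code, not the gist author's and not a vendor tool. Part 1 matches files
on disk against the SHA-256 hashes quoted above. Part 2 flags command lines
showing the spreading and reboot behaviour the gist describes: copies to
admin$, psexec remote execution, wmic remote process creation, and a
scheduled task running shutdown.exe /r /f. The regexes are heuristics of my
own; the sample command lines and file names are constructed for the demo."""
import hashlib
import os
import re
import tempfile

# SHA-256 values as listed in the gist (attribution as given there).
PETNA_SHA256 = {
    "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745": "main DLL",
    "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1": "main DLL (McAfee)",
    "f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5": "PSEXEC.EXE (McAfee)",
    "02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f": "64-bit EXE (McAfee)",
    "eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998": "32-bit EXE (McAfee)",
    "45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0": "DLL (Kaspersky)",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_digest(digest):
    """Label for a known Petna hash, or None."""
    return PETNA_SHA256.get(digest.lower())


def scan_tree(root):
    """Walk root and return [(path, label)] for files matching a listed hash."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                label = match_digest(sha256_file(path))
            except OSError:  # unreadable or vanished file: skip it, keep scanning
                continue
            if label:
                hits.append((path, label))
    return hits


# Heuristic command-line rules (my own patterns) for the behaviour in the gist.
CMDLINE_RULES = [
    ("admin$ share access", re.compile(r"\\\\[\w.\-]+\\admin\$", re.I)),
    ("psexec remote execution", re.compile(r"\bpsexec(\.exe)?\b.*\\\\[\w.\-]+", re.I)),
    ("wmic remote process creation",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create", re.I)),
    ("scheduled forced reboot",
     re.compile(r"\bschtasks(\.exe)?\b.*/create.*shutdown(\.exe)?\s+/r\s+/f", re.I)),
]


def classify_cmdline(cmdline):
    """Names of all rules that match one process command line."""
    return [name for name, rx in CMDLINE_RULES if rx.search(cmdline)]


# Constructed sample command lines (hosts, paths and file names are placeholders).
SAMPLE_CMDLINES = [
    r'cmd.exe /c copy C:\Windows\payload.dll \\10.0.0.5\admin$\payload.dll',
    r'psexec.exe \\10.0.0.5 -accepteula -s -d rundll32.exe C:\Windows\payload.dll,#1',
    r'wmic.exe /node:"10.0.0.6" /user:"CORP\admin" /password:"***" process call create '
    r'"rundll32.exe C:\Windows\payload.dll,#1"',
    r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]


def run_demo():
    """Scan a throwaway directory holding one benign file, then triage the samples."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here")
        file_hits = scan_tree(tmp)
    flagged = [classify_cmdline(c) for c in SAMPLE_CMDLINES]
    return {"file_hits": file_hits, "flagged": flagged}


if __name__ == "__main__":
    for cmd, names in zip(SAMPLE_CMDLINES, run_demo()["flagged"]):
        print(names or ["-"], cmd)
```

Point scan_tree at a mounted image or a share root and feed classify_cmdline with process-creation command lines from whatever telemetry you have (Sysmon event 1, EDR, 4688 with command-line auditing). The hash match is exact and only catches the listed samples; the command-line rules are the part worth keeping, since they describe the technique (admin$ copy, psexec, wmic, forced reboot) rather than one build, but expect legitimate admin tooling to trigger them and tune accordingly.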
Kill switch: no, none exists. People claiming there is one are jumping on the PR bandwagon; they are actually referring to a possible vaccine (not yet confirmed whether it works).
Vaccination script:
Ukraine government:
Russian oil giant Rosneft:
Rotterdam port:
Targets in Spain:
Supermarket in Kharkov, Ukraine:
Ukraine ATM:
Merck pharma giant, USA:
Kiev metro station:
Mars, Nivea, and Auchan offices in Ukraine:
Chernobyl's radiation monitoring:
Ukraine is taking its situation with humour:
Home users have not been the target yet.