Petna / Eternalblue Petya
Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Hashes below via McAfee article:
Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
Hashes below via Kaspersky article:
DLL: 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0
Names in the media: Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya, Expetr, Pnyetya
Tips for users:
* don't pay; files won't be decrypted
* if you realize that a machine got infected, shut it down immediately, do not reboot it, and ask an expert for help
* infection prevention: install Windows patches (MS17-010 closes the SMB flaws used by EternalBlue/EternalRomance), no admin rights for standard users, up-to-date AV
* a vaccination script is linked below, but use it with caution; vaccines are often flagged by security software
Contact email (has been locked down):
BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Payment will not get any files back, because the contact email is blocked!
Initial infection vector: The ransomware spread via MEDoc updates:
It was suspected that the update servers of the financial software MEDoc were compromised.
This tweet states that a malicious email led to propagation through the MEDoc update server:
A second initial infection vector may have been a watering-hole attack on (see:
Spreading through LAN (not Internet!):
* EternalBlue and EternalRomance
* a credential-dumping component similar to Mimikatz harvests credentials
* scans the local network for admin$ shares, copies itself to them, and executes the copy with psexec
* wmic is used to find remote shares to spread to
Petya or not Petya: The boot loader code is the same as in version 3 of green Petya; the high-level code (dropper and user-mode portion, previously Mischa) is different:
User-mode encryption component (previously Mischa): yes, this component exists.
Target extensions:
The ransomware does not rename any files.
Low-level encryption component: The MFT is encrypted.
Petna is deemed uncrackable by hasherezade:
Reboot via 2 methods:
* a scheduled task that runs shutdown.exe /r /f
* NtRaiseHardError
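As an added triage example (written for this page, not code from the gist or from the malware), the script below checks files against the SHA-256 indicators listed above and scans process-creation records for the behaviour described under "Spreading through LAN" and "Reboot": psexec-style execution over admin$, wmic remote execution, and a scheduled task that forces a reboot with shutdown.exe /r /f. The record fields (image, cmdline) and the sample records are constructed for the example and are not a real log schema.

```python
"""Triage helper for the Petna / NotPetya indicators listed on this page.

Added example, not part of the original gist. The record schema (image,
cmdline) and SAMPLE_RECORDS are constructed for demonstration.
"""
import hashlib
import re

# SHA-256 indicators copied from the hash list above (McAfee / Kaspersky).
PETNA_SHA256 = {
    "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745": "main DLL",
    "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1": "main DLL",
    "f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5": "PSEXEC.EXE",
    "02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f": "64-bit EXE",
    "eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998": "32-bit EXE",
    "45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0": "DLL",
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(files: dict, indicators: dict = PETNA_SHA256) -> dict:
    """Return {path: label} for every file whose SHA-256 is a known indicator.

    `files` maps a path to the file's bytes so the function runs offline;
    on a real host read each candidate with open(path, "rb").
    """
    hits = {}
    for path, data in files.items():
        label = indicators.get(sha256_of(data))
        if label:
            hits[path] = label
    return hits


def _lower(record, key):
    return record.get(key, "").lower()


# Behavioural rules derived from the spreading and reboot notes above.
RULES = [
    ("forced reboot via scheduled task",
     lambda r: "schtasks" in _lower(r, "image")
     and re.search(r"shutdown(\.exe)?\s+(/r\s+/f|/f\s+/r)", r["cmdline"], re.I) is not None),
    ("remote execution via wmic",
     lambda r: _lower(r, "image").endswith("wmic.exe")
     and "/node:" in _lower(r, "cmdline")
     and "process call create" in _lower(r, "cmdline")),
    ("psexec-style execution over admin$",
     lambda r: _lower(r, "image").endswith(("psexec.exe", "psexesvc.exe"))
     or "admin$" in _lower(r, "cmdline")),
]


def scan_processes(records: list) -> list:
    """Return (rule name, record) pairs for every record that matches a rule."""
    findings = []
    for r in records:
        for name, predicate in RULES:
            if predicate(r):
                findings.append((name, r))
    return findings


# Constructed sample process-creation records (not captured from a real host).
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic /node:"10.0.0.23" /user:"CORP\admin" /password:"*" process call create "C:\Windows\payload.exe"'},
    {"image": r"C:\Windows\psexec.exe",
     "cmdline": r"psexec.exe \\10.0.0.23 -accepteula -s -d C:\Windows\payload.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\Windows\payload.dll \\10.0.0.24\admin$\payload.dll"},
    # benign activity that must not fire
    {"image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /Query"},
    {"image": r"C:\Windows\System32\wbem\wmic.exe", "cmdline": "wmic os get caption"},
    {"image": r"C:\Windows\System32\shutdown.exe", "cmdline": "shutdown.exe /r /t 60"},
]


if __name__ == "__main__":
    for name, rec in scan_processes(SAMPLE_RECORDS):
        print(f"[{name}] {rec['cmdline']}")
    print(match_hashes({"sample.bin": b"not an indicator"}))
```

The scheduled-task rule keys on schtasks creating a task whose action is shutdown.exe with both /r and /f, which separates the forced reboot from a normal maintenance restart; the admin$ rule fires on any command line that names the share, so expect it to also flag legitimate admin tooling and treat it as a lead, not a verdict.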
Kill switch: No, one does not exist. People claiming there is one are jumping on the PR wagon; they are actually referring to a possible vaccine (not yet confirmed to work).
Vaccination script:
Ukraine government:
Russian oil giant Rosneft:
Rotterdam port:
Targets in Spain:
Supermarket in Kharkov, Ukraine:
Ukraine ATM:
Merck pharma giant, USA:
Kiev metro station:
Mars, Nivea, and Auchan offices in Ukraine:
Chernobyl's radiation monitoring:
Ukraine is being pretty humorous about its situation:
Home users have not been the target yet.