When WannaCry came out last month, many were taken by surprise by its use of the leaked NSA exploit for SMB, especially because Microsoft had released a patch for that vulnerability in March. Everyone who didn't patch lost their computer. In the days and weeks that followed everyone said PATCH PATCH PATCH! to stay safe, and make sure you have backups. You would think people would have patched by now or disabled SMB altogether?
Now enter Petya ransomware, which some attribute as a GoldenEye variant.
Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another that encrypts NTFS structures. This approach prevents victims' computers from being booted into a live OS environment to retrieve stored information or samples.
Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. The ransomware has been found spreading via SMB and WMIC. Some reports suggest that to prevent infection we should block WMIC.
Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot, which renders the computer unusable until the $300 ransom is paid.
Indicators of Compromise:
category | type | value
Payload delivery | filename|sha1 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
External analysis | link | https://www.hybrid-analysis.com/search?query=027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Payload delivery | filename|sha256 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Payload delivery | filename|md5 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|71b6a493388e7d0b40c83ce903bc6b04
Payload delivery | x509-fingerprint-sha1 | 4d6f357f0e6434da97b1afc540fb6fdd0e85a89f
Payload installation | filename|md5 | %WINDIR%\dllhost.dat|aeee996fd3484f28e5cd85fe26b6bdcd
Payload installation | filename|sha1 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|532bea84179e2336caed26e31805ceaa7eec53dd
Payload installation | filename|sha512 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|cefeb349970c7d7f1bdef4123b4cb71f1a76c4ce8197d9dbb10c5f5d0bb0e86cffe51829f0a9c7590e4072194a503eb4bff507dcdb992df08c154c818fb4f431
Payload delivery | x509-fingerprint-sha1 | 3036e3b25b88a55b86fc90e6e9eaad5081445166
Payload delivery | x509-fingerprint-sha1 | 3ea99a60058275e0ed83b892a909449f8c33b245
Payload delivery | x509-fingerprint-sha1 | 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f
Payload installation | filename|sha512 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|e8ebf30488b9475529d3345a00c002fe44336718af8bc99879018982bbc1172fc77f9fee12c541bab9665690092709ef5f847b40201782732c717c331bb77c31
Payload delivery | filename|sha512 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
Payload installation | filename|md5 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|9a7ffe65e0912f9379ba6e8e0b079fde
Payload installation | filename|md5 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|5f6e775124efbd810c58f349d3f96400
Payload installation | filename|sha1 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|766d70566b38c5fbf8b2e891c2f70f146561789f
Payload installation | filename|sha256 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc
Payload installation | filename|sha256 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651
Payload installation | filename|sha256 | %TEMP%\FE04.tmp|41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165
Payload installation | filename|md5 | %TEMP%\FE04.tmp|5733d78651a308b8dfacb41a7ec2b99a
Payload installation | filename|sha256 | %WINDIR%\dllhost.dat|f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
Payload installation | filename|sha1 | %TEMP%\FE04.tmp|98f9ade6d75c887d06b0343b506aebd948a61818
Payload installation | filename|sha512 | %TEMP%\FE04.tmp|a10227d5090014f7c5e9ed8911823a622fb599683ab6a1e18706138e49dda98d3228ce4a74e3e8f0dfe2c6f8f81a6811eedf8d17f589f22cfcd60fe2c895c272
Payload installation | filename|sha512 | %WINDIR%\dllhost.dat|e7c0b64ca5933c301f46dc3b3fd095bcc48011d8741896571bf93af909f54a6b21096d5f66b4900020dcaece6ab9b0e1d1c65791b8b5943d2e4d5bab28340e6f
Payload installation | filename|sha1 | %WINDIR%\dllhost.dat|cd23b7c9e0edef184930bc8e0ca2264f0608bcb3
Artifacts dropped | pdb | c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb
Persistence mechanism | regkey|value | HKCU\SOFTWARE\SYSINTERNALS\PSEXEC\EULAACCEPTED|01000000
Artifacts dropped | pdb | c:\src\Pstools\psexec\EXE\Release\psexec.pdb
Artifacts dropped | yara | <yara><yarahits><rule author="Florian Roth" description="Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)" name="Tiny_Network_Tool_Generic"><strings><hit><value>KERNEL32.DLL</value></hit><hit><value>LoadLibraryA</value></hit><hit><value>GetProcAddress</value></hit><hit><value>ADVAPI32.DLL</value></hit><hit><value>USER32.DLL</value></hit><hit><value>FreeSid</value></hit><hit><value>To</value></hit></strings></rule></yarahits></yara>
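The table above is only useful if it is actually checked against hosts. The following is an added example, not code from the original post: it takes the md5, sha1 and sha256 file hashes from the table (the sha512 entries are left out) and the two drop locations that use environment variables (`%WINDIR%\dllhost.dat` and `%TEMP%\FE04.tmp`), hashes each file once, and reports whether any digest matches. Hash values and paths come from the table; the function names and the sample bytes in the usage are my own.

```python
import hashlib
import os
from pathlib import Path

# File-hash indicators copied from the IoC table above (lower-cased hex).
KNOWN_BAD = {
    "md5": {
        "71b6a493388e7d0b40c83ce903bc6b04",  # 027cc450... dropper
        "aeee996fd3484f28e5cd85fe26b6bdcd",  # %WINDIR%\dllhost.dat
        "9a7ffe65e0912f9379ba6e8e0b079fde",  # C:\027cc450....bin.dll
        "5f6e775124efbd810c58f349d3f96400",  # \\...\ADMIN$\PSEXESVC.EXE
        "5733d78651a308b8dfacb41a7ec2b99a",  # %TEMP%\FE04.tmp
    },
    "sha1": {
        "34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d",  # dropper
        "532bea84179e2336caed26e31805ceaa7eec53dd",  # .bin.dll
        "766d70566b38c5fbf8b2e891c2f70f146561789f",  # PSEXESVC.EXE
        "98f9ade6d75c887d06b0343b506aebd948a61818",  # FE04.tmp
        "cd23b7c9e0edef184930bc8e0ca2264f0608bcb3",  # dllhost.dat
    },
    "sha256": {
        "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",  # dropper
        "eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc",  # PSEXESVC.EXE
        "4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651",  # .bin.dll
        "41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165",  # FE04.tmp
        "f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5",  # dllhost.dat
    },
}

# Drop locations from the table; the %VAR% forms expand on Windows only.
DROP_PATHS = [
    r"%WINDIR%\dllhost.dat",
    r"%TEMP%\FE04.tmp",
]

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """md5/sha1/sha256 hex digests of an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path):
    """Same three digests for a file, read once in 1 MiB chunks."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def match_iocs(digests):
    """(algorithm, hash) pairs from `digests` that appear in KNOWN_BAD."""
    return [(algo, value.lower()) for algo, value in digests.items()
            if value.lower() in KNOWN_BAD.get(algo, ())]


def scan_path(path):
    """Classify one path as 'absent', 'clean' or 'match', with the hits."""
    expanded = Path(os.path.expandvars(path))
    if not expanded.is_file():
        return {"path": str(expanded), "status": "absent", "matches": []}
    matches = match_iocs(hash_file(expanded))
    return {"path": str(expanded),
            "status": "match" if matches else "clean",
            "matches": matches}


def scan(paths=DROP_PATHS):
    """Scan every path in `paths` (defaults to the table's drop locations)."""
    return [scan_path(p) for p in paths]


if __name__ == "__main__":
    for result in scan():
        print(f"{result['status']:6} {result['path']}", *result["matches"])
    # Constructed sample content, so the matcher can be exercised anywhere.
    print("constructed blob matches:", match_iocs(hash_bytes(b"constructed sample content")))
```

Matching is case-insensitive on the hex string, since different tools emit upper- or lower-case digests. On a non-Windows host the `%WINDIR%` and `%TEMP%` forms do not expand, so those paths report `absent`; pass explicit paths to `scan()` to check files collected from a Windows machine.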
Affected Countries:
Russia, Ukraine, France, Netherlands, USA, UK, India, Japan
Affected Sectors:
Financial Institutions, Telecoms, Power and Utility, Airlines and Transportation, Energy, Oil & Gas
References:
https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users
http://www.independent.co.uk/news/world/europe/ukraine-cyber-attack-hackers-national-bank-state-power-company-airport-rozenko-pavlo-cabinet-a7810471.html
https://www.nytimes.com/reuters/2017/06/27/business/27reuters-ukraine-cyber-attacks-ukrenergo.html
http://www.bbc.com/news/technology-40416611
Header image from: https://3.bp.blogspot.com/-Z9KXBRVMLAg/WVJqrHoMqdI/AAAAAAAAtWc/daYeKHPIzwoiwG30oaiSWGhJkkT39PjmQCLcBGAs/s1600/petya-ransomware.png