Petya Ransomware the new WannaCry?

Posted June 27, 2017

In Backdoor, Business, Exploits, Malware, News, Ransomware, Threat Intelligence

When WannaCry came out last month, many were taken by surprise of the exploit of NSA tools for SMB. Especially because a patch was launched by Microsoft for the same in March. Everyone who didnt patch lost your computer. In the days and weeks that followed everyone said PATCH PATCH PATCH! to remain safe and ensure backups. You would think people would have patched by now or disabled SMB altogether?

Now entering Petya Ransomware, also attributed by some as Golden Eye variant.

Unlike most ramsonware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims computers from being booted up in a live OS environment and retreiving stored information or samples.

Just like Petya, GoldenEye encrypts the the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. The ransomware is found to be spreading via SMB and WMIC. Some reports suggest to prevent infection we should block WMIC.

Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.

Indicators of Compromise:

category	type	value
Payload delivery	filename\|sha1	027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
External analysis	link	https://www.hybrid-analysis.com/search?query=027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Payload delivery	filename\|sha256	027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

Payload delivery	filename\|md5	027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\|71b6a493388e7d0b40c83ce903bc6b04
Payload delivery	x509-fingerprint-sha1	4d6f357f0e6434da97b1afc540fb6fdd0e85a89f
Payload installation	filename\|md5	%WINDIR%\dllhost.dat\|aeee996fd3484f28e5cd85fe26b6bdcd
Payload installation	filename\|sha1	C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll\|532bea84179e2336caed26e31805ceaa7eec53dd
Payload installation	filename\|sha512	\\192.168.56.11\ADMIN$\PSEXESVC.EXE\|cefeb349970c7d7f1bdef4123b4cb71f1a76c4ce8197d9dbb10c5f5d0bb0e86cffe51829f0a9c7590e4072194a503eb4bff507dcdb992df08c154c818fb4f431
Payload delivery	x509-fingerprint-sha1	3036e3b25b88a55b86fc90e6e9eaad5081445166
Payload delivery	x509-fingerprint-sha1	3ea99a60058275e0ed83b892a909449f8c33b245
Payload delivery	x509-fingerprint-sha1	9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f
Payload installation	filename\|sha512	C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll\|e8ebf30488b9475529d3345a00c002fe44336718af8bc99879018982bbc1172fc77f9fee12c541bab9665690092709ef5f847b40201782732c717c331bb77c31
Payload delivery	filename\|sha512	027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\|072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
Payload installation	filename\|md5	C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll\|9a7ffe65e0912f9379ba6e8e0b079fde
Payload installation	filename\|md5	\\192.168.56.11\ADMIN$\PSEXESVC.EXE\|5f6e775124efbd810c58f349d3f96400
Payload installation	filename\|sha1	\\192.168.56.11\ADMIN$\PSEXESVC.EXE\|766d70566b38c5fbf8b2e891c2f70f146561789f
Payload installation	filename\|sha256	\\192.168.56.11\ADMIN$\PSEXESVC.EXE\|eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc
Payload installation	filename\|sha256	C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll\|4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651
Payload installation	filename\|sha256	%TEMP%\FE04.tmp\|41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165
Payload installation	filename\|md5	%TEMP%\FE04.tmp\|5733d78651a308b8dfacb41a7ec2b99a
Payload installation	filename\|sha256	%WINDIR%\dllhost.dat\|f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
Payload installation	filename\|sha1	%TEMP%\FE04.tmp\|98f9ade6d75c887d06b0343b506aebd948a61818
Payload installation	filename\|sha512	%TEMP%\FE04.tmp\|a10227d5090014f7c5e9ed8911823a622fb599683ab6a1e18706138e49dda98d3228ce4a74e3e8f0dfe2c6f8f81a6811eedf8d17f589f22cfcd60fe2c895c272
Payload installation	filename\|sha512	%WINDIR%\dllhost.dat\|e7c0b64ca5933c301f46dc3b3fd095bcc48011d8741896571bf93af909f54a6b21096d5f66b4900020dcaece6ab9b0e1d1c65791b8b5943d2e4d5bab28340e6f
Payload installation	filename\|sha1	%WINDIR%\dllhost.dat\|cd23b7c9e0edef184930bc8e0ca2264f0608bcb3
Artifacts dropped	pdb	c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb
Persistence mechanism	regkey\|value	HKCU\SOFTWARE\SYSINTERNALS\PSEXEC\EULAACCEPTED\|01000000
Artifacts dropped	pdb	c:\src\Pstools\psexec\EXE\Release\psexec.pdb
Artifacts dropped	yara	<yara><yarahits><rule author=”Florian Roth” description=”Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)” name=”Tiny_Network_Tool_Generic”><strings><hit><value>KERNEL32.DLL</value></hit><hit><value>LoadLibraryA</value></hit><hit><value>GetProcAddress</value></hit><hit><value>ADVAPI32.DLL</value></hit><hit><value>USER32.DLL</value></hit><hit><value>FreeSid</value></hit><hit><value>To</value></hit></strings></rule></yarahits></yara>