Scenario: Org2 is a specialist technology company based in the UK. The Org2 IT security operations team responded to an alert from its corporate anti-virus provider that a copy of password stealing malware had been found on three of its domain controllers. This was a serious incident, and an investigation [...]
When WannaCry came out last month, many were taken by surprise of the exploit of NSA tools for SMB. Especially because a patch was launched by Microsoft for the same in March. Everyone who didnt patch lost your computer. In the days and weeks that followed everyone said PATCH PATCH PATCH! to remain safe and ensure backups. You would think people would have patched by now or disabled SMB altogether?
Now entering Petya Ransomware, also attributed by some as Golden Eye variant.
Unlike most ramsonware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims computers from being booted up in a live OS environment and retreiving stored information or samples.
Just like Petya, GoldenEye encrypts the the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. The ransomware is found to be spreading via SMB and WMIC. Some reports suggest to prevent infection we should block WMIC.
Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.
| category | type | value |
| Payload delivery | filename|sha1 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d |
| External analysis | link | https://www.hybrid-analysis.com/search?query=027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
| Payload delivery | filename|sha256 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
| Payload delivery | filename|md5 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|71b6a493388e7d0b40c83ce903bc6b04 |
| Payload delivery | x509-fingerprint-sha1 | 4d6f357f0e6434da97b1afc540fb6fdd0e85a89f |
| Payload installation | filename|md5 | %WINDIR%\dllhost.dat|aeee996fd3484f28e5cd85fe26b6bdcd |
| Payload installation | filename|sha1 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|532bea84179e2336caed26e31805ceaa7eec53dd |
| Payload installation | filename|sha512 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|cefeb349970c7d7f1bdef4123b4cb71f1a76c4ce8197d9dbb10c5f5d0bb0e86cffe51829f0a9c7590e4072194a503eb4bff507dcdb992df08c154c818fb4f431 |
| Payload delivery | x509-fingerprint-sha1 | 3036e3b25b88a55b86fc90e6e9eaad5081445166 |
| Payload delivery | x509-fingerprint-sha1 | 3ea99a60058275e0ed83b892a909449f8c33b245 |
| Payload delivery | x509-fingerprint-sha1 | 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f |
| Payload installation | filename|sha512 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|e8ebf30488b9475529d3345a00c002fe44336718af8bc99879018982bbc1172fc77f9fee12c541bab9665690092709ef5f847b40201782732c717c331bb77c31 |
| Payload delivery | filename|sha512 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f |
| Payload installation | filename|md5 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|9a7ffe65e0912f9379ba6e8e0b079fde |
| Payload installation | filename|md5 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|5f6e775124efbd810c58f349d3f96400 |
| Payload installation | filename|sha1 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|766d70566b38c5fbf8b2e891c2f70f146561789f |
| Payload installation | filename|sha256 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc |
| Payload installation | filename|sha256 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651 |
| Payload installation | filename|sha256 | %TEMP%\FE04.tmp|41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165 |
| Payload installation | filename|md5 | %TEMP%\FE04.tmp|5733d78651a308b8dfacb41a7ec2b99a |
| Payload installation | filename|sha256 | %WINDIR%\dllhost.dat|f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 |
| Payload installation | filename|sha1 | %TEMP%\FE04.tmp|98f9ade6d75c887d06b0343b506aebd948a61818 |
| Payload installation | filename|sha512 | %TEMP%\FE04.tmp|a10227d5090014f7c5e9ed8911823a622fb599683ab6a1e18706138e49dda98d3228ce4a74e3e8f0dfe2c6f8f81a6811eedf8d17f589f22cfcd60fe2c895c272 |
| Payload installation | filename|sha512 | %WINDIR%\dllhost.dat|e7c0b64ca5933c301f46dc3b3fd095bcc48011d8741896571bf93af909f54a6b21096d5f66b4900020dcaece6ab9b0e1d1c65791b8b5943d2e4d5bab28340e6f |
| Payload installation | filename|sha1 | %WINDIR%\dllhost.dat|cd23b7c9e0edef184930bc8e0ca2264f0608bcb3 |
| Artifacts dropped | pdb | c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb |
| Persistence mechanism | regkey|value | HKCU\SOFTWARE\SYSINTERNALS\PSEXEC\EULAACCEPTED|01000000 |
| Artifacts dropped | pdb | c:\src\Pstools\psexec\EXE\Release\psexec.pdb |
| Artifacts dropped | yara | <yara><yarahits><rule author=”Florian Roth” description=”Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)” name=”Tiny_Network_Tool_Generic”><strings><hit><value>KERNEL32.DLL</value></hit><hit><value>LoadLibraryA</value></hit><hit><value>GetProcAddress</value></hit><hit><value>ADVAPI32.DLL</value></hit><hit><value>USER32.DLL</value></hit><hit><value>FreeSid</value></hit><hit><value>To</value></hit></strings></rule></yarahits></yara> |
Russia, Ukraine,France, Netherlands, USA, UK, India, Japan
Financial Institutions, Telecoms, Power and Utility, Airlines and Transportation, Energy , Oil & Gas
https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users
https://www.nytimes.com/reuters/2017/06/27/business/27reuters-ukraine-cyber-attacks-ukrenergo.html
http://www.bbc.com/news/technology-40416611
Header image from: https://3.bp.blogspot.com/-Z9KXBRVMLAg/WVJqrHoMqdI/AAAAAAAAtWc/daYeKHPIzwoiwG30oaiSWGhJkkT39PjmQCLcBGAs/s1600/petya-ransomware.png
Single sign-on provider OneLogin has experienced a breach. If you or your company uses OneLogin to sign in to applications, or if you use any of their other services, you ...
This is a live tracker depicting Emotet and Trickbot beaconing as we track it in real time using our sensors around the world.