PETYA/PetWrap Ransomware with logical Kill switch:- Threat Intel Update

Kill Switch Found?

Our research team has identified a potential “Kill Switch” for GoldenEye/Petya. That Kill Switch information follows.

GoldenEye/Petya uses Eternal Blue as an attack vector (CVE-2017-0143) spreading via SMB post-exploitation. It clears the windows event log using Wevtutil. The ransomware simply encrypts the Master Boot Record (MBR) of the machines. And by encrypting the MBR it doesn’t allow the Operating system to load. Running the peta sample , we can see that there might be logical Kill switch as well, where the Sample runs “rundl32.exe” process which further creates a file “perfc.dll” as shown below. And a manual file creation  actually stops the sample from execution.

The malicious DLL gets stored into the memory:-

Writes a file “perfc” in C:\Windows directory, which is a copy of the DLL file

•    Creates a schedule task for force restart

some malware file in SPAM emails(.xls,.rtf) has a PowerShell code to download and execute Petya payload,

      –    84.200.16.242/myguy.xls

Further from the recent sample, Petya 2017 only wipes the first sectors of the disk and not actually encrypting each and every file.

Once Malware reboots (Using schedule task) victims computers and encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Indicator of Compromise

Domain Blocklist:-


hxxp://mischapuk6hyrn72[.]onion/

hxxp://petya3jxfp2f7g3i[.]onion/

hxxp://petya3sen7dyko2n[.]onion/

hxxp://mischa5xyix2mrhd[.]onion/MZ2MMJ

hxxp://mischapuk6hyrn72[.]onion/MZ2MMJ

hxxp://petya3jxfp2f7g3i[.]onion/MZ2MMJ

hxxp://petya3sen7dyko2n[.]onion/MZ2MMJ

hxxp://benkow[.]cc/71b6a493388e7d0b40c83ce903bc6b04.bin 

COFFEINOFFICE[.]XYZ

hxxp://french-cooking[.]com/

IP address Blocklist:-

95.141.115.108

185.165.29.78

84.200.16.242

111.90.139.247

Dropped Files path :-

– %WINDIR%\dllhost[.]dat

– “%WINDIR%\system32\shutdown.exe /r /f” /ST 07:45″”    [Scheduled task will be processed at specific time Interval]

– schtasks %ws/Create /SC once /TN “” /TR “%ws” /ST %02d:%02d

The ransomware attempts to encrypt files that corresponds to the following file extensions:

[.]3ds,[.]7z,[.]accdb,[.]ai,[.]asp,[.]aspx,[.]avhd,[.]back,[.]bak,[.]c,[.]cfg,[.]conf,[.]cpp,[.]cs,[.]ctl,[.]dbf,[.]disk,[.]djvu,[.]doc,[.]docx,[.]dwg,[.]eml,[.]fdb,[.]gz,[.]h,[.]hdd,[.]kdbx,[.]mail,[.]mdb,[.]msg,[.]nrg,[.]ora,[.]ost,[.]ova,[.]ovf,[.]pdf,[.]php,[.]pmf,[.]ppt,[.]pptx,[.]pst,[.]pvi,[.]py,[.]pyc,[.]rar,[.]rtf,[.]sln,[.]sql,[.]tar,[.]vbox,[.]vbs,[.]vcb,[.]vdi,[.]vfd,[.]vmc,[.]vmdk,[.]vmsd,[.]vmx,[.]vsdx,[.]vsv,[.]work,[.]xls,[.]xlsx,[.]xvd,[.]zip,[.]

SHA256 hashes

– 8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58

– 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 

– f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5

– 41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165

– 0a3706fd283a5c87340215ce05e0bdbc958d20d9ca415f6c08ec176f824fb3c0

– eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc

Prevention Yara Rule for the Perimeter Protection

rule NotPetya_Ransomware_Jun17 {

   meta:

      description = “Detects new NotPetya Ransomware variant from June 2017”

      date = “2017-06-27”

      hash1 = “027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745”

   strings:

      $x1 = “Ooops, your important files are encrypted.” fullword wide

      $x2 = “process call create \”C:\\Windows\\System32\\rundll32.exe \\\”C:\\Windows\\%s\\\” #1 ” fullword wide

      $x3 = “-d C:\\Windows\\System32\\rundll32.exe \”C:\\Windows\\%s\”,#1 ” fullword wide

      $x4 = “Send your Bitcoin wallet ID and personal installation key to e-mail ” fullword wide

      $x5 = “fsutil usn deletejournal /D %c:” fullword wide

      $x6 = “wevtutil cl Setup & wevtutil cl System” ascii

      $s1 = “%s /node:\”%ws\” /user:\”%ws\” /password:\”%ws\” ” fullword wide

      $s4 = “\\\\.\\pipe\\%ws” fullword wide

      $s5 = “schtasks %ws/Create /SC once /TN \”\” /TR \”%ws\” /ST %02d:%02d” fullword wide

      $s6 = “u%s \\\\%s -accepteula -s ” fullword wide

      $s7 = “dllhost.dat” fullword wide

   condition:

      uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 3 of them )

}

rule NotPetya_Rel_Malware {

   meta:

      description = “Detects NotPetya related malware – karo.exe”

      hash1 = “e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5”

      hash2 = “7f081859ae2b9b59f014669233473921f1cac755f6c6bbd5dcdd3fafbe710000”

      hash3 = “3e896599851231d11c06ee3f5f9677436850d3e7d745530f0a46f712e37ce082”

   strings:

      $s1 = “PublicKeyToken=3e56350693f7355e” fullword wide

      $s2 = “karo.exe” fullword wide

      $s3 = “IWshShell3” fullword ascii

   condition:

      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )

}

rule NotPetya_Rel_Malware_3 {

   meta:

      description = “Detects NotPetya related malware – iosi.exe”

      date = “2017-06-27”

      hash1 = “2ddf8df2ee880dae54a7f52e4bf56f896bb3f873fb6b8fdb60cae4a3de16ff49”

   strings:

      $s1 = “PublicKeyToken=3e56350693f7355e” fullword wide

      $s2 = “iosi.exe” fullword wide

      $s3 = “WshExecStatus” fullword ascii

      $s4 = “IsX64Process” fullword ascii

   condition:

      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )



CVE-2017-0147 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0147

Patch: MS17-010 https://technet.microsoft.com/en-us/library/security/MS17-010

………………………..XXXXXXXXXXXXXXXXXX…………………………………………………………………….

Tags: No tags

Comments are closed.