<h1>Threat Intel Update</h1>
<p>Published 2024-09-25 (modified 2025-07-29) at https://lmntrix.com/blog/petya-petwrap-ransomware-with-logical-kill-switch-threat-intel-update-2/</p>

<figure class="aligncenter size-full"><img width="372" height="318" src="https://lmntrix.com/blog/wp-content/uploads/2024/09/goldeneye.webp" alt="" class="wp-image-3054"></figure>

<p>SHA256 hashes</p>
<ul>
<li>8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58</li>
<li>027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745</li>
<li>f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5</li>
<li>41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165</li>
<li>0a3706fd283a5c87340215ce05e0bdbc958d20d9ca415f6c08ec176f824fb3c0</li>
<li>eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc</li>
</ul>

<p><strong>Prevention YARA Rules for Perimeter Protection</strong></p>

<pre><code>rule NotPetya_Ransomware_Jun17 {
   meta:
      description = "Detects new NotPetya Ransomware variant from June 2017"
      date = "2017-06-27"
      hash1 = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
   strings:
      $x1 = "Ooops, your important files are encrypted." fullword wide
      $x2 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1 " fullword wide
      $x3 = "-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 " fullword wide
      $x4 = "Send your Bitcoin wallet ID and personal installation key to e-mail " fullword wide
      $x5 = "fsutil usn deletejournal /D %c:" fullword wide
      $x6 = "wevtutil cl Setup &amp; wevtutil cl System" ascii

      $s1 = "%s /node:\"%ws\" /user:\"%ws\" /password:\"%ws\" " fullword wide
      $s4 = "\\\\.\\pipe\\%ws" fullword wide
      $s5 = "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d" fullword wide
      $s6 = "u%s \\\\%s -accepteula -s " fullword wide
      $s7 = "dllhost.dat" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize &lt; 1000KB and ( 1 of ($x*) or 3 of them )
}
</code></pre>

<pre><code>rule NotPetya_Rel_Malware {
   meta:
      description = "Detects NotPetya related malware - karo.exe"
      hash1 = "e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5"
      hash2 = "7f081859ae2b9b59f014669233473921f1cac755f6c6bbd5dcdd3fafbe710000"
      hash3 = "3e896599851231d11c06ee3f5f9677436850d3e7d745530f0a46f712e37ce082"
   strings:
      $s1 = "PublicKeyToken=3e56350693f7355e" fullword wide
      $s2 = "karo.exe" fullword wide
      $s3 = "IWshShell3" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize &lt; 2000KB and all of them )
}
</code></pre>

<pre><code>rule NotPetya_Rel_Malware_3 {
   meta:
      description = "Detects NotPetya related malware - iosi.exe"
      date = "2017-06-27"
      hash1 = "2ddf8df2ee880dae54a7f52e4bf56f896bb3f873fb6b8fdb60cae4a3de16ff49"
   strings:
      $s1 = "PublicKeyToken=3e56350693f7355e" fullword wide
      $s2 = "iosi.exe" fullword wide
      $s3 = "WshExecStatus" fullword ascii
      $s4 = "IsX64Process" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize &lt; 2000KB and all of them )
}
</code></pre>

<p>CVE-2017-0147: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0147</p>

<p>Patch: MS17-010 https://technet.microsoft.com/en-us/library/security/MS17-010</p>

<p>On 2017-06-27</p>