{"id":3112,"date":"2024-10-13T07:18:08","date_gmt":"2024-10-13T07:18:08","guid":{"rendered":"https:\/\/lmntrix.com\/blog\/?p=3112"},"modified":"2025-07-29T07:02:03","modified_gmt":"2025-07-29T07:02:03","slug":"petya-petwrap-ransomware-with-logical-kill-switch-threat-intel-update","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/petya-petwrap-ransomware-with-logical-kill-switch-threat-intel-update\/","title":{"rendered":"PETYA\/PetWrap Ransomware with logical Kill switch:- Threat Intel Update"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Kill Switch Found?<\/strong><\/p>\n\n\n\n

Our research team has identified a potential \u201cKill Switch\u201d for GoldenEye\/Petya. That Kill Switch information follows.<\/p>\n\n\n\n

GoldenEye\/Petya uses Eternal Blue as an attack vector (CVE-2017-0143) spreading via SMB post-exploitation. It clears the windows event log using Wevtutil. The ransomware simply encrypts the Master Boot Record (MBR) of the machines. And by encrypting the MBR it doesn\u2019t allow the Operating system to load. Running the peta sample , we can see that there might be logical Kill switch as well, where the Sample runs \u201crundl32.exe\u201d process which further creates a file \u201cperfc.dll\u201d as shown below. And a manual file creation  actually stops the sample from execution.<\/p>\n\n\n\n

The malicious DLL gets stored into the memory:-<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Writes a file \u201cperfc\u201d in C:\\Windows directory, which is a copy of the DLL file<\/p>\n\n\n\n

\u2022    Creates a schedule task for force restart<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

some malware file in SPAM emails(.xls,.rtf) has a PowerShell code to download and execute Petya payload,<\/p>\n\n\n\n

      \u2013    84.200.16.242\/myguy.xls<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Further from the recent sample, Petya 2017 only wipes the first sectors of the disk and not actually encrypting each and every file.

Once Malware reboots (Using schedule task) victims computers and encrypts the hard drive\u2019s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Indicator of Compromise

Domain Blocklist:-<\/strong>

hxxp:\/\/mischapuk6hyrn72[.]onion\/

hxxp:\/\/petya3jxfp2f7g3i[.]onion\/

hxxp:\/\/petya3sen7dyko2n[.]onion\/

hxxp:\/\/mischa5xyix2mrhd[.]onion\/MZ2MMJ

hxxp:\/\/mischapuk6hyrn72[.]onion\/MZ2MMJ

hxxp:\/\/petya3jxfp2f7g3i[.]onion\/MZ2MMJ

hxxp:\/\/petya3sen7dyko2n[.]onion\/MZ2MMJ

hxxp:\/\/benkow[.]cc\/71b6a493388e7d0b40c83ce903bc6b04.bin 

COFFEINOFFICE[.]XYZ

hxxp:\/\/french-cooking[.]com\/

IP address Blocklist:-<\/strong>

95.141.115.108

185.165.29.78

84.200.16.242

111.90.139.247

Dropped Files path :-<\/strong>

\u2013 %WINDIR%\\dllhost[.]dat

\u2013 \u201c%WINDIR%\\system32\\shutdown.exe \/r \/f\u201d \/ST 07:45\u2033\u201d    [Scheduled task will be processed at specific time Interval]

\u2013 schtasks %ws\/Create \/SC once \/TN \u201c\u201d \/TR \u201c%ws\u201d \/ST %02d:%02d

The ransomware attempts to encrypt files that corresponds to the following file extensions:

[.]3ds,[.]7z,[.]accdb,[.]ai,[.]asp,[.]aspx,[.]avhd,[.]back,[.]bak,[.]c,[.]cfg,[.]conf,[.]cpp,[.]cs,[.]ctl,[.]dbf,[.]disk,[.]djvu,[.]doc,[.]docx,[.]dwg,[.]eml,[.]fdb,[.]gz,[.]h,[.]hdd,[.]kdbx,[.]mail,[.]mdb,[.]msg,[.]nrg,[.]ora,[.]ost,[.]ova,[.]ovf,[.]pdf,[.]php,[.]pmf,[.]ppt,[.]pptx,[.]pst,[.]pvi,[.]py,[.]pyc,[.]rar,[.]rtf,[.]sln,[.]sql,[.]tar,[.]vbox,[.]vbs,[.]vcb,[.]vdi,[.]vfd,[.]vmc,[.]vmdk,[.]vmsd,[.]vmx,[.]vsdx,[.]vsv,[.]work,[.]xls,[.]xlsx,[.]xvd,[.]zip,[.]\n\n\n\n

SHA256 hashes

\u2013 8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58

\u2013 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 

\u2013 f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5

\u2013 41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165

\u2013 0a3706fd283a5c87340215ce05e0bdbc958d20d9ca415f6c08ec176f824fb3c0

\u2013 eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc<\/p>\n\n\n\n

Prevention Yara Rule for the Perimeter Protection<\/strong>

rule NotPetya_Ransomware_Jun17 {

   meta:

      description = \u201cDetects new NotPetya Ransomware variant from June 2017\u201d

      date = \u201c2017-06-27\u201d

      hash1 = \u201c027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\u201d

   strings:

      $x1 = \u201cOoops, your important files are encrypted.\u201d fullword wide

      $x2 = \u201cprocess call create \\\u201dC:\\\\Windows\\\\System32\\\\rundll32.exe \\\\\\\u201dC:\\\\Windows\\\\%s\\\\\\\u201d #1 \u201d fullword wide

      $x3 = \u201c-d C:\\\\Windows\\\\System32\\\\rundll32.exe \\\u201dC:\\\\Windows\\\\%s\\\u201d,#1 \u201d fullword wide

      $x4 = \u201cSend your Bitcoin wallet ID and personal installation key to e-mail \u201d fullword wide

      $x5 = \u201cfsutil usn deletejournal \/D %c:\u201d fullword wide

      $x6 = \u201cwevtutil cl Setup & wevtutil cl System\u201d ascii<\/p>\n\n\n\n

      $s1 = \u201c%s \/node:\\\u201d%ws\\\u201d \/user:\\\u201d%ws\\\u201d \/password:\\\u201d%ws\\\u201d \u201d fullword wide

      $s4 = \u201c\\\\\\\\.\\\\pipe\\\\%ws\u201d fullword wide

      $s5 = \u201cschtasks %ws\/Create \/SC once \/TN \\\u201d\\\u201d \/TR \\\u201d%ws\\\u201d \/ST %02d:%02d\u201d fullword wide

      $s6 = \u201cu%s \\\\\\\\%s -accepteula -s \u201d fullword wide

      $s7 = \u201cdllhost.dat\u201d fullword wide

   condition:

      uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 3 of them )

}<\/p>\n\n\n\n

rule NotPetya_Rel_Malware {

   meta:

      description = \u201cDetects NotPetya related malware \u2013 karo.exe\u201d

      hash1 = \u201ce5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5\u201d

      hash2 = \u201c7f081859ae2b9b59f014669233473921f1cac755f6c6bbd5dcdd3fafbe710000\u201d

      hash3 = \u201c3e896599851231d11c06ee3f5f9677436850d3e7d745530f0a46f712e37ce082\u201d

   strings:

      $s1 = \u201cPublicKeyToken=3e56350693f7355e\u201d fullword wide

      $s2 = \u201ckaro.exe\u201d fullword wide

      $s3 = \u201cIWshShell3\u201d fullword ascii

   condition:

      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )

}<\/p>\n\n\n\n

rule NotPetya_Rel_Malware_3 {

   meta:

      description = \u201cDetects NotPetya related malware \u2013 iosi.exe\u201d

      date = \u201c2017-06-27\u201d

      hash1 = \u201c2ddf8df2ee880dae54a7f52e4bf56f896bb3f873fb6b8fdb60cae4a3de16ff49\u201d

   strings:

      $s1 = \u201cPublicKeyToken=3e56350693f7355e\u201d fullword wide

      $s2 = \u201ciosi.exe\u201d fullword wide

      $s3 = \u201cWshExecStatus\u201d fullword ascii

      $s4 = \u201cIsX64Process\u201d fullword ascii

   condition:

      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )<\/p>\n\n\n\n



CVE-2017-0147 https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2017-0147<\/p>\n\n\n\n

Patch: MS17-010 https:\/\/technet.microsoft.com\/en-us\/library\/security\/MS17-010<\/p>\n\n\n\n

\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026..XXXXXXXXXXXXXXXXXX\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026.<\/p>\n","protected":false},"excerpt":{"rendered":"

Kill Switch Found? Our research team has identified a potential “Kill Switch” for GoldenEye\/Petya. That Kill Switch information follows. GoldenEye\/Petya uses Eternal Blue as an attack vector (CVE-2017-0143) spreading via SMB post-exploitation. It clears the windows event log using Wevtutil. The ransomware simply encrypts the Master Boot Record (MBR) of the machines. And by encrypting the MBR […]<\/p>\n","protected":false},"author":1,"featured_media":3054,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-3112","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=3112"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3112\/revisions"}],"predecessor-version":[{"id":4359,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3112\/revisions\/4359"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/3054"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=3112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=3112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=3112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}