Malware Analysis: Analysis of Petwrap Ransomware

Orion (Thread author), Apr 8, 2016
Unlike WannaCry, this attack DOES NOT SCAN THE INTERNET; it spreads on the local subnet and, after completion, it REBOOTS & ENCRYPTS the drive.
New ransomware outbreak

So yesterday I was on Twitter during the night and there were reports all over the place about a new Petya ransomware possibly using EternalBlue.
The ransomware includes:
  • A modified EternalBlue exploit
  • A vulnerability in a third-party Ukrainian software product
  • A second SMB network exploit

So I decided to grab a sample and do some insight on this malware.
#EternalBlue: the malware has an x86 payload, as shown in the screenshot below.
The new #Petya ransomware can do lateral movement via WMI and PsExec. It drops dllhost.dat, which is really signed PsExec.
The attackers XORed (0xCC) the shellcode (EB) to make sure the signature does not automatically get detected by anti-virus.
Logs are also being deleted. After a restart, either by the user or by the task that was scheduled, it throws up a fake chkdsk screen like Petya, then it gives you the ransom message.
The amount of IPs it scans is dependent on the subnet mask, but still limited to the local network.
65 different file types are targeted by the ransomware:
.3ds,.7z,.accdb,.ai,.asp,.aspx,.avhd,.back,.bak,.c,.cfg,.conf,.cpp,.cs,.ctl,.dbf,.disk,.djvu,.doc,.docx,.dwg,.eml,.fdb,.gz,.h,.hdd,.kdbx,.mail,.mdb,.msg,.nrg,.ora,.ost,.ova,.ovf,.pdf,.php,.pmf,.ppt,.pptx,.pst,.pvi,.py,.pyc,.rar,.rtf,.sln,.sql,.tar,.vbox,.vbs,.vcb,.vdi,.vfd,.vmc,.vmdk,.vmsd,.vmx,.vsdx,.vsv,.work,.xls,.xlsx,.xvd,.zip

If you are infected with the latest Petya/whatever you want to call it, restoring your MBR will not fix anything. The MFT is still encrypted. Do NOT turn off your computer as soon as the chkdsk screen appears if you want to save your files.
Attachments: Capture.PNG, Capture2.PNG, Capture3.PNG, Capture4.PNG, Capture5.PNG, Capture6.PNG, Capture7.PNG, DDWGcsIVYAETHTU.jpg, file exxts.jpg, ransom.PNG, DDWdUMrUIAAFOyz.jpg
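The XOR trick Orion describes above (shellcode XORed with 0xCC so the plain signature no longer hits) from the scanner's side, as an added example that is not code from the post: given a known marker from the unencoded payload, the single-byte key can be recovered from any candidate position and verified against the rest, without decoding the whole buffer under 256 keys. The marker and the sample buffer are constructed; no real shellcode is used.

```python
# Added example (not from the original thread): recovering a single-byte XOR
# key with a known marker, the way a scanner undoes the 0xCC encoding the post
# describes. MARKER and the sample buffer are constructed, not real shellcode.
from typing import Optional, Tuple

MARKER = b"CONSTRUCTED-MARKER-NOT-REAL-SHELLCODE"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)

def find_xor_key(blob: bytes, marker: bytes) -> Optional[Tuple[int, int]]:
    """Return (key, offset) if `marker` occurs in `blob` under some single-byte
    XOR key (key 0 means it occurs in the clear), else None."""
    if not marker:
        return None
    n, m = len(blob), len(marker)
    for i in range(n - m + 1):
        key = blob[i] ^ marker[0]  # the only key that can fit at this offset
        if all((blob[i + j] ^ key) == marker[j] for j in range(1, m)):
            return key, i
    return None

def build_sample(key: int = 0xCC) -> bytes:
    """Constructed 'file': padding, the marker, padding, all XORed with `key`."""
    return xor_bytes(b"\x90" * 8 + MARKER + b"\x00" * 8, key)

SAMPLE = build_sample()

if __name__ == "__main__":
    print("plain signature hits:", MARKER in SAMPLE)                # False
    print("recovered (key, offset):", find_xor_key(SAMPLE, MARKER))  # (204, 8)
```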

Orion (Thread author), Apr 8, 2016
Essentially what happened is MeDoc (big financial software) was hacked and they pushed out the malware via the update feature. It drops dllhost.dat, which is really signed PsExec.
Attachments: mail.PNG, schd.PNG, killwsitch.PNG

_CyberGhosT_, Aug 2, 2015
Impressive Orion, very well written and thorough.
This is an in-depth look, and thank you for this educational post ;)

_CyberGhosT_, Aug 2, 2015
Actually it's my first time ever posting such stuff. Excuse the clutter.

Then you're a natural at it; keep this up, these are the types of posts that enrich a community.
At the bottom of the next one you do, you could add a little "personal insights" section too for your own observations.
Thanks for your quality contribution, brother.

Orion (Thread author), Apr 8, 2016
Do not pay the #Petya ransom. You will not get your files back. The email address used is blocked!
Attachments: DDV9fNOXsAQzWzl.jpg

Daniel Keller, Dec 28, 2016
It seems it uses the winmgmt service to spread over the network. So not just SMBv1 is the problem here...

Orion (Thread author), Apr 8, 2016
It seems it uses the winmgmt service to spread over the network. So not just SMBv1 is the problem here...

I have already mentioned it in the analysis. The malware waits for 10-60 minutes after the infection to reboot the system. The reboot is scheduled using system facilities with the “at” or “schtasks” and “shutdown.exe” tools.
Attachments: schroedinger_petya_03.png
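The behaviours this thread calls out (a reboot scheduled with at/schtasks and shutdown.exe 10-60 minutes after infection, dllhost.dat as renamed PsExec, remote execution through WMI) as detection logic over process-creation logs, added here as an example and not code from the thread. The log format, hostnames, addresses and timestamps are constructed; the wmic and at/schtasks syntax is the standard Windows one.

```python
# Added example (not from the original thread): flag the reboot-scheduling,
# renamed-PsExec and WMI remote-execution patterns the thread describes in
# constructed process-creation log lines, and report the scheduled delay.
import re
from datetime import datetime

# Constructed log format (not a real product's): "<ISO time> <host> <image> | <command line>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) \| (.*)$")
# schtasks/at creating a task that runs shutdown.exe with the /r (reboot) switch
SCHED_RE = re.compile(r"\b(?:schtasks|at)(?:\.exe)?\b.*\bshutdown(?:\.exe)?\b.*?/r", re.I)
# start time given either as "schtasks ... /ST HH:MM" or "at HH:MM ..."
START_RE = re.compile(r"(?:/ST\s+|\bat(?:\.exe)?\s+)(\d{1,2}):(\d{2})", re.I)
PSEXEC_RE = re.compile(r"\bdllhost\.dat\b", re.I)           # renamed, signed PsExec
WMI_RE = re.compile(r"\bwmic(?:\.exe)?\b.*?/node:", re.I)   # WMI process creation on another host

def scheduled_delay_minutes(ts, cmd):
    """Minutes from the event time to the task's start time, or None if no time is found."""
    m = START_RE.search(cmd)
    if not m:
        return None
    start = ts.replace(hour=int(m.group(1)), minute=int(m.group(2)), second=0)
    delta = (start - ts).total_seconds() / 60
    return delta if delta >= 0 else delta + 24 * 60  # start time falls after midnight

def scan(lines):
    """Return (line_no, rule, detail) for every line that matches one of the rules."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip
        ts, cmd = datetime.fromisoformat(m.group(1)), m.group(4)
        if SCHED_RE.search(cmd):
            delay = scheduled_delay_minutes(ts, cmd)
            detail = "delay=%s min" % ("?" if delay is None else int(delay))
            findings.append((n, "scheduled-reboot", detail))
        if PSEXEC_RE.search(cmd):
            findings.append((n, "renamed-psexec", "dllhost.dat"))
        if WMI_RE.search(cmd):
            findings.append((n, "wmi-remote-exec", "wmic /node:"))
    return findings

# Constructed sample: three suspicious lines, one benign, one task scheduled past midnight.
SAMPLE_LOG = [
    r'2017-06-27T14:30:00 ws01 schtasks.exe | schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 15:15',
    r'2017-06-27T14:30:05 ws01 dllhost.dat | C:\Windows\dllhost.dat -accepteula \\192.0.2.15',
    r'2017-06-27T14:30:07 ws01 wmic.exe | wmic /node:192.0.2.15 process call create PLACEHOLDER',
    r'2017-06-27T14:31:00 ws01 notepad.exe | notepad.exe C:\Users\alice\notes.txt',
    r'2017-06-27T23:50:00 ws02 at.exe | at 00:20 C:\Windows\system32\shutdown.exe /r /f',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The delay value is what separates this pattern from an administrator's reboot: a task created for 10-60 minutes ahead by a process that is not a management tool is worth an alert on its own.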
