Malware Analysis Petya ransomware analysis preview


LabZero

Thread author
Well guys, these days I'm quite busy because of study, but I thought I'd analyze the Petya ransomware.
Petya is a very complex malware that runs on the Windows system and inserts itself into the MBR, editing the boot loader and replacing it. After having caused the restart of the machine, generating a fake BSOD (blue screen), the ransomware shows a fake error check at the level of the file system (chkdsk).
In reality, the screen is caused by Petya, which, in the meantime, is encrypting the entire contents of the Master File Table (MFT).

As the title says, this is a preview, and here I want to decide with you how to perform this analysis; I think I will continue in a detailed way in the next thread.

The first step is to analyze the executable by using an analyzer that can give us various information like the sections, the entry RVA, the entry point, and much more. It is particularly useful for analyzing the PE and in the majority of cases it may also find any packers, but in my case Detect It Easy is enough.

According to Detect It Easy, the sample is written in C/C++ and it seems to be obfuscated; therefore, a static analysis of the malicious executable is not very useful for understanding the dynamics.

I might try it with a disassembler that allows decoding the mnemonic codes of the executable, obtaining the assembler program code and the list of imported functions, and the references of all the lines, such as call/jump to and from, call/jump range, and so on, thus allowing almost all executable files to be disassembled (I said "almost" because many samples have the relocation table changed to confuse the disassemblers), giving a listing of the executable code and its resources. Here you can go into "Imported functions" and see all of the APIs that are called.
It is possible to see the exported functions and, if a line is called by a CALL or a JUMP, it is possible to find a comment like: referenced by call/jump at address xxxxxxxx, and this is a good thing.
But, as I said above, Petya seems to be obfuscated in order to make it more difficult to recognize. To confirm whether it is obfuscated or packed, it is possible to use UPX in REMnux, but I do not take this complex and, in my opinion, not very useful way, because it may be necessary to wrap the file, and then realign the PE and the whole of the import table...

Well, then I might use a tool to monitor what Petya does during its execution:
file monitors, registry monitors and API monitors for, respectively, the file access, the access to the registry and its keys, and the use of the APIs.

But this is not what I exactly want because I am interested in the infection of the MBR/ MFT.
So, to provide a readable/hex version of the MBR, I could also use a hexadecimal editor.

Hex editors let you edit a file byte by byte, by entering the hex values (ranging from 00 to FF hex). These editors are useful for modifying the executable file: it is enough to examine the code with the debugger, check the mnemonic codes of the assembler instructions, search the executable file and change them with the mnemonic codes of the instructions that I want to enter.
But in my case a hex editor, of course, is also useful to check the dynamic events during the infection.

For now I stop here, and in the next thread I'll perform the dynamic analysis of Petya. :)
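As an added illustration (not part of LabZero's post, and not code from Detect It Easy, REMnux or any other tool it mentions), the following Python script shows what the hex-editor step described above is actually looking at. It builds two constructed 512-byte MBR images, one with placeholder "clean" boot code and one whose boot code has been overwritten, dumps them in hex, parses the partition table and the 0x55AA boot signature, and compares a SHA-256 of the boot-code area against a baseline taken from the clean image. The boot-code bytes, the partition geometry and the resulting hashes are all constructed for the demonstration; none of them are values from a real Petya sample.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0x000-0x1B7 hold the boot loader code
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries follow
SIGNATURE_OFF = 0x1FE      # last two bytes must be 55 AA
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR image for demonstration (not taken from a real disk)."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code[:BOOT_CODE_LEN]
    # One bootable (0x80) NTFS (type 0x07) partition; CHS fields are placeholders.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


# Constructed samples: a few bytes resembling a normal "xor ax,ax / mov ss,ax / mov sp,0x7c00"
# prologue stand in for the clean loader; the tampered image has different bytes in the same area.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06")
TAMPERED_MBR = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc\x00\x7c\xfb\xb8\x00\x20\x8e\xc0")


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes the way a hex editor shows them: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3}} |{ascii_part}|")
    return "\n".join(lines)


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte sector into boot code hash, partition entries and signature status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:           # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_matches_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the boot loader bytes equal the hash recorded from the known-good sector."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


# Baseline recorded from the clean image; on a real system this would be captured before infection.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(image)
        print(f"== {name} MBR ==")
        print(hexdump(image[:32]))
        print("signature ok:", info["signature_ok"])
        print("partitions:", info["partitions"])
        print("boot code matches baseline:", boot_code_matches_baseline(image, BASELINE_SHA256))
```

The point the two images make is that a replaced boot loader still carries a valid 55 AA signature and an intact partition table, so those fields alone do not reveal the tampering; what catches it is comparing the boot-code region against a copy or hash saved from the clean system, which is exactly the kind of before/after view the post's hex-editor step provides.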