Petya malware

Forum for analysis and discussion about malware.

Petya malware

Postby geoffreyvdb » Thu Mar 24, 2016 5:50 pm

I thought this one was pretty interesting, modifies the MBR and encrypts fs content

https://www.virustotal.com/en/file/26b4 ... /analysis/

Re: Petya malware

Postby EP_X0FF » Fri Mar 25, 2016 4:05 am

Rofl. At least something original.

All the magic happens after reboot (forced via ExitWindowsEx or NtRaiseHardError) as fake chkdsk output. The dropper itself only does preparation and writes the actual encoder to the starting sectors.

I remember five years ago we discussed the first MBR ransom trojan and doubted they would someday really encrypt anything. Well, we were wrong.

Repairing file system on C:

The type of the file system is NTFS.
One of your disks contains errors and needs to be repaired. This process
may take several hours to complete. It is strongly recommended to let it
complete.

WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD
DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED
IN!

CHKDSK is repairing sector
Please reboot your computer!
Decrypting sector
You became victim of the PETYA RANSOMWARE!

The harddisks of your computer have been encrypted with an military grade
encryption algorithm. There is no way to restore your data without a special
key. You can purchase this key on the darknet page shown in step 2.

To purchase your key and restore your data, please follow these three easy
steps:

1. Download the Tor Browser at "https://www.torproject.org/". If you need
help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser:



3. Enter your personal decryption code there:



If you already purchased your key, please enter it below.

Key:
Incorrect key! Please try again.


Unpacked dropper and starting sectors with the encoder program are in the attachment.
Ring0 - the source of inspiration

Re: Petya malware

Postby R136a1 » Fri Mar 25, 2016 1:42 pm

It's getting better every day...

And of course, German security experts appear on the surface with brilliant comments:
Source: http://www.heise.de/security/meldung/Er ... 50917.html


Re: Petya malware

Postby Fabian Wosar » Sat Mar 26, 2016 5:25 pm

Just some notes that may or may not be helpful. Take all the information with a huge pinch of salt, as I have never done much boot loader reversing. Expect inaccuracies; some info may just be plain wrong.

The malicious MBR will essentially read 32 sectors starting from sector 0x22 to address 0x8000 and then continue execution there. The most relevant functions are located at 0x8430, which checks the typed-in password, and 0x8206, which is the decryption routine that is called if the password passes validation.

Sector 0x36 contains information required by the malicious boot loader. The first byte indicates whether or not the system has been encrypted already. If it is 0, the malware runs the encryption. If it is 1, the system counts as already encrypted. The following 32 bytes are used to derive the XOR key stream that is used to encrypt the system's MFT. After encryption has taken place, the malware zeroes them out and sets the first byte to 1. I haven't figured out the exact purpose of the next 8 bytes yet, but after that you will find the payment portal URLs and the ID displayed to the user.

Sector 0x37 contains the first 512 bytes of the XOR key stream that was used to encrypt the MFT. It is obfuscated using XOR 0x37. It will decrypt the first 8 sectors of the MFT, but the key stream changes after 4096 bytes. From what I can tell, the permutation depends on the password you type in, so I don't think there is a way to use just the information there, without either the password or the 32-byte key from earlier, to predict the entire key stream. From the looks of it, the only reason it is there at the moment seems to be to verify whether the typed-in password is correct: the first 512 bytes generated by the password are compared to the partial key stream stored here to see if the user entered the correct password.

Sector 0x38 contains a backup of the original MBR, obfuscated using XOR 0x37 again.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
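A small forensic parser for the sector layout described in the post above, written as an added example rather than code from the thread or from any Petya decrypter: it reads the state sector (0x36), de-obfuscates the stored partial key stream (0x37) and the backed-up original MBR (0x38) with XOR 0x37, and checks the backup's 0x55AA boot signature before returning it. The disk image is constructed inline; the URL/ID string format and the key-stream generator are not documented in the post, so string extraction is heuristic and the key stream is a stand-in.

```python
import re

SECTOR = 512
OBF_XOR = 0x37  # sectors 0x37 and 0x38 are XOR-obfuscated with this byte
STATE_SECTOR, KEYSTREAM_SECTOR, MBR_BACKUP_SECTOR = 0x36, 0x37, 0x38

def read_sector(image: bytes, n: int) -> bytes:
    chunk = image[n * SECTOR:(n + 1) * SECTOR]
    if len(chunk) != SECTOR:
        raise ValueError(f"image too short for sector {n:#x}")
    return chunk

def deobfuscate(data: bytes) -> bytes:
    return bytes(b ^ OBF_XOR for b in data)

def parse_state_sector(image: bytes) -> dict:
    """Sector 0x36: flag byte, 32 bytes of key material, 8 unknown bytes, then portal URLs and ID."""
    s = read_sector(image, STATE_SECTOR)
    # The URL/ID layout is not documented in the post, so printable runs are extracted heuristically.
    strings = [m.decode() for m in re.findall(rb"[\x20-\x7e]{8,}", s[41:])]
    return {"encrypted": s[0] == 1, "key_present": any(s[1:33]), "key": s[1:33], "strings": strings}

def recover_original_mbr(image: bytes) -> bytes:
    """Sector 0x38 holds the pre-infection MBR XOR 0x37; require the 0x55AA boot signature."""
    mbr = deobfuscate(read_sector(image, MBR_BACKUP_SECTOR))
    if mbr[510:] != b"\x55\xaa":
        raise ValueError("de-obfuscated backup lacks a boot signature; layout assumption failed")
    return mbr

def keystream_matches(image: bytes, candidate: bytes) -> bool:
    """Mirror of the loader's check: first 512 bytes of a candidate key stream against sector 0x37."""
    return deobfuscate(read_sector(image, KEYSTREAM_SECTOR)) == candidate[:SECTOR]

def build_sample_image(keystream: bytes) -> bytes:
    """Constructed image (not a real Petya sample): only sectors 0x36-0x38 carry data."""
    img = bytearray(SECTOR * (MBR_BACKUP_SECTOR + 1))
    state = bytearray(SECTOR)
    state[0] = 1  # encryption done; the 32 key bytes stay zeroed as the malware leaves them
    state[33:41] = b"\xaa" * 8  # stand-in for the 8 undocumented bytes
    tail = b"http://PLACEHOLDER-PORTAL.onion/\x00ID-CONSTRUCTED-0001\x00"
    state[41:41 + len(tail)] = tail
    mbr = bytearray(SECTOR)
    mbr[:3], mbr[510:] = b"\xfa\x33\xc0", b"\x55\xaa"  # cli / xor ax,ax stub plus boot signature
    for n, sec in ((STATE_SECTOR, bytes(state)), (KEYSTREAM_SECTOR, deobfuscate(keystream[:SECTOR])),
                   (MBR_BACKUP_SECTOR, deobfuscate(bytes(mbr)))):
        img[n * SECTOR:(n + 1) * SECTOR] = sec
    return bytes(img)

SAMPLE_KEYSTREAM = bytes((i * 7 + 3) & 0xFF for i in range(SECTOR))  # constructed stand-in stream
SAMPLE_IMAGE = build_sample_image(SAMPLE_KEYSTREAM)
```

On a real image, a passing boot-signature check on the recovered sector 0x38 is the minimum sanity test before writing it back to sector 0.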

Re: Petya malware

Postby Artilllerie » Thu Mar 31, 2016 3:44 pm

Petya dll (IAT patched)


Re: Petya malware

Postby geoffreyvdb » Fri Apr 01, 2016 11:07 am

Fresh sample, new packing method

Re: Petya malware

Postby geoffreyvdb » Tue Apr 05, 2016 6:33 am


Re: Petya malware

Postby slipstream- » Sun Apr 10, 2016 6:59 pm

Someone supposedly made a decrypter. https://petya-pay-no-ransom.herokuapp.com/

Re: Petya malware

Postby slipstream- » Mon Apr 11, 2016 9:59 am

slipstream- wrote: Someone supposedly made a decrypter. https://petya-pay-no-ransom.herokuapp.com/

Turns out it's open source: https://github.com/leo-stone/hack-petya

Re: Petya malware

Postby rkhunter » Mon Apr 11, 2016 10:33 am
