A forum for reverse engineering, OS internals and malware analysis 

 #28122  by EP_X0FF
 Fri Mar 25, 2016 4:05 am
Rofl. At least something original.

All the magic happens after reboot (by forced ExitWindowsEx or NtRaiseHardError) as fake chkdsk output. Dropper itself does only preparation and writes actual encoder to starting sectors.

I remember five years ago we discussed the first MBR ransom trojan and doubted they would someday really encrypt anything. Well, we were wrong.
Repairing file system on C:

The type of the file system is NTFS.
One of your disks contains errors and needs to be repaired. This process
may take several hours to complete.It is strongly recommended to let it


CHKDSK is repairing sector Please reboot your computer! Decrypting sector
You became victim of the PETYA RANSOMWARE!

The harddisks of your computer have been encrypted with an military grade
encryption algorithm. There is no way to restore your data without a special
key. You can purchase this key on the darknet page shown in step 2.

To purchase your key and restore your data, please follow these three easy

1. Download the Tor Browser at "https://www.torproject.org/". If you need
help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser:

3. Enter your personal decryption code there:

If you already purchased your key, please enter it below.

Incorrect key! Please try again.
Unpacked dropper and starting sectors with encoder program in attach.
pass: malware
 #28134  by Fabian Wosar
 Sat Mar 26, 2016 5:25 pm
Just some notes that may or may not be helpful. Take all the information with a huge pinch of salt, as I have never done much boot loader reversing. Expect inaccuracies; some info may just be plain wrong.

The malicious MBR will essentially read 32 sectors starting from sector 0x22 to address 0x8000 and then continue execution there. The most relevant functions are located at 0x8430, which checks the typed-in password, and 0x8206, which is the decryption routine that is called if the password passes validation.

Sector 0x36 contains information required by the malicious boot loader. The first byte indicates whether or not the system has been encrypted already. If it is 0, the malware runs the encryption. If it is 1, the system counts as already encrypted. The following 32 bytes are used to derive the XOR key stream that is used to encrypt the system's MFT. After encryption took place, the malware will zero it out and set the first byte to 1. I haven't figured out the exact purpose of the next 8 bytes yet, but after that you will find the payment portal URLs and the ID displayed to the user.

Sector 0x37 contains the first 512 bytes of the XOR key stream that was used to encrypt the MFT. It is obfuscated using XOR 0x37. It will decrypt the first 8 sectors of the MFT, but the key stream changes after 4096 bytes. From what I can tell the permutation depends on the password you type in, so I don't think there is a way to use just the information there, without either the password or the 32-byte key from earlier, to predict the entire key stream. From the looks of it, the only reason it is there at the moment seems to be to verify whether the typed-in password is correct: the first 512 bytes generated by the password are compared to the partial key stream stored here to see if the user put in the correct password.

Sector 0x38 contains a backup of the original MBR, obfuscated using XOR 0x37 again.
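The sector layout described in this post, as an added example (not code from the thread or from the attachments): a small Python parser that pulls the state byte, the 32 bytes of key material and the trailing strings out of sector 0x36, strips the XOR 0x37 obfuscation from sectors 0x37 and 0x38, and checks that the recovered MBR backup still ends in a boot signature. It runs against a constructed disk image; the 512-byte sector size and the NUL-separated layout of the URLs and ID are assumptions not stated in the post.

```python
SECTOR_SIZE = 512          # assumption: 512-byte sectors
CONFIG, KEYSTREAM, MBR_BACKUP = 0x36, 0x37, 0x38
XOR_KEY = 0x37             # sectors 0x37 and 0x38 are XORed with this byte

def sector(image: bytes, index: int) -> bytes:
    data = image[index * SECTOR_SIZE:(index + 1) * SECTOR_SIZE]
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"image too short for sector {index:#x}")
    return data

def deobfuscate(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)

def parse_config_sector(image: bytes) -> dict:
    """Split sector 0x36 into the fields the post describes."""
    cfg = sector(image, CONFIG)
    if cfg[0] not in (0, 1):
        raise ValueError(f"unexpected state byte {cfg[0]:#x} in sector 0x36")
    key_material = cfg[1:33]                  # 32 bytes that derive the MFT key stream
    # Assumption: the URLs and victim ID after the 8 unknown bytes are NUL-separated.
    strings = [s.decode("ascii", "replace") for s in cfg[41:].split(b"\x00") if s]
    return {"encrypted": cfg[0] == 1,
            "key_material": key_material,
            "key_zeroed": key_material == bytes(32),  # zeroed once encryption has run
            "unknown8": cfg[33:41],                   # purpose not identified in the post
            "strings": strings}

def recover_keystream_head(image: bytes) -> bytes:
    return deobfuscate(sector(image, KEYSTREAM))   # covers only the first 8 MFT sectors

def recover_original_mbr(image: bytes) -> bytes:
    """Decode the MBR backup and check it still carries the 0x55AA boot signature."""
    mbr = deobfuscate(sector(image, MBR_BACKUP))
    if mbr[510:] != b"\x55\xaa":
        raise ValueError("recovered sector lacks the 0x55AA MBR signature")
    return mbr

def build_sample_image() -> bytes:
    """Constructed image (not a real sample) in the post-encryption state."""
    image = bytearray(SECTOR_SIZE * (MBR_BACKUP + 1))
    cfg = bytearray(SECTOR_SIZE)
    cfg[0] = 1                                # already encrypted, key material zeroed
    cfg[33:41] = b"\xaa" * 8                  # placeholder for the 8 unknown bytes
    tail = b"http://portal-a.example\x00http://portal-b.example\x00ID-CONSTRUCTED-1234\x00"
    cfg[41:41 + len(tail)] = tail
    keystream = bytes(range(256)) * 2         # stand-in for the real key stream head
    mbr = b"\x33\xc0\x8e\xd0".ljust(510, b"\x00") + b"\x55\xaa"
    for idx, data in ((CONFIG, cfg), (KEYSTREAM, deobfuscate(keystream)), (MBR_BACKUP, deobfuscate(mbr))):
        image[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE] = data
    return bytes(image)
```

Pointing `parse_config_sector` at a real image only tells you the infection state and the portal strings; the key stream beyond the first 512 bytes is not recoverable from these sectors alone, as the post notes.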