
[win] Detailed analysis report on a new variant of the Petya ransomware - reprinted

Dazzle Yi | 2017-06-28 | Industry trends | 1115 views

Introduction to the new Petya variant

According to reports on Twitter, Ukrainian government agencies have been attacked on a large scale, including the computer of Ukraine's deputy prime minister. Tencent PC Manager has confirmed that the virus is a variant of the Petya ransomware. After infecting a machine, the Petya variant scans the intranet and spreads to other intranet machines through the EternalBlue vulnerability, achieving rapid propagation. Some foreign security researchers believe the variant can also spread through email attachments, using a malicious DOC document that exploits a vulnerability. After infection, the virus modifies the system boot record; when the computer restarts, the virus code takes over before the Windows operating system loads and performs malicious operations such as encryption. After the restart, a disguised interface is displayed. This interface is actually shown by the virus: it pretends that a disk check is in progress while it is in fact encrypting the disk data.


When encryption completes, the virus demands that the victim pay $300 worth of Bitcoin before it will return the decryption key.


Propagation channel analysis

Possible propagation channel: email

According to official information from Ukraine's CERT, an email attachment is considered the source of the attack. The attachment is a DOC document that triggers the attack through the vulnerability CVE-2017-0199. PC Manager also traced similar email attacks in China; the earliest occurred on the morning of June 27. During actual testing, the entire attack chain could not be fully reproduced.


Possible propagation channel: Medoc

Many security research institutions believe the source of the Petya attack was the hijacked update service of the Medoc software.


Detailed functional analysis

Infection process analysis

1. Writing the MBR


Sectors 0 to 0x21 store the virus's MBR and microkernel code, while the original MBR is stored encrypted in sector 0x22.
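As an added example (not part of the original report), the following script checks a raw disk image for the sector layout described above: a bootable sector 0 plus a non-blank, non-bootable sector 0x22 where the encrypted original MBR is stashed. The sample images, the single-byte XOR used to build them and the "clean disks have a zero sector 0x22" heuristic are this example's own assumptions, not details from the report.

```python
import math

SECTOR = 512
ORIG_MBR_SECTOR = 0x22   # per the report: encrypted copy of the original MBR lives here
PAYLOAD_SECTORS = 0x22   # per the report: sectors 0..0x21 hold the malicious MBR and microkernel


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random/strongly encrypted data, much lower for code or zero-fill."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def read_sector(image: bytes, index: int) -> bytes:
    return image[index * SECTOR:(index + 1) * SECTOR]


def inspect_image(image: bytes) -> dict:
    """Collect the sector-level indicators a responder would check on a raw disk image."""
    mbr = read_sector(image, 0)
    stash = read_sector(image, ORIG_MBR_SECTOR)
    return {
        "mbr_has_boot_signature": mbr[510:512] == b"\x55\xaa",
        "stash_is_blank": not any(stash),
        # an intact MBR copy would end in 0x55AA; an encrypted copy almost certainly will not
        "stash_has_boot_signature": stash[510:512] == b"\x55\xaa",
        "stash_entropy": round(shannon_entropy(stash), 2),  # informational only
    }


def looks_like_petya_layout(image: bytes) -> bool:
    """Heuristic assumed by this example: sector 0x22 of a clean MBR disk is normally zero-filled,
    so a non-blank sector there that is not itself a valid MBR is suspicious."""
    r = inspect_image(image)
    return r["mbr_has_boot_signature"] and not r["stash_is_blank"] and not r["stash_has_boot_signature"]


def build_sample_images() -> tuple:
    """Constructed samples, not real captures: (clean disk, disk with the described layout)."""
    orig_mbr = b"\xeb\x3c\x90" + b"\x00" * 507 + b"\x55\xaa"   # skeletal MBR with boot signature
    clean = orig_mbr + b"\x00" * (SECTOR * 0x40)
    bootkit = bytes((i * 37 + 11) & 0xFF for i in range(SECTOR * PAYLOAD_SECTORS))  # stand-in code
    bootkit = bootkit[:510] + b"\x55\xaa" + bootkit[512:]     # the malicious MBR is still bootable
    stash = bytes(b ^ 0x07 for b in orig_mbr)                 # arbitrary single-byte XOR for the sample
    infected = bootkit + stash + b"\x00" * (SECTOR * (0x40 - PAYLOAD_SECTORS))
    return clean, infected
```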


2. Encrypting files

1) Traversing partitions

2) File types to encrypt

3) File encryption process

3. Propagation methods

1) It may spread across the LAN through administrative shares, after which remote command execution is achieved with the dropped dllhost.dat (invoked with PsExec-style arguments, as in the command line below) or with wmic.

C:\Windows\dllhost.dat \\10.141.2.26 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",##1 60 "RCAD\ryngarus.ext:FimMe21Pass!roy4""RCAD\svcomactions:3GfmGeif"


c:\windows\system32\wbem\wmic.exe /node:"IP_ADDR" /user:"User" /password:"PWD" process call create "c:\windows\system32\rundll32.exe" \"c:\windows\perfc.dat\" #1
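The two lateral-movement command lines above leave distinctive traces in process-creation telemetry. As an added example (not from the original report), the script below runs simple detection rules over constructed, flattened process-creation events; the event format, host names, addresses and rule names are this example's own assumptions.

```python
import re

# Constructed process-creation events (one Sysmon event 1 flattened per line); not real telemetry.
SAMPLE_EVENTS = [
    'Host=ws01 Parent=C:\\Windows\\System32\\rundll32.exe Image=C:\\Windows\\dllhost.dat '
    'CommandLine=C:\\Windows\\dllhost.dat \\\\10.0.0.7 -accepteula -s -d '
    'C:\\Windows\\System32\\rundll32.exe "C:\\Windows\\perfc.dat",#1 60',
    'Host=ws01 Parent=C:\\Windows\\System32\\rundll32.exe Image=C:\\Windows\\System32\\wbem\\wmic.exe '
    'CommandLine=wmic.exe /node:"10.0.0.8" /user:"corp\\svc" /password:"..." '
    'process call create "c:\\windows\\system32\\rundll32.exe" \\"c:\\windows\\perfc.dat\\" #1',
    'Host=ws02 Parent=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine=notepad.exe notes.txt',
    'Host=ws02 Parent=C:\\Windows\\System32\\svchost.exe Image=C:\\Windows\\System32\\wbem\\wmic.exe '
    'CommandLine=wmic.exe os get caption',
]

# Each rule is (name, pattern); the names are labels chosen for this example.
RULES = [
    # rundll32 loading perfc.dat by export ordinal (#1) rather than by a named export
    ("rundll32_loads_perfc_by_ordinal", re.compile(r"rundll32\.exe.*perfc\.dat.*#\d", re.I)),
    # WMIC creating a process on another host with explicit credentials
    ("wmic_remote_process_create", re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I)),
    # PsExec-style switches (-accepteula -s -d) aimed at a remote host
    ("psexec_style_remote_exec", re.compile(r"\\\\[\w.-]+\s+-accepteula\s+-s\s+-d", re.I)),
    # a .dat file running as a process image (dllhost.dat in the report)
    ("dat_file_executed_as_image", re.compile(r"Image=\S*\.dat\b", re.I)),
]


def match_rules(event: str) -> list:
    """Return the names of all rules that fire on one event line, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(event)]


def scan_events(events) -> list:
    """Run every rule over every event; the result list is parallel to the input."""
    return [match_rules(e) for e in events]


def flagged_hosts(events) -> dict:
    """Map each host to the set of rules that fired there, omitting hosts with no hits."""
    out = {}
    for event, hits in zip(events, scan_events(events)):
        host = re.match(r"Host=(\S+)", event).group(1)
        if hits:
            out.setdefault(host, set()).update(hits)
    return out
```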


2) Propagation via the EternalBlue and EternalRomance vulnerabilities


Before launching an attack, the program attempts to build a list of IP addresses that can be attacked. It collects the IPs of current TCP connections, the IPs in the local ARP cache, and the IP addresses of servers in the LAN. After collecting these addresses, it proceeds to attack them.


Disk encryption and ransom details

Main functions:

1. On system restart, the malicious MBR is loaded;

2. Check whether the disk is already encrypted; if not, display the forged disk-check interface and encrypt the MFT;

3. Display the red ransom interface and ask the user to enter the key.


Detailed analysis:

After the MBR starts, it copies the data of sectors 1-21 to address 8000 and JMPs to the code at address 8000.

It reads a marker flag to determine whether the disk has already been encrypted.

If the disk is not yet encrypted, the forged disk-check interface is displayed and the MFT is encrypted.

After encryption, the ransom note is read from the sector that follows.

The note that was read is displayed on the screen.

The key entered on the screen is read and verified.

Security advice

1. Download and install the security software promptly and use the ransomware immunization tool to protect the machine in advance. (download address of immunization tool)

2. Apply patches promptly.

3. Do not casually open suspicious files, especially attachments in unfamiliar emails; first upload them to the Habo analysis system (https://habo.qq.com/).




