{"id":2309,"date":"2017-06-30T14:31:33","date_gmt":"2017-06-30T21:31:33","guid":{"rendered":"https:\/\/www.acalvio.com\/?p=2309"},"modified":"2017-06-30T14:31:33","modified_gmt":"2017-06-30T21:31:33","slug":"technical-analysis-of-petya","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2017\/06\/30\/technical-analysis-of-petya\/","title":{"rendered":"Technical Analysis of Petya"},"content":{"rendered":"

Acalvio Threat Research Labs<\/b>
\n 
\nPetya is the most recent ransomware strain. It originated in Ukraine [1] and is spreading across Europe. This blog summarizes our technical analysis of Petya. <\/span>
\nTechnical Analysis<\/b>
\nIn addition to the encryption and ransomware functionality, the Petya malware has very B aggressive spreading capabilities. The dropper analyzed was a VB6 packed binary which contains the malicious DLL. All of the functionality is executed from the DLLb\u0000\u0019s unnamed and only B exported function.<\/span>
\nAll of the file encryption is located in the MBR code. The MBR is overwritten and the old MBR is saved on the physical disk at location 0x4400 (xorb\u0000\u0019ed with 0x07).<\/span>
\nA fixtool could easily clean up the overwritten MBR on any Petya infected machine.<\/span>
\nThe ransomwareb\u0000\u0019s aggressive spreading behavior is performed via the ETERNALBLUE smb exploit. The binary uses a global object containing dynamically populated entries for attackable targets. This global object is populated by several methods and is used by a thread which enumerates the object attacking each entry in the object\/array synchronously.<\/span>
\nThe malware also attempts to propagate via WMI (presumably network share copy\/execute remote task) to adjacent network hosts.<\/span>
\nCredentials for spreading via WMI are obtained via CredEnumerate calls which are stored in a global object, accessed by the spreading WMI function<\/span>
\nThe targets are chosen exhaustively:<\/span><\/p>\n