Petya ransomware + EternalBlue


In this short post I want to share a first quick reversing of the Petya + EternalBlue DLL, md5: 3936bda83b590512fa2cfef8acf6c294. It is a first look at it; I hope the information here is correct.

It seems there is a bit of confusion about how Petya propagates. From my point of view it is using the EternalBlue exploit.

Here is the point where Petya builds the SMB attack:

[Figure: disassembly of the code that builds the SMB attack]

If you look at the exploits available on the internet you can find similarities, for example:

https://github.com/worawit/MS17-010/blob/master/eternalblue_exploit7.py


At this point the malware is decrypting the shellcode:

[Figure: disassembly of the shellcode decryption loop]

As you can see, it is only XORing 0x977 bytes with the single byte 0xCC.

I have extracted that block of data and performed the XOR decryption; here is the resulting data (password: infected):

https://github.com/vallejocc/Malware-Analysis/blob/master/shellcode_petya/petya_shellcode.rar
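The decryption step described above is simple enough to reproduce outside the debugger. The following script is an added example and not part of the original post or of the published shellcode archive: it XORs the first 0x977 bytes of a dump with 0xCC (both values from the post), hashes the result so it can be shared, and adds a frequency heuristic for recovering a single-byte key when it is not obvious from the disassembly. The "ciphertext" it operates on is constructed inline and is not the Petya payload.

```python
import hashlib
from collections import Counter

# Values taken from the post: a single-byte XOR key of 0xCC applied to 0x977 bytes.
XOR_KEY = 0xCC
SHELLCODE_LEN = 0x977


def xor_decrypt(blob: bytes, key: int = XOR_KEY, length: int = SHELLCODE_LEN) -> bytes:
    """XOR the first `length` bytes of `blob` with the single byte `key`.

    XOR with a fixed byte is its own inverse, so the same call re-encrypts.
    """
    if len(blob) < length:
        raise ValueError(f"blob is {len(blob)} bytes, expected at least {length:#x}")
    return bytes(b ^ key for b in blob[:length])


def guess_single_byte_key(blob: bytes) -> int:
    """Heuristic for when the key is not visible in the decryption loop.

    Position-independent x86 shellcode tends to contain many 0x00 bytes
    (zero-extended immediates, padding), so the most frequent ciphertext byte
    is most likely 0x00 XOR key == key.  A guess, not a proof: confirm by
    disassembling the candidate output.
    """
    most_common_byte, _count = Counter(blob).most_common(1)[0]
    return most_common_byte


def digest(data: bytes) -> dict:
    """Hashes an analyst would publish next to an extracted blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_ciphertext() -> bytes:
    """Constructed stand-in for the encrypted region of the dump.

    NOT the real payload: a fake zero-heavy 'shellcode' of 0x977 bytes,
    XORed with 0xCC the way the post describes.
    """
    plain = bytearray(b"\x00" * SHELLCODE_LEN)
    plain[0:4] = b"\x31\xc0\x90\x90"       # constructed opcodes: xor eax,eax; nop; nop
    plain[0x100:0x10C] = b"constructed!"   # constructed marker string
    return xor_decrypt(bytes(plain))       # encryption == decryption for XOR


if __name__ == "__main__":
    ct = build_sample_ciphertext()
    key = guess_single_byte_key(ct)
    pt = xor_decrypt(ct, key)
    print(f"guessed key {key:#04x}, first bytes {pt[:4].hex()}, hashes {digest(pt)}")
```

To apply it to a real dump, read the bytes at the offset where the decryption loop starts and pass them to `xor_decrypt`; the length check guards against a dump that was cut short.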

If we open the shellcode in IDA we can see that it is a DoublePulsar shellcode:

[Figure: IDA disassembly of the Petya shellcode]

We can compare it with the WannaCry shellcode:

[Figure: IDA disassembly of the WannaCry shellcode]

As we can see, it is the same shellcode.

Collecting targets

Petya improves the way the worm code collects targets for the SMB attack.

It uses GetExtendedTcpTable to enumerate active TCP connections and probably collects targets from the results:

[Figure: call to GetExtendedTcpTable]

It calculates the current network in order to scan it for targets:

[Figure: computation of the local network range]

It calls DhcpEnumSubnets / DhcpEnumSubnetClients:

[Figure: calls to DhcpEnumSubnets and DhcpEnumSubnetClients]
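The three target sources above matter to defenders because they reach differently far: the subnet calculation stays inside the local network, while established TCP connections and DHCP client lists can name hosts on other segments. The following Python is an added example, not code from the post or from the malware: it models the three sources with constructed data (stand-ins for rows of the table GetExtendedTcpTable returns and for a DhcpEnumSubnetClients result), computes the combined set an analyst would expect the worm to derive from a given host, and splits it into on-subnet and off-subnet addresses to show the reach beyond the local /24. Field layout of the fake rows and the sample addresses are assumptions.

```python
import ipaddress

# MIB_TCP_STATE_ESTAB in the Windows TCP table; the other state numbers below
# follow the same enumeration (2 == LISTEN, 8 == CLOSE_WAIT).
MIB_TCP_STATE_ESTAB = 5

# Constructed stand-in for rows from GetExtendedTcpTable:
# (local_addr, local_port, remote_addr, remote_port, state).
SAMPLE_TCP_TABLE = [
    ("10.0.3.15", 49701, "10.0.3.7", 445, MIB_TCP_STATE_ESTAB),
    ("10.0.3.15", 49702, "10.0.3.7", 445, MIB_TCP_STATE_ESTAB),   # same peer twice
    ("10.0.3.15", 49710, "192.0.2.44", 443, MIB_TCP_STATE_ESTAB), # peer on another segment
    ("10.0.3.15", 49711, "10.0.9.2", 135, 8),                     # CLOSE_WAIT, not established
    ("0.0.0.0", 445, "0.0.0.0", 0, 2),                            # LISTEN row, no peer
    ("127.0.0.1", 50000, "127.0.0.1", 50001, MIB_TCP_STATE_ESTAB),# loopback
]

# Constructed stand-in for DhcpEnumSubnets / DhcpEnumSubnetClients output:
# subnet address -> client addresses leased on it.
SAMPLE_DHCP_CLIENTS = {"10.0.3.0": ["10.0.3.7", "10.0.3.21", "10.0.3.200"]}


def peers_from_tcp_table(rows, local_ip):
    """Remote ends of established connections, minus loopback and the host itself."""
    peers = set()
    for _local, _lport, remote, _rport, state in rows:
        if state != MIB_TCP_STATE_ESTAB:
            continue
        addr = ipaddress.ip_address(remote)
        if addr.is_loopback or addr.is_unspecified or str(addr) == local_ip:
            continue
        peers.add(addr)
    return peers


def hosts_in_local_network(local_ip, netmask):
    """The 'current network' derived from the adapter address and mask."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return set(net.hosts()) - {ipaddress.ip_address(local_ip)}


def hosts_from_dhcp(clients):
    """Every leased client address the DHCP server reported."""
    return {ipaddress.ip_address(ip) for ips in clients.values() for ip in ips}


def assemble_targets(local_ip, netmask, tcp_rows, dhcp_clients):
    """Union of the three sources, split by whether each address is on the local subnet."""
    local = ipaddress.ip_address(local_ip)
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    targets = (
        peers_from_tcp_table(tcp_rows, local_ip)
        | hosts_in_local_network(local_ip, netmask)
        | hosts_from_dhcp(dhcp_clients)
    ) - {local}
    on_subnet = {t for t in targets if t in net}
    return {"targets": targets, "on_subnet": on_subnet, "off_subnet": targets - on_subnet}


if __name__ == "__main__":
    result = assemble_targets("10.0.3.15", "255.255.255.0", SAMPLE_TCP_TABLE, SAMPLE_DHCP_CLIENTS)
    print(f"{len(result['targets'])} candidate addresses, "
          f"{len(result['on_subnet'])} on the local subnet, "
          f"off-subnet: {sorted(map(str, result['off_subnet']))}")
```

In the constructed data the only address outside 10.0.3.0/24 comes from the TCP table, which is the point: a host's live connections to servers on other segments are what lets this target collection cross a network boundary that a plain subnet scan would not.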
