Tuesday, June 27, 2017

Petya ransomware + EternalBlue

In this short post I want to share a first quick reversing of the Petya + EternalBlue DLL, MD5: 3936bda83b590512fa2cfef8acf6c294. It is a first look at it; I hope the information here is correct.

It seems there is a bit of confusion about Petya propagation. From my point of view it is using the EternalBlue exploit:

Here is the point where Petya is creating the SMB attack:

If you search the exploits available on the internet you can find similarities, for example:

https://github.com/worawit/MS17-010/blob/master/eternalblue_exploit7.py

At this point the malware is decrypting the shellcode:

As you can see, it is only doing a single-byte XOR with 0xCC over 0x977 bytes.

I have extracted that part of the data and done the XOR decryption; here is the resulting data (password: infected):

https://github.com/vallejocc/Malware-Analysis/blob/master/shellcode_petya/petya_shellcode.rar

If we open the shellcode with IDA we can see it is a DoublePulsar shellcode:

We can compare it with the WannaCry shellcode:

As we can see, it is the same shellcode.
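The single-byte XOR decoding described above and the Petya-vs-WannaCry shellcode comparison can be reproduced with a small analyst helper. This is an added example, not the author's code; the image offset, padding and plaintext it uses are constructed test data (the real offset of the blob inside the DLL is not given in the post), while the key 0xCC and length 0x977 are the values the post reports.

```python
import hashlib

XOR_KEY = 0xCC          # single-byte key observed in the post
SHELLCODE_LEN = 0x977   # length of the encoded shellcode blob observed in the post


def xor_decode(image: bytes, offset: int, length: int = SHELLCODE_LEN, key: int = XOR_KEY) -> bytes:
    """Slice `length` bytes at `offset` from a raw image and XOR every byte with `key`.

    A wrong offset near the end of the image fails loudly instead of silently
    returning a truncated buffer that would mislead the comparison step."""
    if offset < 0 or offset + length > len(image):
        raise ValueError(f"need {length:#x} bytes at {offset:#x}, image has {len(image):#x}")
    return bytes(b ^ key for b in image[offset:offset + length])


def compare_shellcode(a: bytes, b: bytes) -> dict:
    """Compare two decoded stages: SHA-256 of each, number of differing byte
    positions (length mismatch counts as a difference) and the fraction of
    identical bytes. This is the check behind 'it is the same shellcode'."""
    n = max(len(a), len(b))
    diffs = [i for i in range(n) if i >= len(a) or i >= len(b) or a[i] != b[i]]
    return {
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
        "identical": a == b,
        "diff_count": len(diffs),
        "similarity": 1.0 - len(diffs) / n if n else 1.0,
        "first_diff_offset": diffs[0] if diffs else None,
    }


def build_sample_image(plaintext: bytes, offset: int) -> bytes:
    """Constructed test image: zero padding, the XOR-encoded plaintext, trailing padding.
    Stands in for the DLL section the post extracts the blob from."""
    encoded = bytes(b ^ XOR_KEY for b in plaintext)
    return b"\x00" * offset + encoded + b"\x90" * 16


if __name__ == "__main__":
    # Constructed, deterministic stand-in for the 0x977-byte shellcode.
    stage = bytes((i * 7 + 3) & 0xFF for i in range(SHELLCODE_LEN))
    img = build_sample_image(stage, 0x40)
    decoded = xor_decode(img, 0x40)
    print("round trip ok:", decoded == stage)
    print(compare_shellcode(decoded, stage))
```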

Collecting targets

Petya improves on the way the worm code collects targets for the SMB attack.

It is using GetExtendedTcpTable to enumerate active TCP connections and probably collects targets from the results:



It calculates the current network in order to scan it for targets:



It calls DhcpEnumSubnets / DhcpEnumSubnetClients:
