It seems there is a bit of confusion about Petya propagation. From my point of view it is using the EternalBlue exploit:
Here is the point where Petya is creating the SMB attack:
If you search for exploits available on the internet you can find similarities, for example:
https://github.com/worawit/MS17-010/blob/master/eternalblue_exploit7.py
At this point the malware is decrypting the shellcode:
As you can see, it is only doing a XOR with the byte 0xCC over 0x977 bytes.
I have extracted that part of the data and I have done the XOR decryption, and here is the resulting data (password: infected):
https://github.com/vallejocc/Malware-Analysis/blob/master/shellcode_petya/petya_shellcode.rar
If we open the shellcode with IDA we can see it is a DoublePulsar shellcode:
We can compare it with the WannaCry shellcode:
As we can see it is the same shellcode.
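The two analysis steps above (XOR-decoding the 0x977-byte blob with key 0xCC, then checking it against the WannaCry shellcode) as a small Python helper. This is an added example, not the author's script; the payload bytes below are constructed stand-ins, not the real shellcode.

```python
"""Decode a single-byte-XOR blob and compare it byte-for-byte with a reference.
Added example; the sample bytes are constructed, not Petya's real data."""
from __future__ import annotations

XOR_KEY = 0xCC          # single-byte key used by the decryption loop in the post
SHELLCODE_LEN = 0x977   # number of bytes that loop processes


def xor_decrypt(blob: bytes, key: int = XOR_KEY,
                expected_len: int | None = SHELLCODE_LEN) -> bytes:
    """XOR every byte of `blob` with `key`.

    When `expected_len` is set, a size mismatch is rejected: it usually means the
    carve offset in the sample was wrong, and decoding garbage wastes analysis time.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    if expected_len is not None and len(blob) != expected_len:
        raise ValueError(f"expected {expected_len:#x} bytes, got {len(blob):#x}")
    return bytes(b ^ key for b in blob)


def compare_shellcode(a: bytes, b: bytes) -> dict:
    """Report whether two decoded payloads are identical, and where they differ.

    The match ratio is computed over the common prefix so that a truncated carve
    still shows how much of the reference it covers.
    """
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    return {
        "len_a": len(a),
        "len_b": len(b),
        "identical": len(a) == len(b) and not diffs,
        "match_ratio": (n - len(diffs)) / n if n else 0.0,
        "diff_offsets": diffs,
    }


# Constructed stand-in for the decoded reference (WannaCry-side) shellcode.
REFERENCE = bytes((i * 7 + 3) & 0xFF for i in range(SHELLCODE_LEN))
# Constructed blob as it would sit in the binary before the XOR loop runs.
ENCRYPTED = bytes(b ^ XOR_KEY for b in REFERENCE)
# Constructed near-identical variant with two patched bytes, to show diff reporting.
VARIANT = bytearray(REFERENCE)
VARIANT[0x10] ^= 0xFF
VARIANT[0x20] ^= 0xFF
VARIANT = bytes(VARIANT)


def demo() -> dict:
    """Decode the constructed blob and compare it with the reference."""
    return compare_shellcode(xor_decrypt(ENCRYPTED), REFERENCE)
```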
Collecting targets
Petya improves the way the worm code collects targets for the SMB attack.
It uses GetExtendedTcpTable to enumerate active TCP connections and probably collects targets from the results:
It calculates the current network in order to scan it for targets:
It calls DhcpEnumSubnets / DhcpEnumSubnetClients: