Petya Ransomware Initial Analysis
The document below is an initial level analysis of the recent Petya Ransomware (2017). We will also discuss an analysis of a dll variant of the ransomware.
Encrypt the target machine and ask for ransom (in Bitcoins) to decrypt it.
First, this document does not contain all of the indicators but will explain the specimen process. The analysis objective is to do some code analysis in a dissembler and then perform a dynamic analysis as well to see artifacts while the malware is in action.
The Petya variant is using an expired Microsoft Certificate.
Since the objective of this ransomware is to encrypt the target machine, I prefer to do some static analysis (i.e. to analyze malware without running it) in IDA Pro and check whether we can see any interesting functions.
- Dll is loaded into IDA pro, and as expected it stops at dll Entry Point(main() for dll).
The specimen is using the function below, calling CreateToolhelp32snapshot followed by Process32First and Process 32 Next. This means the specimen is enumerating the victim machine for running processes.
The authors have XOR’ed the Process Names they are reviewing. After a bit of deobfuscation, it turned out that they are checking for the following AV
- Kaspersky, Norton Security, Symantec.
Based on SeDebugPrivilege permissions, the malware will call three APIs to encrypt the files using AES encryption in memory.
After that specimen, it deletes its activities by deleting Setup, System, Security and Application Event Logs using weutil. It also used fsutil to delete the USN change journal(to remove traces of any update to volume.)
- Notice wevutil cl and fsutil /D command below
For lateral movement, Petya does the following:
- It tries to make a connection to admin$ with a call to WNetAddConnection with a null username and password, which means that specimen is using current user credentials which will exploit shared local administrator accounts.
- After the connection is made, the malware will create a copy of itself using CreateFile() and WriteFile()
- Then the newly created file is executed using an embedded utility which the specimen extracts as dllhost.dat (C:Windows) on the target system. This dllhost.dat file uses %s -acceptula -s, which is a silent option for PSEXEC. Submitting dllhost.dat files to VirtuTotal reveals it as PSEXEC.
- If above approach fails, then the malware will try to execute the dllhost.dat file using WMIC.exe.
- The specimen also uses DHcpEnumSubnets, DHCPSubnetINfo, DHCPSubnetCLients to enumerate all the clients in the domain.
- If the specimen gets SEDebugPrivilege, then the specimen will also access the physical device.
- The specimen collects all the files as listed below.
- Below is some of the text of Petya banner that we will see once the target system is encrypted
- Below is the Fake CHKDSK message.
- Since this is a dll, it needs to be run with rundll32 like below
- As soon as the task is created, it creates a Scheduled task to shut down the system. I have observed that it gives a buffer of around one hour before the scheduled tasks kick in. In this buffer period, malware will get a hold of the whole system and also try to enumerate the network, since just before the shutdown, malware will delete itself and if it immediately shuts itself down, then it misses the chance to spread in the network.
- As stated above, the specimen tries to map admin share to other machines on the network.
Following are the processes created by the specimen.
As mentioned above in static analysis
- It creates a scheduled task
- Creates a tmp file in AppData local folder
- Creates dllhost.dat file in C:Windows
- I also noticed that the specimen will delete the malicious file (petya.dll) in this case and will copy to C:Windows. Those who are still following the document will know why I mentioned this point. (Later in Kill Switch)
- There are a whole lot of CreateFile events by this specimen since it needs to get hold of the files in the system to encrypt.
After the scheduled tasks kick in, then as expected the FAKECHKDSK message will appear.
Defeating Petya process(trial)
I thought to try a couple of techniques to avoid either the encryption process or to stop the malware from running altogether.
I tried using the Cisco MBRFilter driver utility which per Cisco will prevent any attempts to overwrite MBR record.
This did not work for me, and Petya successfully encrypted my system even with this driver running L.
- There is some news of a Kill Switch of Petya of including perfc file in C:Windows directory. I blindly followed the news and created following perfc* app files in read only mode.
But it did not work, and Petya again encrypted my device. Reading the code reveals that the specimen is looking for the exact same file which is run as a specimen. In our case it is petya.dll. So I created a new Petya.dll app file and make it read only
And this time it worked. I could see the malware process created but then deleted itself after it saw the existence of petya.dll. There was no creation of a scheduled task as is mentioned above.
To be on the safe side, I restarted my system, and it came back in good shape.
So, this is the initial Analysis. I will work on the credential extraction process in this malware and will also review what stack parameters can be seen in the debugger.