

Antiy's analysis report on the new variant of the "Petya" ransomware

Posted by bassolino at 2020-02-27

At 21:00 Beijing time on June 27, 2017, Antiy CERT began closely following reports of a computer virus attack on the computers of the Bank of Ukraine, other relevant institutions and heads of government. Based on threat information from all parties, Ukraine is the most seriously affected country (affected parties include Deputy Prime Minister Pavlo Rozenko, the State Savings Bank, PrivatBank and other banks, Ukrposhta, the state telecom, the municipal subway, Boryspil airport in Kiev, the Ukrainian capital, and Kyivenergo), and other countries are affected to varying degrees, including Russia (Rosneft), Spain, France, the United Kingdom, Denmark (Mai), India and the United States (law firm DLA Piper).

Given the particular nature of the targets attacked, and in order to avoid knock-on effects on domestic critical information infrastructure, Antiy decided to issue an A-level security risk early warning. After several hours of analysis and assessment, the virus's propagation method was judged to carry a relatively high risk. However, given the strong regional character of the virus's initial release, and the considerable effort China has already put into the "WannaCry" emergency response, the virus has not so far spread widely in China, so it is suggested that the event be downgraded to B level.

Unlike traditional ransomware, which encrypts files, "Petya" extorts by encrypting the disk. Its earlier version only encrypted the MBR and the disk allocation table while pretending to encrypt the whole disk. Whether the current version actually completes full-disk encryption is still being verified by Antiy's analysis team.

In view of the geographical sensitivity of the initial outbreak area, the considerable propagation capability and the special timing of the attack, Antiy currently believes that this incident can neither be entirely ruled out as a malicious code attack with purely economic motives, nor be directly judged to be a targeted attack against a specific region. Although the virus has not spread widely in China at this stage, its complex means of propagation pose a relatively high security risk.

At the same time, Antiy reminds customers: since the sample uses local passwords to try to log in to other computers in order to propagate, hardening the system's security configuration, including password strength and a timely system patching policy, is an effective defense against the virus. The immunity tool Antiy released for the WannaCry ("Devil's Cave") worm remains effective against this virus.

After collecting threat intelligence from multiple parties, the direct relationship between the samples is still unclear. Follow-up analysis of some key sample files found that the attack is a new variant of the "Petya" ransomware. This variant is suspected of combining email, a downloader and a worm. By inference, the virus is delivered by email with an RTF attachment exploiting the CVE-2017-0199 vulnerability, which then drops a downloader to obtain the virus body, forming the initial diffusion nodes; it then spreads through the MS17-010 ("EternalBlue") vulnerability and weak system passwords. Preliminary analysis also indicates that it may be able to extract machine passwords in the domain after infecting a domain controller. It therefore has a certain penetration capability against internal networks and poses a greater threat to intranet security than the previously widely discussed WannaCry. Combining multiple propagation methods will become the normal mode of ransomware propagation.

The ransomware module is a DLL file. Once loaded, it traverses the user's files on disk (except those under the C:\Windows directory) and encrypts files with specified extensions; after encryption the original file name and extension are not changed. The file modifies the MBR and at the same time adds a scheduled task that shuts down the computer after a waiting period. When the user turns the computer back on, the ransom screen and message are displayed and the system cannot be entered.

According to Microsoft's report "New ransomware, old techniques: Petya adds worm capabilities" [1], the sample's start-up process indicates that it is loaded and invoked by ezvit.exe, the update process of M.E.Doc, and the command line the sample is executed with is:

C:\Windows\system32\rundll32.exe C:\ProgramData\perfc.dat #1 30

Figure 3-1 sample execution flow chart

3.1 Sample labels

Table 2-1 Binary executable

Name of virus          |
Processor architecture |
File size              | 353 KB (362360 bytes)
File format            |
Time stamp             | June 26, 2017 16:49:11 +01:00
Digital signature      |
Shell (packer) type    |
Compiler language      | Microsoft Visual C++
VT first upload time   | June 27, 2017
VT detection result    | 38 / 61

3.2 Detailed analysis of the sample

3.2.1 Privilege elevation and content loading

After being loaded, the sample tries to elevate its own privileges. The required privileges are listed below.

Table 3-2 Privileges elevated by the sample

Privilege name | Privilege content
---------------|------------------------------------------------------------
               | Permission to shut down the computer
               | Permission to modify and debug the memory of other users' processes
               | Permissions equivalent to the operating system kernel

Next, the sample traverses the process list to check whether a specific process exists, and deletes the file after reading its contents into memory. The sample also supports several loading methods, for example loading via WMI.

Figure 3-2 command to load samples using WMI

At the same time, it obtains the system's process information to determine whether the avp.exe, ns.exe or ccsvchst.exe processes exist (processes of the Kaspersky and Norton anti-virus products respectively) and sets flag bits accordingly. The subsequent infection operations consult these flags: if ns.exe or ccsvchst.exe is present, the vulnerability-based infection is not executed; if avp.exe is present, the MBR is not infected.

3.2.2 Modifying the MBR

After loading, the sample modifies the partition table. After obtaining the disk information through DeviceIoControl, it writes the code that displays the ransom message to the first physical disk.

Figure 3-3 modify MBR code

The original MBR content is XOR-encrypted with 0x7 and saved at 0x4400.

Figure 3-4 encrypting the original MBR
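As an added example (not code from the report or from Antiy), the following Python script turns the two facts above, the XOR 0x7 encoding and the 0x4400 location, into a forensic check on a raw disk image: it decodes the copy stored at 0x4400, tests whether the result is a plausible MBR, and can write that MBR back over sector 0. It assumes 0x4400 is a byte offset on the physical disk (sector 34 at 512 bytes per sector); the disk image built in the script is a constructed fixture, not a real infected disk.

```python
import struct

SECTOR = 512
BACKUP_OFFSET = 0x4400   # location named in the report; assumed to be a byte offset (sector 34)
XOR_KEY = 0x07           # XOR key named in the report
BOOT_SIG = b"\x55\xAA"   # standard MBR boot signature at bytes 510-511


def xor_bytes(data, key=XOR_KEY):
    """XOR every byte with the single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_mbr(sector):
    """Plausibility test: boot signature present, every partition-entry status
    byte is 0x00 (inactive) or 0x80 (active), and at least one entry has a
    non-zero sector count."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):
            return False
    return any(struct.unpack_from("<I", sector, 446 + 16 * i + 12)[0] for i in range(4))


def recover_original_mbr(image):
    """Decode the sector at 0x4400 with XOR 0x7; return it if it is a plausible MBR, else None."""
    backup = image[BACKUP_OFFSET: BACKUP_OFFSET + SECTOR]
    if len(backup) != SECTOR:
        return None
    candidate = xor_bytes(backup)
    return candidate if looks_like_mbr(candidate) else None


def assess_image(image):
    """Classify an image by whether a Petya-style MBR backup is present and differs from sector 0."""
    current = image[:SECTOR]
    recovered = recover_original_mbr(image)
    if recovered is None:
        return "no Petya-style backup found"
    if recovered == current:
        return "sector 0 matches decoded backup (already restored?)"
    return "infected: original MBR recoverable from 0x4400"


def restore_mbr(image):
    """Return a copy of the image with sector 0 replaced by the decoded original MBR."""
    original = recover_original_mbr(image)
    if original is None:
        raise ValueError("no recoverable MBR backup at 0x4400")
    return original + image[SECTOR:]


def build_fixture():
    """Constructed 40-sector test image: a plausible original MBR at sector 0,
    then a simulated infection in which sector 0 is replaced by a stub loader
    and the XOR-0x7 copy of the original is stored at 0x4400."""
    original = bytearray(SECTOR)
    original[0:3] = b"\x33\xC0\x8E"  # arbitrary boot-code bytes
    # one active NTFS (type 0x07) partition starting at LBA 2048, 1,000,000 sectors long
    struct.pack_into("<B3sB3sII", original, 446,
                     0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    original[510:512] = BOOT_SIG
    clean = bytes(original) + bytes(SECTOR * 39)

    infected = bytearray(clean)
    infected[0:SECTOR] = b"\xEB\xFE" + bytes(508) + BOOT_SIG          # stub replaces the MBR
    infected[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR] = xor_bytes(bytes(original))
    return clean, bytes(infected), bytes(original)


if __name__ == "__main__":
    clean, infected, original = build_fixture()
    print("clean image   :", assess_image(clean))
    print("infected image:", assess_image(infected))
    print("restored image:", assess_image(restore_mbr(infected)))
```

Restoring sector 0 only helps before the forced reboot: once the replaced MBR has run its forged CHKDSK stage, the MFT records have already been encrypted and an intact MBR alone does not bring the file system back. On a live disk, take an image first and run the check against the copy.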

Analysis of the modified MBR content:

The sample first uses the extended read operation, reading one sector into memory at a time, 0x20 times in total.

Figure 3-5 read the first 20 bytes of the disk

Then it reads the sector structure information of the first 16 disks to determine whether the file system is NTFS.

Figure 3-6 read disk information

Figure 3-7 judging the disk serial number

It displays a forged CHKDSK screen.

Figure 3-8 shows the forged CHKDSK screen

It reads and modifies the MFT records on the disk.

Figure 3-9 read sector data (NTFS header)

Figure 3-10 finding MFT records

Figure 3-11 reading and modifying records

It calculates and displays the percentage progress.

Figure 3-12 progress of computing encryption

Figure 3-13 forged CHKDSK interface

Figure 3-14 code of forged CHKDSK interface

After the record encryption is complete, it jumps to the ransom message page and waits for the user to enter the key. Once the user enters a key, it attempts to decrypt the files on the disk.

Figure 3-15 ransom interface after encryption

3.2.3 Scheduled task creation

The sample adds a shutdown action as a command line in a scheduled task, forcing the system to shut down after a period of time.

Figure 3-16 code that adds the scheduled task

3.2.4 Encryption

The sample encrypts using Microsoft's cryptographic library. The algorithms used are RSA + AES (Microsoft Enhanced RSA and AES Cryptographic Provider).

The public key used is hard-coded in the program.

Figure 3-17 public key used for encryption

All folders under all drive letters are encrypted except the C:\Windows directory. The encrypted file format is as follows.

Figure 3-18 encrypted file format

3.2.5 Propagation

The sample first determines whether the target is a server running an NT system or a domain controller.

Figure 3-19 checking whether the target is a domain controller

If so, the addresses of devices in the DHCP subnet are enumerated and stored for subsequent attacks.

Figure 3-20 enumerate the addresses of devices in the DHCP subnet

Next, the sample traverses the credentials of type termsrv in the system and attempts to connect to network resources using those credentials.

Figure 3-21 traversing the credentials of type termsrv in the system

3.2.6 Log clearing

This sample uses the Windows wevtutil tool to clear the event logs. The command line is shown below.

Figure 3-22 log clear command
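The command line quoted in section 3 and the wevtutil log clearing described here are both visible in process-creation telemetry (Windows security event 4688 or Sysmon event 1, with command-line logging enabled). The following Python script is an added example, not code from the report, showing detection rules for these indicators run over constructed sample records. The host names, timestamps and the schtasks line are my constructions (the report gives no scheduled-task command line), and the correlation rule, a payload load followed on the same host within 30 minutes by a log clear or a shutdown task, generalizes beyond the single command lines in the text.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (host, ISO timestamp, command line).
# They are sample input for the rules, not telemetry from the report. The
# rundll32 line reproduces the command line quoted in section 3; the wevtutil
# line is the standard "wevtutil cl <log>" form; the schtasks line is invented.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2017-06-27T14:05:00", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS-01", "ts": "2017-06-27T14:05:10",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\ProgramData\perfc.dat #1 30"},
    {"host": "WS-01", "ts": "2017-06-27T14:05:12",
     "cmdline": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"host": "WS-01", "ts": "2017-06-27T14:06:40", "cmdline": "wevtutil cl Security"},
    {"host": "WS-02", "ts": "2017-06-27T14:10:00", "cmdline": "wevtutil qe System /c:5"},
    {"host": "WS-03", "ts": "2017-06-27T09:00:00", "cmdline": "wevtutil cl Application"},  # lone admin action
    {"host": "WS-03", "ts": "2017-06-27T09:00:05", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# (rule name, compiled pattern, reason) - each pattern is matched against the command line only.
RULES = [
    ("rundll32_dat_ordinal",
     re.compile(r"rundll32(\.exe)?\s+\S+\.dat\s+#\d+", re.I),
     "rundll32 loading a .dat payload by export ordinal (section 3)"),
    ("schtasks_shutdown",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*shutdown", re.I),
     "scheduled task whose action is a shutdown (section 3.2.3)"),
    ("wevtutil_clear_log",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
     "event log cleared via wevtutil (section 3.2.6)"),
]


def match_event(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, pattern, _ in RULES if pattern.search(event["cmdline"])]


def scan(events):
    """Single-event hits: (host, command line, matched rule names) for every matching record."""
    hits = []
    for e in events:
        names = match_event(e)
        if names:
            hits.append((e["host"], e["cmdline"], names))
    return hits


def correlate(events, window=timedelta(minutes=30)):
    """Higher-confidence alert: a payload load followed, on the same host and within
    the window, by a log clear or a shutdown task. A lone wevtutil cl (routine admin
    work) does not trigger it."""
    by_host = {}
    for e in events:
        names = match_event(e)
        if names:
            by_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), names))
    alerts = []
    for host, seq in by_host.items():
        loads = [t for t, n in seq if "rundll32_dat_ordinal" in n]
        follow = [t for t, n in seq if "wevtutil_clear_log" in n or "schtasks_shutdown" in n]
        if any(timedelta(0) <= (f - l) <= window for l in loads for f in follow):
            alerts.append(host)
    return sorted(alerts)


if __name__ == "__main__":
    for host, cmdline, names in scan(SAMPLE_EVENTS):
        print(f"{host}: {names} <- {cmdline}")
    print("correlated hosts:", correlate(SAMPLE_EVENTS))
```

The single-event rules are deliberately broad (any .dat loaded by ordinal, any log clear), so they are best used as the inputs to the correlation step rather than as stand-alone alerts; the report's own observation that the log clear follows the payload is what gives the combined rule its precision.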

4.1 Affected operating systems

The "Petya" ransomware affects Windows XP and later operating systems.

4.2 If not infected

1. Email precautions

Because this "Petya" ransomware variant first spreads through email, be alert to phishing email. Do not open attachments from unknown senders, and do not click links in email from unknown sources.

2. Update the operating system patch (MS)

3. Install the patch for the Microsoft Office / WordPad remote code execution vulnerability (CVE-2017-0199)

4. Disable the WMI service

How to disable it: https://zhidao.baidu.com/question/91063891.html

5. Change empty and weak passwords

If the operating system has an empty or weak password, change it to a strong password promptly.

6. Immunity tool

The WannaCry immunity tool developed by Antiy is still effective for this event.

Download address: https://www.anti.com/tools.html

4.3 If infected

"Petya" is an Eastern European women's name from the Slavic language family; it was also the name of a class of light frigates of the former Soviet Union. It can be said that this malicious code showed certain geographical characteristics from the start. The consequences of the Petya virus are unusual among ransomware: it prevents the computer from entering the normal system start-up process, which serves the purpose of extortion but also lets it be used as a destructive payload. Because it encrypts sectors while disguised as a disk-check process run after a system problem, this social engineering trick ensures that it completes the whole encryption process. Used as a destructive payload, it achieves the same unbootable-system effect as earlier attacks that damaged boot records, such as the Ukraine power outage [1] and the attack on Sony. In view of the special timing of this incident, Antiy's analysis team believes that at present it cannot be concluded that this incident is a malicious code attack aimed at economic extortion, and further analysis is needed.

In its 2016 annual report on basic threats [3], Antiy compared "the propagation entry points of the worm era with the propagation entry points of ransomware" and predicted a trend toward composite propagation. The new version of "Petya" further shows that spreading infection by email into the internal network and then within it may bring more serious consequences than the simple scan-and-implant approach of a WannaCry-style worm. At the same time, it is worth noting that Petya does not use a 0-day or even a 1-day vulnerability, but an old one, and its other propagation methods also exploit basic configuration problems such as weak or empty passwords. These problems once again show that system policy hardening and timely patch upgrades are essential security measures.

Sweeping the internal network through a single point of entry such as email or a browser, followed by lateral movement, is a basic method shared by traditional targeted attacks and APT attacks. However, because of the covertness of APT attacks, such attacks have existed for many years without effectively driving improvements in intranet security governance. Ransomware attacks, by contrast, are a security risk that has serious consequences and is highly visible at the same time. From WannaCry to Petya, they expose the ineffective protection of many information systems.

Faced with this situation, rather than exaggerating the capabilities and threat of the virus itself, it is better to consider seriously whether the basic work of security is solid. The response cannot rest mainly on disaster recovery, data restoration or even decryption; it must be based on prevention as far in advance as possible, minimizing the number of vulnerable nodes.

On February 17, 2017, at the national security forum, General Secretary Xi Jinping called for "strengthening network security early warning and monitoring, ensuring the security of big data, and achieving all-weather, round-the-clock perception and effective protection"; this can be said to set out the basic requirement of "effective" protection for key information technology facilities. If situational awareness is the top value of information security, effective protection is its basic capability. Without the foundation of effective protection, threat intelligence and other capabilities and means have nothing to connect to, cannot be put into practice and cannot produce value.

Since 2015, based on the judgment that ransomware had become a business model of the underground economy and would inevitably spread and break out on a large scale, Antiy has added strategies such as "encryption behavior identification" and "bait files" to its endpoint defense product Smart Armour. The October 2016 version of Smart Armour can effectively intercept the encryption behavior of emerging ransomware such as WannaCry without upgrading the virus database or modules. Across Antiy's product line, effective protection and value output are our consistent pursuit.
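The two strategies named here, encryption behavior identification and bait files, can be illustrated at the concept level. The following Python script is an added example, not Antiy's product code and not from the report: it plants decoy documents, records their hashes, and reports any decoy that was later deleted or overwritten, using the Shannon entropy of the new content (threshold 7.5 bits per byte, an assumed value) to separate an encrypting writer from an ordinary edit. The decoy names, the simulated overwrite and the deterministic pseudo-random "ciphertext" are all constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile

# Assumed threshold: text and office documents sit well below this; ciphertext
# and compressed data approach the 8.0 maximum.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def snapshot(paths):
    """Baseline: SHA-256 of each bait file as planted."""
    out = {}
    for p in paths:
        with open(p, "rb") as f:
            out[p] = hashlib.sha256(f.read()).hexdigest()
    return out


def check_bait(baseline):
    """Compare the bait files against the baseline. Any change to a bait file is
    a finding (nothing legitimate should touch them); a change that leaves
    high-entropy content is flagged as likely encryption."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append((os.path.basename(path), "deleted"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        kind = "overwritten_high_entropy" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "overwritten"
        findings.append((os.path.basename(path), kind))
    return findings


def pseudo_random_bytes(n):
    """Deterministic high-entropy bytes standing in for ciphertext (a constructed
    stand-in, not output of any real encryptor)."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


def demo():
    """Plant three bait files in a temporary directory, snapshot them, simulate the
    write pattern an encryptor would leave on two of them, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        names = ["~$decoy_invoice.docx", "decoy_budget.xlsx", "decoy_notes.txt"]
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"Quarterly figures, see attached table.\n" * 40)  # low-entropy text
        baseline = snapshot(paths)
        # Simulated tampering: one in-place overwrite with high-entropy data, one deletion.
        with open(paths[0], "wb") as f:
            f.write(pseudo_random_bytes(4096))
        os.remove(paths[2])
        return sorted(check_bait(baseline))


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: {kind}")
```

In a real endpoint agent the check would run on file-change notifications rather than by polling, and the process that touched the bait file would be suspended before its next write; the entropy test also applies to ordinary user files, where a sudden jump from document-like entropy to near 8.0 across many files is the "encryption behavior" signal.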

[1] Microsoft: "New ransomware, old techniques: Petya adds worm capabilities"

[2] Comprehensive analysis report of attacks on Ukraine's power system

[3] Antiy: Review and prospect of network security threats in 2016


Antiy is a leading vendor focused on threat detection and defense technology. The company's mission is to enhance users' core ability to deal with network threats and to improve users' awareness of threats. Relying on core technologies such as its independently developed, advanced threat detection engine and on its expert teams, Antiy provides users with endpoint protection, traffic monitoring, in-depth analysis, threat intelligence, situational awareness and other related products, solutions and services.

More than 100 well-known security and IT companies around the world have chosen Antiy as their detection partner. Antiy's anti-virus engine provides security protection for nearly 100000 network devices and network security devices and nearly 600 million mobile phones around the world. Antiy's mobile detection engine was the first Chinese product in the world to win the annual AV-TEST award.

Even after combining the existing threat intelligence from multiple parties, a complete connection with the relevant samples still cannot be established. Some samples show other behavior, such as spreading a botnet, which interferes with the analysis to some degree. Without on-site evidence collection, the interfering items cannot be effectively filtered out. Therefore, all suspected relevant information collected at this stage is presented as follows: