NotPetya Ransomware analysis

NotPetya is ransomware that behaves as a wiper. It was used in a cyberattack that targeted Ukraine on 27 June 2017.
Like WannaCry, it spreads with the EternalBlue exploit (MS17-010). In addition, it implements other lateral movement techniques that compromise Windows hosts on the same network even when they are patched against MS17-010.
Using these lateral movement techniques, the malware infected thousands of computers in more than 65 countries.


NotPetya Execution Flow

The diagram below gives an overview of how NotPetya spreads on local networks and damages systems:


Infected computer

The initial infection of NotPetya happens in several ways.

The first is a phishing e-mail carrying a malicious document that exploits CVE-2017-0199 (a remote code execution flaw in the way Microsoft Office handles OLE objects). The document downloads and executes a VBA script, which in turn downloads and executes the final payload.
Below is a sample of the phishing e-mail:

Hello target.emailName,
You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089

With appreciation!
Prince

Attached file name: Scan_targed.emailName.doc

Source: https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759#email-forms-and-attachment

The second way is a trojanised update of M.E.Doc, accounting software used by more than 80% of Ukrainian companies. The attackers pushed a malicious update through the M.E.Doc update mechanism, which is why Ukraine was the epicenter of the attack and why most of these companies suffered heavy damage.

The third way is lateral movement from an already infected computer on the same local network, which also works against patched computers.

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
A malicious file received by e-mail is analyzed, detected as malicious and blocked.
The analysis engine detects the malicious part of the update and blocks its execution.

Thanks to the security policies, applications and programs have limited access to the network, so the malware cannot spread to other hosts.


Execute perfc.dll

After the initial infection, the malicious DLL perfc.dll is loaded by rundll32 with the following command line (export ordinal #1 is the entry point):

rundll32.exe <PathToDLL>\perfc.dll, #1

Filename:          perfc.dll
File type:         DLL
Size (bytes):      362 360
Compilation date:  18 June 2017
MD5:               71b6a493388e7d0b40c83ce903bc6b04
SHA1:              34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256:            027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Signature:         Invalid "Microsoft" certificate
VirusTotal:        perfc.dll
Information about perfc.dll

The perfc.dll file carries an invalid certificate issued in Microsoft's name: the signature does not verify, but an anti-virus check that only looks at the signer name instead of validating the certificate chain can be fooled by it.
An example of how such a fake signature is attached to a binary: https://github.com/HackerFantastic/Public/blob/master/tools/bypassavp.sh

If the DLL is not started with administrator rights, some steps are skipped. In practice, however, it usually runs as administrator, because lateral movement launches it remotely with stolen administrator credentials.

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be created.


Check if already infected

To check whether the computer is already infected, the malware first looks for a file named like the DLL but without its extension (perfc) in C:\Windows. If the file exists, the DLL exits immediately.

This is not a kill switch in the WannaCry sense, because the file name can differ between samples. It does, however, work as a vaccine against this specific sample.

Figure: vaccine check performed by NotPetya

If a computer on your network is infected, create a file with the name of the DLL without its extension (perfc for this sample) in the Windows folder of every machine, and mark it read-only so the malware cannot replace it; the infection then stops on those machines.


Malicious action on the MBR

The malicious activity starts here, after the vaccine check.
The DLL tries to write a new MBR that will display the ransom note. If the write fails, or if Kaspersky Anti-Virus is found in the process list, the first ten sectors of the disk are erased instead.

To detect anti-virus products, the malware hashes the name of every running process with a custom hash function and compares the result with the following hashes:

Hash        Process name
0x2E214B44  avp.exe (Kaspersky)
0x651B3005  NS.exe (Norton Security)
0x6403527E  ccSvcHst.exe (Symantec)
Process hashes searched for

The result is stored as a flag word, with one bit per product family:

Process found                        Returned value
None                                 0xFFFFFFFF
Kaspersky                            0xFFFFFFF7
Norton or Symantec                   0xFFFFFFFB
Kaspersky and (Norton or Symantec)   0xFFFFFFF3
Anti-virus flags (bit 0x8 is cleared for Kaspersky, bit 0x4 for Norton or Symantec)

By testing these flags, the malware checks whether Kaspersky is present. If it is, the first ten sectors of the first physical drive are overwritten. This destroys the MBR and the partition table it contains, so after the wipe the operating system can no longer boot.

Figure: wipe function of NotPetya

If Kaspersky is not found in the process list, a new MBR is written to the disk so that the ransom note is displayed after the reboot.
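To make the flag logic concrete, here is an added Python example (not code from the original analysis) that rebuilds the flag word from a list of running process names and derives the two decisions the flags drive: the MBR action described above, and the SMB exploit step described later, which is skipped when Norton or Symantec is present. The malware's custom hash function is not reproduced; the comparison is done on the process name directly, an assumption that preserves the decisions but not the hash values in the table.

```python
"""Reconstruction of NotPetya's anti-virus check and the decisions it drives.

Added example, not code from the original analysis. The four flag values are
the ones in the flags table; the three process names are the ones whose
hashes the malware looks for. Assumption: the malware's custom process-name
hash is replaced by a case-insensitive name comparison.
"""

KASPERSKY_BIT = 0x8   # cleared (0xFFFFFFFF -> 0xFFFFFFF7) when avp.exe is running
SYMANTEC_BIT = 0x4    # cleared (0xFFFFFFFF -> 0xFFFFFFFB) when NS.exe or ccSvcHst.exe is running

# Process names the malware looks for and the flag bit each one clears.
AV_PROCESSES = {
    "avp.exe": KASPERSKY_BIT,        # Kaspersky
    "ns.exe": SYMANTEC_BIT,          # Norton Security
    "ccsvchst.exe": SYMANTEC_BIT,    # Symantec
}


def av_flags(process_names):
    """Return the 32-bit flag word for a list of running process names."""
    flags = 0xFFFFFFFF
    for name in process_names:
        bit = AV_PROCESSES.get(name.lower())
        if bit is not None:
            flags &= ~bit & 0xFFFFFFFF
    return flags


def kaspersky_present(flags):
    return not flags & KASPERSKY_BIT


def symantec_present(flags):
    return not flags & SYMANTEC_BIT


def plan(process_names):
    """Map the flag word to the two decisions described in the analysis:
    what to do with the MBR, and whether to run the SMB exploits."""
    flags = av_flags(process_names)
    return {
        "flags": flags,
        # Kaspersky running: wipe the first ten sectors instead of installing
        # the ransom boot loader.
        "disk_action": "wipe first 10 sectors" if kaspersky_present(flags)
                       else "write ransom MBR",
        # Norton/Symantec running: skip EternalBlue/EternalRomance.
        "use_smb_exploits": not symantec_present(flags),
    }


if __name__ == "__main__":
    # Constructed process list: a host running Kaspersky next to normal services.
    sample = ["System", "svchost.exe", "avp.exe", "explorer.exe"]
    print(plan(sample))   # flags 0xFFFFFFF7, wipe first 10 sectors, use_smb_exploits True
```

The flag word only ever has two bits cleared, so a sample whose hash table is extended to more products would show up as additional bits; the four values in the table are exactly the combinations of these two.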


Network enumeration

Like WannaCry, NotPetya tries to replicate itself on the other computers of the local network. To build the list of potential targets it uses several Windows APIs: DhcpEnumSubnetClients, WNetOpenEnum and NetServerEnum.

These APIs return the clients leased in the DHCP scope of the infected computer, the network resources (servers and shares) visible to it, and the domain controllers.

Figure: network scan performed by NotPetya

Scanning the 255 hosts of the local subnet (visible as ARP traffic) takes about 15 minutes.

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
Thanks to the security policies, applications and programs have limited access to the network.


Credential theft

Once the hosts are listed, NotPetya steals credentials so that it can authenticate to them remotely.

It does so with a minimal Mimikatz implementation stored in one of its resources. The resource is written to a .tmp file and executed with a named pipe as parameter; the stolen credentials are sent back to the main process through that pipe.

Filename:          %random%.tmp
File type:         Executable
Size (bytes):      56 320
Compilation date:  6 June 2017
MD5:               7e37ab34ecdcc3e77e24522ddfd4852d
SHA1:              38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256:            02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
Signature:         None
VirusTotal:        Petya Mimikatz
Information about the minimal Mimikatz module

The malware also calls the CredEnumerateW API to read the credentials saved in the Windows Credential Manager. Any generic credential whose target name starts with "TERMSRV/" (a saved Remote Desktop logon) is reused for spreading across the network.

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be created.


Copy itself to available admin share

To spread, NotPetya copies itself into the admin share of each reachable computer listed earlier. The target is \\[IP]\admin$, which maps to C:\Windows on the remote host. Writing there requires administrator rights on the remote computer, which is why the credentials returned by the Mimikatz module are tried one after another until a connection succeeds. Before copying, the malware checks whether the DLL already exists in the target folder.

Figure: NotPetya copying itself to a remote admin$ share

This check is another vaccine point: if the file already exists in C:\Windows on the remote machine, that machine is not infected again.

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
Thanks to the security policies, applications and programs have limited access to the network.


Use PsExec and WMI to execute itself remotely

After copying itself into the admin share, NotPetya executes the DLL remotely, either with a copy of Microsoft's PsExec (dropped as C:\Windows\dllhost.dat) or with the WMI command-line tool wmic.exe. Both require administrator credentials on the target, which is why the Mimikatz module returns its results through the pipe. In the PsExec command, -accepteula suppresses the licence prompt, -s runs the payload as SYSTEM and -d returns without waiting for it to finish.

PsExec command line:

C:\Windows\dllhost.dat \\<IP address> -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\<File>",#1

wmic command line:

C:\Windows\System32\Wbem\Wmic.exe /node:<Server> /user:<Username> /Password:<Password> process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\<File>\" #1"

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
Thanks to the security policies, applications and programs have limited access to the network.


Spread using Eternal Blue

EternalBlue and EternalRomance, the two SMBv1 exploits patched by MS17-010, are implemented in NotPetya to spread on the local network.
This step is performed only if no Symantec or Norton anti-virus process is found in the process list.

If the process was not started as administrator, EternalBlue is also run against the local machine to escalate privileges.

Figure: EternalBlue exploit attempt

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
Thanks to the security policies, applications and programs have limited access to the network.


Data encryption

The malware walks every folder and subfolder, excluding C:\Windows, and encrypts the files whose extension is in the list below with AES (the AES key is then encrypted with an RSA public key embedded in the sample, so it cannot be recovered without the attackers' private key):

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

Encrypted files keep their original name and extension; only the content is modified.

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
The data protection feature of the SAFE Agent protects data files against malicious access.


Events log deletion and reboot

After encryption, the malware clears the Setup, System, Security and Application event logs and deletes the NTFS USN change journal to hinder forensic analysis, using the following command line:

cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D <Drive Letter>:

After the cleanup, the program schedules a system reboot so that the new MBR takes control.
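As an added example (not part of the original analysis), the following Python script turns the command lines quoted in this section and in the PsExec/WMI section into detection rules and runs them over a few constructed process-creation events. The event format (timestamp|host|command line, as one would export the CommandLine field of Sysmon event 1) and the rule names are assumptions; the patterns themselves come from the command lines shown on this page.

```python
import re

# Detection rules derived from the command lines quoted in the analysis.
# Rule ids are assumptions made for this example.
RULES = [
    # rundll32 loading a DLL by export ordinal #1 (how perfc.dll is started)
    ("rundll32_ordinal1",
     re.compile(r'rundll32(\.exe)?\s+\\?"?[^",]+?\\?"?\s*,?\s*#1\b', re.I)),
    # PsExec dropped under a misleading name
    ("psexec_renamed_dllhost_dat",
     re.compile(r'\\dllhost\.dat\b', re.I)),
    # PsExec remote execution as SYSTEM without waiting (\\target -accepteula -s -d)
    ("psexec_remote_exec",
     re.compile(r'\\\\\S+\s+-accepteula\s+-s\s+-d\s+', re.I)),
    # WMIC process creation on a remote node with explicit credentials
    ("wmic_remote_process_create",
     re.compile(r'wmic(\.exe)?\s+/node:\S+.*?/user:\S+.*?/password:\S+.*?process\s+call\s+create', re.I)),
    # Event log clearing
    ("eventlog_clear",
     re.compile(r'wevtutil(\.exe)?\s+cl\s+(setup|system|security|application)\b', re.I)),
    # USN change journal deletion
    ("usn_journal_delete",
     re.compile(r'fsutil(\.exe)?\s+usn\s+deletejournal\s+/d\b', re.I)),
]

LATERAL_MOVEMENT = {"psexec_remote_exec", "wmic_remote_process_create", "psexec_renamed_dllhost_dat"}
ANTI_FORENSICS = {"eventlog_clear", "usn_journal_delete"}


def match_rules(command_line):
    """Return the ids of all rules matching one command line, in rule order."""
    return [rule_id for rule_id, pattern in RULES if pattern.search(command_line)]


def scan(events):
    """Run the rules over 'timestamp|host|command line' records (constructed format).

    Returns a list of (timestamp, host, [rule ids]) for the records that matched.
    """
    hits = []
    for record in events:
        try:
            timestamp, host, command_line = record.split("|", 2)
        except ValueError:
            continue  # malformed record: skip it rather than abort the sweep
        matched = match_rules(command_line)
        if matched:
            hits.append((timestamp.strip(), host.strip(), matched))
    return hits


def hosts_with_full_chain(hits):
    """Hosts where both remote execution and log clearing were seen: the
    combination is far more specific than either indicator alone."""
    per_host = {}
    for _timestamp, host, matched in hits:
        per_host.setdefault(host, set()).update(matched)
    return sorted(h for h, r in per_host.items() if r & LATERAL_MOVEMENT and r & ANTI_FORENSICS)


# Constructed sample events, not real telemetry. IPs and host names are invented.
SAMPLE_EVENTS = [
    r"2017-06-27T10:31:02Z|WKS-014|C:\Windows\System32\rundll32.exe C:\Windows\perfc.dll,#1",
    r'2017-06-27T10:31:05Z|WKS-014|C:\Windows\dllhost.dat \\10.0.0.12 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dll",#1',
    r'2017-06-27T10:31:09Z|WKS-014|C:\Windows\System32\Wbem\Wmic.exe /node:10.0.0.13 /user:CORP\admin /password:Hunter2 process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dll\" #1"',
    r"2017-06-27T10:44:51Z|WKS-014|cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:",
    r"2017-06-27T10:45:00Z|WKS-014|C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for timestamp, host, matched in scan(SAMPLE_EVENTS):
        print(timestamp, host, ", ".join(matched))
    print("full chain on:", hosts_with_full_chain(scan(SAMPLE_EVENTS)))
```

The rundll32 rule on its own is noisy in some environments (legitimate software also calls DLL exports by ordinal), which is why the last function only reports hosts where a remote-execution indicator and an anti-forensic indicator coincide.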

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
The SAFE Agent limits access to Cmd and other administration tools to prevent malicious activities.


Ransom

After the reboot, if the MBR was successfully replaced, a fake CHKDSK screen is shown to the user while the malicious boot loader encrypts the Master File Table (MFT), the NTFS structure that holds the metadata of every file on the volume:

Figure: fake CHKDSK screen displayed by the NotPetya boot loader

After a few seconds, the ransom note is displayed on the screen:

Figure: MBR ransom note of NotPetya

If Kaspersky Anti-Virus was found in the process list, the first ten sectors were overwritten instead and the system no longer boots:

Figure: result of the wipe
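The following Python example is added here and is not part of the original analysis. It shows how an analyst can tell the two outcomes apart on a raw image of the first physical drive: an MBR rewritten by the ransom boot loader (boot code changed, partition table and 0x55AA signature kept) versus the ten-sector wipe. The disk images and the boot code bytes are constructed stand-ins, and the assumption that a replaced MBR preserves the partition table is what makes a comparison against a known-good boot code necessary.

```python
"""Triage of the first sectors of a disk image after a NotPetya incident.

Added example, not code from the original analysis. It inspects the first
ten 512-byte sectors (the region the analysis says is overwritten when
Kaspersky is present) and distinguishes an untouched MBR, an MBR whose boot
code was replaced, and a wiped region. Images below are constructed in-line.
"""

SECTOR = 512
REGION = 10 * SECTOR          # the first ten sectors
BOOT_CODE_LEN = 440           # boot code precedes the disk signature at offset 440
PART_TABLE = 446              # four 16-byte partition entries start here
PART_TYPE_OFF = 4             # partition type byte inside an entry


def mbr_is_well_formed(mbr):
    """A usable MBR ends with 0x55AA and has at least one non-empty partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        return False
    return any(mbr[PART_TABLE + 16 * i + PART_TYPE_OFF] != 0 for i in range(4))


def classify_boot_region(image, known_good_boot_code=None):
    """Classify the first ten sectors of a raw disk image.

    Returns one of: 'wiped', 'corrupted', 'bootloader replaced', 'intact'.
    Without a known-good boot code a replaced boot loader is reported as intact,
    because the partition table and signature it keeps look perfectly valid.
    """
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    head = image[:REGION]
    # A wiper that overwrites the sectors with a constant leaves a single byte value.
    if len(set(head)) == 1:
        return "wiped"
    mbr = head[:SECTOR]
    if not mbr_is_well_formed(mbr):
        return "corrupted"
    if known_good_boot_code is not None and mbr[:BOOT_CODE_LEN] != known_good_boot_code:
        return "bootloader replaced"
    return "intact"


def build_mbr(boot_code, start_lba=2048, sectors=0x100000, part_type=0x07):
    """Build a minimal MBR: given boot code, one NTFS partition entry, 0x55AA signature."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = boot_code
    entry = PART_TABLE
    mbr[entry + PART_TYPE_OFF] = part_type
    mbr[entry + 8:entry + 12] = start_lba.to_bytes(4, "little")   # first LBA
    mbr[entry + 12:entry + 16] = sectors.to_bytes(4, "little")    # sector count
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed stand-ins: a few opening bytes typical of a Windows MBR, padded with
# NOPs, versus arbitrary foreign code. Neither is a real boot loader.
GOOD_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8" + b"\x90" * (BOOT_CODE_LEN - 11)
FOREIGN_BOOT_CODE = b"\xEB\x3C\x90" + b"\xCC" * (BOOT_CODE_LEN - 3)

REST = b"\x00" * (REGION - SECTOR)   # sectors 1..9, normally unused on an MBR disk

INTACT_IMAGE = build_mbr(GOOD_BOOT_CODE) + REST
REPLACED_IMAGE = build_mbr(FOREIGN_BOOT_CODE) + REST
WIPED_IMAGE = b"\x00" * REGION

if __name__ == "__main__":
    for name, img in [("intact", INTACT_IMAGE), ("replaced", REPLACED_IMAGE), ("wiped", WIPED_IMAGE)]:
        print(name, "->", classify_boot_region(img, GOOD_BOOT_CODE))
```

On a real case the known-good boot code comes from a clean machine of the same build, or from the backup of sector 0 that imaging tools keep; the comparison is only as good as that reference.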

If the MBR could not be modified, a plain-text ransom note is dropped on each drive affected by the encryption step:

Figure: ransom note file dropped by NotPetya

The ransom note asks for $300 to decrypt the files, to be paid to a single bitcoin address given in the note:

As of July 2017, this address had received about four bitcoins, roughly $8,000, thirteen times less than WannaCry collected.


Conclusion

Like WannaCry, this ransomware uses the recent EternalBlue exploit to spread on the local network, targeting the DHCP range and the connected network resources. The exploit only works on unpatched computers; in addition, the malware uses legitimate Microsoft tools, PsExec and WMI, to execute itself on reachable computers even when they are patched against EternalBlue. This lateral movement relies on the embedded minimal Mimikatz implementation to steal every credential found on the infected computer.

Thanks to the multi-layered protection provided by the SAFE product, NotPetya was caught and blocked by our Agent. The combination of our technologies allows us to provide the best protection against ransomware and other cyberattacks.