Author Archives: jeff

Petya Ransomware Information

Published / by jeff / Leave a Comment

#petya #petrWrap #notPetya


Ransomware attack.


This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners.
We are grateful for the help of all those who sent us the data, links and information.
Together we can make this world a better place!

Gist updates

Recent news, blog posts and mentions

Recent news from THN/Threatpost/Blogs

Research list

Helpful vaccine (not killswitch!)

Looks like if you block C:\Windows\perfc.dat from writing/executing - stops #Petya. Is used for rundll32 import.
Local kill switch - create file "C:\Windows\perfc"
It kills WMI vector. Still need to patch MS17-010 for full protection.


Group Policy Preferences to deploy the NotPetya vaccine

SCCM vaccine


Infected with #Petya? DON’T PAY RANSOM, You wouldn’t get your files back. Email used by criminals has been Suspended.

Bitcoin wallet monitoring


Archive password: virus

Thanks to the for the initial malware body.

Source code:

  • Archive password: virus

Thanks to the @Sn0wFX_:

Initial vector:

Ransomware includes:

  • Modified EternalBlue exploit
  • A vulnerability in a third-party Ukrainian software product
  • A second SMB network exploit

Origin (NO PROOF):

Petya was known to be RaaS (Ransomware-as-a-Service), selling on Tor hidden services. Looks like WannaCry copycat. Attribution will be hard.

AvP Bypass

Confirmed AvP bypasing trick is being used by Petya ransomware to evade 6 popular anti-virus signatures (script)



PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped and is legit PSEXEC bin

Remote WMI, “process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1”

Log clean, «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:»

Creates a scheduled task that reboots 1 hour after infection. If task removed before the hour, does not reschedule and can buy time

Petya also attempts to kill Exchange & MySQL if they are running.  If you host either of these services and notice them die, this is including in it's infection process (svchost.exe) // by Mike "Bones" Flowers:

Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im Microsoft.Exchange.*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im MSExchange*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlserver.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlwriter.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im mysqld.exe
The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)

Machines that are patched against these exploits (with security update MS17-010 or have disabled SMBv1 ( are not affected by this particular spreading mechanism

Test local account behavior [NOT TESTED]:

Don’t know if you have also noticed, but it only encrypted the MFT records for my test user account profile folders, the default Windows accounts Administrator, default user etc were all untouched, my test account was local so I don’t know what behaviour would be expected for domain account profile folders.

100% on the sample used by me and on a standalone computer, user files were encrypted prior to reboot and the malware was not able to escalate privileges to deploy the MFT encryption payload, no instructions were deposited about recovering these files

Possible IP addresses:

Email:         // by WhiteWolfCyber    // by WhiteWolfCyber      // by WhiteWolfCyber

Email forms and attachment:

The subject in this case are formed like that (for targed ""):

The body:
Hello targed.emailName,

You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089

With appreciation!

Attached file name:


Targeted extensions by @GasGeverij





Droppers sent via email by WhiteWolfCyber:


Codexgigas team:


SNORT rules for the detection by Positive Technologies (

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url,; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url,; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)

Sagan log analysis rules for the detection by Quadrant Information Security ( – Note: These are NOT Snort/Suricata rules! See for more details:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,; reference: url,; sid:5003121; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5e
cdc8; meta_nocase; classtype: trojan-activity; reference: url,; reference: url,; sid:5003122; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,; reference: url,; sid:5003123; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,; reference: url,; sid:5003124; rev:1;)


Fix suggest by @MrAdz350

If you can boot to a Windows ISO prior to Frist reboot you can use bootrec tool to prevent MBR overwriting as per

Information about MBRFilter

Just correlating all the useful information I can find with regards to the latest Petya Ransomware attack.


<Ignored Process>
 rundll32.exe C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1" (PID: 2880)
 cmd.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2724) 
 schtasks.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2720) 
 FE04.tmp %TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}" (PID: 1968) 
 dllhost.dat %WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"" (PID: 2512) 1/59 Seen in another context
 cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: (PID: 2072) 
 wevtutil.exe wevtutil cl Setup (PID: 2204) 
 wevtutil.exe wevtutil cl System (PID: 2128) 
 wevtutil.exe wevtutil cl Security (PID: 4016) 
 wevtutil.exe wevtutil cl Application (PID: 3988) 
 fsutil.exe fsutil usn deletejournal /D C: (PID: 1368) 
 shutdown.exe %WINDIR%\system32\shutdown.exe" /r /f" (PID: 2796)


Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)

Another good analysis from Kaspersky

How does the ransomware spread?

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, also used by WannaCry.
  • The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
  • An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

Schroedinger’s Pet(ya)


Cloaking Itself in Legitimate Code

Petya uses memory injection as an evasive technique to bypass existing defenses. Attackers often use this method to hide in legitimate processes on the endpoint by injecting malicious code into the memory of non-malicious applications. Sometimes referred to as fileless malware, these threats avoid being detected by file-based detection tools, as the malicious code manipulates the memory stack to achieve malicious actions without actually placing the malicious program on the file system.

In the case of Petya, the executable creates another instance of itself and injects decrypted code into it.



Google Capture the Flag 2017

Published / by jeff / Leave a Comment

Google has announced its capture the flag for 2017.  Offering rewards for the winners and also participation if you are creative with your write up for the challenges you complete, so this should give many more individuals a chance of getting something for their effort, other than the enjoyment of course.

Qualification starts on the 17th of June, whereas if you can score enough points you can be invited to the final which will be held at google where you are then competing in another exercise in order to be declared the winner.


Why do we host these competitions?

There are three main reasons why we host these competitions.

First, as we’ve seen with our Vulnerability Reward Program, the security community’s efforts help us better protect Google users, and the web as a whole. We’d like to give the people who solve a single challenge or two in a very clever way a chance to teach us and the security community, even if they don’t qualify for the finals. We also think that these challenges allows us to share with the world the types of problems our security team works on every day.


I do like these type of events as you get to see how creative people can be with problem solving, and usually many things we can learn from others as a result.


Patriotic Hackers

Published / by jeff / Leave a Comment

In what is somewhat of a mildly amusing statement, and I am sure not all of the conversation.  Suggests that its down to patriotic  individuals acting on behalf of themselves when they feel there are negative comments made about Russia.

It’s an interesting take on the subject.


Responding to a question about concerns in Germany that Russian hackers could meddle in that country’s upcoming federal elections, Putin said it was “theoretically possible” that “patriotic” hackers could attack those who “speak negatively about Russia.”

“At a government level, we are never engaged in this. That’s the most important thing,” Putin said at the televised meeting, which was held during Russia’s annual St. Petersburg International Economic Forum. He added that hackers could come “from any country in the world.”


Shadow Brokers Response Team – Retracted

Published / by jeff / Leave a Comment

As per my previous update, the idea behind what they wanted to do was a good one, but legally not so much.  Seems as humans we just cannot get around doing the right thing and being proactive.  We only understand how to react to when things go wrong.

Shadow Brokers Response Team

Published / by jeff / Leave a Comment


Q: What is going to be in the next dump?

TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for “I’ll show you mine if you show me yours first” is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking “Can my organization afford not to be first to get access to theshadowbrokers dumps?”


So the Shadowbrokers will be releasing more allegedly NSA tools this coming month, as referenced in this story –

They are asking for Zcash to be used to purchase access to these latest exploits, which is around the $20k or so.  Now based on what happened in early May with Wannacry and the impact we saw in the UK, this is a concern for us all.  It did not take long from the initial release for someone to take advantage of these tools and weaponize them that had a large scale impact.  The positive side of this, is that now I believe many companies have had a wake up call and have learnt some lessons with regards to patching their systems and paying attention to when the security guy’s tell them to keep software and operating systems updated.

So now we have a couple of weeks until more tools are going to be released, I’m a bit indifferent if I agree with the current thinking of paying to get access to these tools.  This is a sound idea.  Get access to the exploits, research and work with vendors for them to be fixed, that is very commendable.  However it does open up a whole host of ethics and are we essentially going to be held to ransom everytime this happens in the future?  I’m not quite sure if this is the right approach.  With that said, there is the link below to the patreon page, that has more information and you can donate to the cause if you wish.


The group calling itself the Shadow Brokers have released several caches of exploits to date. These caches and releases have had a detrimental outcome on the Internet at large, one leak especially resulted in the now in-famous WannaCry ransomware worm – others have been used by criminal crackers to illegally access infrastructure. Many have been analysing the data to determine its authenticity and impact on infrastructure, as a community it has been expressed that the harm caused by exploits could have been mitigated against had the Shadow Brokers been paid for their disclosures.


This is an interesting read, that alludes to that the NSA did inform microsoft once the EnternalBlue software was stolen from the NSA.


The consequences of the NSA’s decision to keep the flaw secret, combined with its failure to keep the tool secure, became clear Friday when reports began spreading of a massive cyberattack in which the WannaCry software encrypted data on hundreds of thousands of computers and demanded a ransom to decrypt it.



UIWIX Ransomware

Published / by jeff / Leave a Comment

It was just a matter of time until other organisations or individuals followed the path set by WannaCry last weekend.

Seems there is another variant of ransomware doing the rounds which is exploiting the same loop hole as WannaCry is using port 445 to enumerate and infect other machines on your internal and then external networks.  It is exploiting the same SMB vulnerability (MS17-010).

Mitigation – Just need to  make sure you have the latest updates from microsoft.

If you see traffic to these domains, its likely not good!


SMB Vulnerability MS17-010 NSE – Script to detect MS17-010 (WannaCry Ransomware)

Published / by jeff / Leave a Comment

This is taken from the nmap seclist page.  A script for nmap has been written that should allow you to scan your network to determine if its vulnerable.  It may not be perfect but I am sure it will help someone out there.
Hey list,

I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as 
expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 
authentication protocols with signing enabled).

Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable. 


description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
 execution vulnerability (ms2017-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and
 checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
 determine if the target is not patched against CVE2017-010.

Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with
 signing enabled.


Paulino Calderon Pale || @calderpwn on Twitter ||

WannaCrypt Ransomware Part 2

Published / by jeff / Leave a Comment

It seems the initial wave has been stopped by Researchers, and then we had another one as detailed in the link below.

More good information and I suggest reading through it all if you have not done so already.  This is a bad weekend for business and infrastructure that is using older systems, but its been a good weekend for the infosec community in coming together and helping and sharing alot of good information with each other.


There is a tool you can run on a host that will stop the ransomware from encrypting your machine, however it will still attempt to spread over your network.

Download Here



wcrypt activity map