{"id":49783,"date":"2017-07-03T11:49:32","date_gmt":"2017-07-03T06:19:32","guid":{"rendered":"https:\/\/www.vskills.in\/certification\/blog\/?p=49783"},"modified":"2024-04-03T13:22:11","modified_gmt":"2024-04-03T07:52:11","slug":"notpetya-technical-analysis","status":"publish","type":"post","link":"https:\/\/www.vskills.in\/certification\/blog\/notpetya-technical-analysis\/","title":{"rendered":"NotPetya Technical Analysis"},"content":{"rendered":"

\"\"<\/a><\/p>\n

NotPetya Technical Analysis<\/h1>\n

NotPetya (or \u201cNyetna\u201d as it has also been named) spreads to other systems on the network without use of the ETERNALBLUE\/ETERNALROMANCE SMBv1 exploits. (Although the code contains the ability to spread by this exploit as well, so patching is still imperative).<\/p>\n

The malware harvests SMB and user credentials from the infected host and uses those credentials to connect to other systems on the network, propagating the malware. Therefore, it potentially only takes one infected machine in an organization to take down all systems in the network. In this post, we will go more into depth on the functionality and destructive capabilities of NotPetya.<\/p>\n

Disk Destruction – NotPetya Technical Analysis<\/h3>\n

Although initially labeled as ransomware due to the ransom message that is displayed after infection, it appears now that NotPetya functions more as a destructive wiper-like tool than actual ransomware.<\/p>\n

Initially, analysis showed many similarities with Petya ransomware samples from 2016, but further research indicated the malware had been modified to cause data destruction. NotPetya overwrites sectors of the physical hard drive and C: volume, but does not contain the ability to restore the files, rendering recovery impossible even if the ransom is paid.<\/p>\n

Using the Windows API DeviceIoControl, the malware is able to obtain direct read and write access to the physical hard drive, without interaction with the operating system (provided it has the proper administrative permissions).<\/p>\n

This allows the code to determine the number of disks and partitions on the system, unmount a mounted volume (even if in use), and determine the drive geometry for the drives on the system (i.e., the number of sectors, bytes per sector, etc.). The malware uses this access to destroy data critical to the operating system. NotPetya also has the ability to replace the OS bootloader with custom code embedded in the binary.<\/p>\n

NotPetya \u201cVaccine\u201d or \u201cKill Switch\u201d – NotPetya Technical Analysis<\/h3>\n

NotPetya contains a check upon initial execution that attempts to determine whether the victim system has already been infected. It has been stated that creating a file named \u201cperfc\u201d or \u201cperfc.dat\u201d in the root of the hard drive will cause the malware to halt execution, touting this as a \u201cvaccine\u201d or \u201ckill switch\u201d to prevent the spread of the malware.<\/p>\n

However, while the original name of the file was \u201cperfc.dat\u201d and so this check will work successfully to prevent execution of this variant, a simple file name change will render this protection useless.<\/p>\n

NotPetya Analysis and Techniques<\/h3>\n

The analyzed samples of NotPetya are 32-bit Windows DLLs with an original file name of \u201cperfc.dat.\u201d Although the initial infection vector has not been confirmed, there is evidence that the updater process of the Ukrainian tax software MEDoc was responsible for execution of some of the initial infections.<\/p>\n

As noted before, although the malware can utilize the SMBv1 exploit to spread to unpatched machines, it also contains other propagation techniques capable of infecting even patched machines. This is critical to note, as means that just one infected system on a network can spread across the enterprise. The methods of propagation discussed below are as follows:<\/p>\n

Exploitation of machines vulnerable to the ETERNALBLUE\/ETERNALROMANCE SMVv1 exploit
\nUsing harvested credentials from the victim system to infect systems on the network by logging into SMB (any version) shares on the remote system<\/p>\n

Unlike Windows executables, DLLs such as the NotPetya sample contain \u201cexport functions\u201d that are called by external programs to execute functionality. These export functions are contained in a table within the DLL that lists the functions by name and \u201cordinal\u201d number.<\/p>\n

DLLs have a default export function, but in the case of perfc.dat, a call to this function will not execute the malware. Instead, the perfc.1 function must be called by ordinal rather than name, as seen below. Malware often employs this technique to hinder analysis efforts.<\/p>\n

C:\\Windows\\System32\\rundll32.exe “C:\\Windows\\perfc.dat”,#1<\/p>\n

Upon initial execution, perfc.dat performs a check for the following privileges of the running process.<\/p>\n

The malware sets a global flag that indicates which of these privileges are owned by the process. The privileges granted determine the path of code execution as it relates to the propagation, encryption, and wiping methodologies employed.<\/p>\n

After checking for privileges, the malware then enumerates all running processes on the victim, looking for three specific antivirus products: Kaspersky, Symantec, and Norton Security. The executable names are encrypted using a custom XOR algorithm.<\/p>\n

The result of this check determines the execution path of the malware during propagation to remote systems. The results from both the privilege check and the AV check are stored in bitmasked global variables for reference throughout the program. The flags indicating whether Kaspersky, Symantec, or Norton are running.<\/p>\n

After this flag value is set, the malware can determine which antivirus is installed by performing a bitwise AND operation on the flag with a constant. This method of \u201cbitmasking\u201d allows the malware to store multiple values in a single variable. For more information on this technique and how it is used by NotPetya, see the \u201cBitmasking\u201d section at the end of this post.<\/p>\n

The malware then checks privileges and performs the following if SeDebugPrivilege is granted:<\/p>\n