ASB-2017.0093.2 - UPDATE ALERT [Win] Ongoing ransomware campaign with worm capabilities "Petya" 2017-06-28


                         AUSCERT Security Bulletin

  A new Ransomware variant with worm like capabilities has infected many
          companies in Europe and a couple in the United States.
                               28 June 2017


        AusCERT Security Bulletin Summary

Product:              Microsoft Windows
Operating System:     Windows
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-0144 CVE-2017-0199 
Member content until: Friday, July 28 2017
Reference:            ASB-2017.0033.2

Revision History:     June 28 2017: Major updates and added Indicators of
                                    Compromise (IoC)
                      June 28 2017: Initial Release


        A new Ransomware variant with worm like capabilities has infected
        many companies in Europe and a couple in the United States.
        The media is calling it "Petya" but it is not similar to the Petya
        variants seen before. [1]
        Cisco's Talos group has given the following additional details on the
        propagation methods [6].
        "As part of the propagation process, the malware enumerates all visible 
        machines on the network via the NetServerEnum and then scans for an open
        TCP 139 port. This is done to compile a list of devices that expose this
        port and may possibly be susceptible to compromise.
        The malware has three mechanisms used to propagate once a device is 
        EternalBlue - the same exploit used by WannaCry.
        Psexec - a legitimate Windows administration tool.
        WMI - Windows Management Instrumentation, a legitimate Windows 
        These mechanisms are used to attempt installation and execution of 
        perfc.dat on other devices to spread laterally.
        For systems that have not had MS17-010 applied, the EternalBlue exploit
        is leveraged to compromise systems. We have written about this 
        previously in our coverage of WannaCry.
        Psexec is used to execute the following instruction (where w.x.y.z is an
        IP address) using the current user's windows token to install the 
        malware on the networked device. Talos is still investigating the 
        methods in which the "current user's windows token" is retrieved
        from the machine.
        C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1
        WMI is used to execute the following command which performs the same 
        function as above, but using the current user's username and password 
        (as username and password). Talos is still investigating how the 
        credentials are retrieved from the machine at this time.
        Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"


        According to our colleagues at BI.ZONE-CERT and the Hybrid Analysis
        report of the malware sample [2]:
        "The malware clears system logs using the following command:
        "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security &
        wevtutil cl Application & fsutil usn deletejournal /D %c:" to make
        further analysis more difficult.
        It also writes its code to Hard Drive MBR, initiates system reload and
        adds reload commands to Windows planner ("schtasks" and "at").
        After the system is reloaded the malware downloads its code from MBR
        and encrypts data on the hard drive (File allocation table is
        encrypted; we are currently investigating what else is being encrypted).
        If the computer is shut down before the reload, MBR can be
        reestablished with the "bootrec /FixMbr" command (in Vista+; for Windows
        XP "fixmbr" can be used).
        In case the privileges are not high enough to rewrite MBR, the files
        are encrypted without a system reload. The list of file types that
        are encrypted:
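The following is an added example and is not part of the AusCERT bulletin or of the Talos and BI.ZONE reports it quotes. It is a PowerShell function that scans process-creation command lines (as collected from Security event 4688 or Sysmon event 1; the collection step itself is not shown) for the PsExec and WMI invocations quoted from Talos above and for the wevtutil/fsutil log-clearing chain reported by BI.ZONE. The sample command lines, the IP addresses and the user name in them are constructed for the example.

```powershell
# Added example (not from the AusCERT bulletin or the Talos/BI.ZONE reports).
# Scans process-creation command lines for the lateral-movement and log-clearing
# commands quoted in the bulletin. Input: strings from Security 4688 / Sysmon 1.

function Get-PetyaCommandLineMatches {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$CommandLine
    )
    begin {
        # Regexes derived from the commands quoted in the bulletin (matched case-insensitively).
        # Single-quoted strings keep backslashes literal, so '\\\\' is a regex for two backslashes.
        $rules = @(
            @{ Name  = 'PsExec lateral move: dllhost.dat \\host -accepteula ... rundll32 perfc.dat,#1'
               Regex = 'dllhost\.dat\s+\\\\\S+.*-accepteula.*rundll32\.exe.*perfc\.dat,\s*#1' }
            @{ Name  = 'WMI lateral move: wmic /node ... process call create ... rundll32 perfc.dat'
               Regex = 'wmic\.exe\s+/node:.*process\s+call\s+create.*rundll32\.exe.*perfc\.dat' }
            @{ Name  = 'Anti-forensics: wevtutil cl <log> ... fsutil usn deletejournal'
               Regex = 'wevtutil\s+cl\s+\w+.*fsutil\s+usn\s+deletejournal' }
            @{ Name  = 'Generic: rundll32 loading perfc.dat export #1'
               Regex = 'rundll32\.exe.*perfc\.dat.*#1' }
        )
    }
    process {
        foreach ($line in $CommandLine) {
            $hits = @($rules | Where-Object { $line -imatch $_.Regex })
            if ($hits.Count -gt 0) {
                # One result per command line, listing every rule that fired.
                [pscustomobject]@{
                    Rules       = (($hits | ForEach-Object { $_.Name }) -join ' | ')
                    CommandLine = $line
                }
            }
        }
    }
}

# Constructed sample command lines (not real telemetry): three modelled on the
# bulletin's quoted commands, two benign uses of the same binaries.
$samples = @(
    'C:\WINDOWS\dllhost.dat \\10.0.0.7 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1'
    'Wbem\wmic.exe /node:"10.0.0.8" /user:"corp\jdoe" /password:"x" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'
    'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:'
    'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'
    'wmic.exe os get caption'
)

# Expected: the first three samples are reported, the last two are not.
$samples | Get-PetyaCommandLineMatches | Format-List
```

The generic rundll32/perfc.dat rule deliberately overlaps the two lateral-movement rules so that a variant which changes the remote-execution tool but keeps the payload name is still reported; the log-clearing rule keys on the combination of wevtutil cl and fsutil usn deletejournal, which legitimate administration rarely chains in one command line.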


        Most Anti-Virus vendors now have signatures for this ransomware sample
        but other samples with similar characteristics may not have proper
        detection rates. [3]
        We recommend patching the MS17-010 (CVE-2017-0144) vulnerability on
        all your Windows machines if this has not been done yet. [4]
        Microsoft has also advised on how to disable SMBv1, which can be
        an additional mitigation. [5]
        A potential (unverified by AusCERT) kill switch has been found within
        the samples:
        The creation of the file "C:\Windows\perfc". [7]
        Additional information shows that the kill switch requires the following:
        "Simply, all that is needed are 3 files 
        (perfc, perfc.dll, and perfc.dat) to already exist on the Windows 
        machine, under C:\Windows, with READONLY permissions." [8]
        We would like to stress that paying the ransom will not result in the
        decryption key being handed over.
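An added example, not from the AusCERT bulletin: a PowerShell script, to be run elevated, that creates the three perfc kill-switch files described in [8] under %WINDIR% with the read-only attribute, disables SMBv1 on the SMB server as described in [5], and reports whether the MS17-010 hotfixes are installed. Get-SmbServerConfiguration and Set-SmbServerConfiguration require Windows 8 / Server 2012 or later; the KB identifiers for MS17-010 differ per OS version and are not given in this bulletin, so the placeholder list must be filled in from [4]. The kill switch remains unverified, as the bulletin states; the script treats it as an addition to patching, not a replacement.

```powershell
# Added example (not from the AusCERT bulletin). Applies the host-level
# mitigations listed in the bulletin. Run in an elevated session; use -WhatIf
# on the two Set-/Disable- functions to preview changes without making them.

function Set-PetyaKillSwitchFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$WindowsDir = $env:WINDIR)   # normally C:\Windows

    # Per [8]: perfc, perfc.dll and perfc.dat must exist under C:\Windows, read-only.
    foreach ($name in 'perfc', 'perfc.dll', 'perfc.dat') {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            if ($PSCmdlet.ShouldProcess($path, 'Create empty kill-switch file')) {
                New-Item -ItemType File -Path $path -Force | Out-Null
            }
        }
        if (Test-Path -LiteralPath $path) {
            if ($PSCmdlet.ShouldProcess($path, 'Set read-only attribute')) {
                Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
            }
        }
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path     = $path
            Exists   = ($null -ne $item)
            ReadOnly = if ($item) { $item.IsReadOnly } else { $false }
        }
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Server-side SMBv1 switch from Microsoft's article [5] (Windows 8 / 2012 and later).
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1 protocol')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }
    # $false once SMBv1 is disabled
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Get-Ms17010Status {
    # MS17-010 ships as different KBs per OS build. The default list is a PLACEHOLDER;
    # replace it with the KB ids for your build from the Microsoft bulletin [4].
    param([string[]]$ExpectedKb = @('KB_PLACEHOLDER_FROM_MS17-010_TABLE'))
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        MissingKb   = @($ExpectedKb | Where-Object { $_ -notin $installed })
        Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

# Preview first, then run again without -WhatIf to apply.
Set-PetyaKillSwitchFiles -WhatIf
Disable-Smb1Server -WhatIf
Get-Ms17010Status
```

Disabling SMBv1 on the server side stops the EternalBlue path only on the patched-or-disabled host; the PsExec and WMI paths use valid credentials over SMB/DCOM and are unaffected by it, which is why the bulletin lists the kill-switch files as a separate measure and why the detection of those command lines matters alongside the mitigation.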


        category             type         value                                                              comment
        Artifacts dropped    named pipe   {df458642-df8b-4131-b02d-32064a2f4c19}
        Payload delivery     sha256       02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f   64-bit EXE
        Payload delivery     sha256       eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998   32-bit EXE
        Payload delivery     sha256       64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1   main 32-bit DLL
        Payload delivery     sha256       027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745   main 32-bit DLL  =>  Ref: petwrap.exe
        Network activity     ip-dst
        Network activity     domain
        Network activity     ip-dst
        Network activity     domain
        Network activity     domain
        Network activity     ip-dst
        Network activity     ip-dst
        Payload delivery     filename     dllhost.dat
        Internal reference   text         "Initial Information provided by CIRCL.LU"
        Network activity     url          http[:]//french-cooking[.]com/myguy[.]exe                          Ref: myguy.xls
        Payload delivery     filename     myguy.xls
        Network activity     url          http[:]//84[.]200[.]16[.]242/myguy[.]xls                           Ref: Order-20062017.doc
        Payload delivery     filename     Order-20062017.doc
        Artifacts dropped    filename     myguy[1].hta
        Payload delivery     sha256       fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206   Ref: Order-20062017.doc
        Payload delivery     sha256       ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6   Ref: myguy.xls
        Artifacts dropped    filename     C:\0487382a4daf8eb9660f1c67e30f8b25.hta                            Ref: myguy.xls
        Payload delivery     filename     petwrap.exe                                                        Ref: Downloaded exe from activity of myguy.xls
        Artifacts dropped    filename     C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll   Ref: petwrap.exe
        External analysis    link                                                                            Ref: Order-20062017.doc
        Antivirus detection  link                                                                            Ref: Order-20062017.doc
        External analysis    link                                                                            Ref: myguy.xls
        Antivirus detection  link                                                                            Ref: myguy.xls
        External analysis    link                                                                            Ref: petwrap.exe
        Antivirus detection  link                                                                            Ref: petwrap.exe
        Network activity     url          http://84[.]200[.]16[.]242/Profoma[.]xls                           2nd Stage
        Network activity     url          http://84[.]200[.]16[.]242/Lucky[.]exe                             2nd Stage


        [1] Petya Ransomware Outbreak Goes Global

        [2] petwrap.exe

        [3] 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

        [4] Microsoft Security Bulletin MS17-010 - Critical

        [5] How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and
            Windows Server

        [6] Unverified kill switch for WMI pivot

        [7] PETYA KillSwitch

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

