Detecting “Petya/NotPetya” with RSA NetWitness® Endpoint and RSA NetWitness® Packets

By Alex Cox, Christopher Elisan and Erik Heuser, RSA Research

A Ransomware variant known as “Petya/NotPetya” began making the rounds on June 27, 2017. This ransomware takes a different approach to denying access to the victim’s files. Instead of the usual displaying of a message and letting the victim browse to really see that the target files are encrypted, this ransomware locks the user out of the whole system. It does so by modifying the system’s Master Boot Record (MBR) and making the first boot sector code jump to the malicious code. This is a classic trick employed by boot-sector malware. As a result, the system is under the control of the ransomware and cannot be rebooted back to the Microsoft Windows operating system.  

After every reboot or startup, the boot sector code is passed to the malware, displaying a splash page as seen in Figure 1.


Figure 1: “Petya/NotPetya” splash page

After the victim presses a key, it displays the message as seen in Figure 2.

Figure 2: “Petya/NotPetya” Ransomware

Unlike other ransomware attacks, wherein the victim can still use the system to purchase the decryption key, the only way for a “Petya/NotPetya” victim to do this is to use another system.

Infection Vector
RSA Research traced the initial infection vectors to these primary sources: 

  • A subverted update file for a Ukrainian accounting software package that is mandated for use by the Ukrainian Government, which infects the machine that pulls the subverted file from the software company’s update site.
  • Propagation via the EternalBlue (also used in WannaCry) and EternalRomance exploits.
  • Lateral movement via credentials stolen from the target host (on like configured hosts, this would allow infection of patched hosts).

“Petya/NotPetya” Dissected
Below is a detailed analysis of “Petya/NotPetya” ransomware.

Sample Metadata
File Name:   64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1.dll

File Size: 362360 bytes

MD5:       e285b6ce047015943e685e6638bd837e

SHA1:       9717cfdc2d023812dbc84a941674eb23a2a8ef06

PE Time:   0x5945EFBD [Sun Jun 18 03:13:01 2017 UTC]

Sections (5):

Name       Entropy    MD5

.text          6.55          ac2bb78f4833ba7912cc59cf212ccbe5

.rdata      6.99          dd0dc0f90617202ff84c3bfe64150483

.data       5.43           5216f0c62d1fd41b1d558e129e18d0fe

.rsrc        8.0            f07e68575f50a62382d99e182baa05d5

.reloc     4.77           facab7a1f0a7f93668b076a8c88dbb8f

“Petya/NotPetya” uses a single ordinal to begin execution and, as engineered, is tracked by RSA NetWitness® Endpoint. It immediately opens the disk and overwrites the MBR and the NTFS boot record (discussed below). It then schedules a task to shut down and reboot the computer exactly one hour after the malware first launched. There are no persistence mechanisms other than the MBR and NTFS boot record.

Figure 3 “Petya/NotPetya” Execution Process

RSA NetWitness Endpoint is also designed to discover floating DLL’s roughly the same size as the original DLL allocated inside the RunDLL32.exe’s address space and four suspicious threads. RSA NetWitness Endpoint is built to tag these as suspicious due to the allocated segments of memory having the execute bit turned on and not part of the regular code segments mapped into memory by the Windows loader. In fact, instead of shellcode, an entire DLL has been mapped and run.

Figure 4 Floating DLL with Suspicious Threads

By digging into the binary itself, we find code appearing to ask the discovered DHCP server, as well as the IP address information on the DHCP address range.

Figure 5 Enumeration of DHCP address space

This is detected in RSA NetWitness Endpoint and RSA NetWitness® Packet suite in several ways. RSA NetWitness Packet is designed to identify this as a rogue DHCP server given this behavior is uncommon for a client application.

Figure 6 Rogue DHCP Server

Figure 7 Malware Sending Request Parameter List Option

RSA NetWitness Endpoint is engineered to identify this through the SMB/RPC connections to all the machine IPs available in the DHCP servers’ configured range.

Figure 8 Network Tracking Data for NEW

RSA NetWitness Endpoint is also built to pull the MBR and the NTFS boot record to see the changes this malware has made. The MBR appears to be destroyed, the code areas, partition tables, boot signatures and other portions of the modern MBR are replaced with the Figure 9.

Figure 9 OverWritten MBR

This is an ongoing investigation, and more will be posted as we continue our research.


Learn more about RSA NetWitness Suite capabilities here, and how to mitigate outbreaks here.

No Comments