Petya NotPetya Quick and Dirty Analysis

I'll leave the detailed version to hasherezade :)
This is a quick look at what the malware is about and what functions it uses.

Looks for physical drives on the infected computer.



Here's the bundled-in psexec, as dllhost.dat:

Here's another PE, looks like used to launch the runndll32.exe as perfc.dat:


Infection starts.



dllhost.dat > PsExec




System restart.

Encryption.














Provider: MS RSA AES


 This is where it starts in user-land.


All the familiar messages.





And here's all the WMI stuff.
Also, note that rundll32.exe is called by '%s' - perfc.dat in this case.










Running PSExec on the entire subnet, after accepting the EULA of course :)


 Extensions to be encrypted.





Looks out for the extensions it wants to encrypt (hard-coded, different to the ones seen earlier in Petya mid-2016).


Encryption part.












And here are all the encryption functions that are called.

Like I said earlier, this is a quick look into the malware not a detailed analysis. But it should give you some insight into how it works.


No comments:

Powered by Blogger.