Malware Analysis Report: NotPetya

Executive Summary

NotPetya is a piece of malware first observed on 27 June 2017. It spread between Windows systems using, among other techniques, the SMBv1 exploit EternalBlue, which was originally developed by the National Security Agency (NSA). It encrypted data on compromised systems and, like ransomware, displayed a message demanding Bitcoin in exchange for a decryption key. However, it also overwrote the master boot record of infected disks so that the data could not be recovered, which is why the malware is classified as a wiper rather than true ransomware.

MITRE ATT&CK Matrix

Figure 1.1 — MITRE ATT&CK Navigator

Threat intelligence insights

Targets

The malware spread to and infected numerous systems around the globe, mainly in Ukraine, Russia and Eastern Europe. The majority of infections were in Ukraine, affecting Ukrainian businesses, state enterprises, banks, and transport and metro systems.

Figure 2.1 — Percentage of NotPetya Infections per country

Motivations

The threat actors established their initial infection vector by compromising the update mechanism of a third-party Ukrainian software product named MEDoc. MEDoc is tax-accounting software used by many Ukrainian businesses and by the government, financial and energy sectors. Given that delivery channel, the main motivation of the threat actors was clearly to disrupt, hinder and sabotage Ukrainian organisations and infrastructure in order to harm Ukraine’s economy.

Attributions

The US government has attributed NotPetya to Sandworm, a cyber-warfare group run by Russia’s military intelligence agency, the GRU (the Department of Justice indictment listed in the references names officers of GRU Unit 74455). The attack took place against the background of a long-running conflict between Russia and Ukraine, rooted in Ukraine’s moves towards closer trade and political ties with the European Union and in Russia’s annexation of Crimea in 2014.

Technical Analysis

Main Malware

The analysed sample, not_petya.exe, is the main payload and was delivered through a compromised update of the tax-accounting software MEDoc, which is used by many Ukrainian organisations. Once running it carries out a series of stages: privilege escalation, network enumeration and propagation, file encryption and MBR overwrite, a forced system shutdown, and anti-analysis techniques that make the malware harder to detect and analyse.

Exploits/Vulnerabilities and lateral movement

Figure 3.1 — IPC$ Functionality seen within NotPetya

Privilege escalation

The malware first records the system uptime in milliseconds via the GetTickCount API (Figure 4.1). It then attempts to raise its privileges by opening its own access token with DesiredAccess = TOKEN_ADJUST_PRIVILEGES (Figure 4.2) and enabling the SeShutdownPrivilege and SeDebugPrivilege token privileges:

Figure 4.1 — Showcasing GetTickCount, SeShutdownPrivilege, SeDebugPrivilege
Figure 4.2 — Showcasing DesiredAccess = TOKEN_ADJUST_PRIVILEGES
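The token-adjustment sequence behind Figures 4.1 and 4.2, written out as an added Python example (this is not the malware’s code and not from the original report; it uses the documented Win32 APIs through ctypes). `build_token_privileges`, `token_privileges_size` and `enable_privilege` are names chosen for this example. The structure layout is what AdjustTokenPrivileges expects and can be inspected on any platform; the `enable_privilege` call itself only works on Windows.

```python
"""Added example: the OpenProcessToken(TOKEN_ADJUST_PRIVILEGES) /
LookupPrivilegeValue / AdjustTokenPrivileges flow, one privilege per call."""
import ctypes
import sys

TOKEN_QUERY = 0x0008
TOKEN_ADJUST_PRIVILEGES = 0x0020      # the DesiredAccess value seen in Figure 4.2
SE_PRIVILEGE_ENABLED = 0x00000002
ERROR_NOT_ALL_ASSIGNED = 1300         # the privilege is not held by the token at all


class LUID(ctypes.Structure):
    _fields_ = [("LowPart", ctypes.c_uint32), ("HighPart", ctypes.c_int32)]


class LUID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Luid", LUID), ("Attributes", ctypes.c_uint32)]


class TOKEN_PRIVILEGES(ctypes.Structure):
    # Single-entry form: one privilege is enabled per AdjustTokenPrivileges call.
    _fields_ = [("PrivilegeCount", ctypes.c_uint32),
                ("Privileges", LUID_AND_ATTRIBUTES * 1)]


def build_token_privileges(low, high, enable=True):
    """Fill the TOKEN_PRIVILEGES block for one LUID, flagged enabled (or disabled)."""
    tp = TOKEN_PRIVILEGES()
    tp.PrivilegeCount = 1
    tp.Privileges[0].Luid.LowPart = low
    tp.Privileges[0].Luid.HighPart = high
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED if enable else 0
    return tp


def token_privileges_size():
    """Size in bytes of the single-entry structure (DWORD + one 12-byte entry)."""
    return ctypes.sizeof(TOKEN_PRIVILEGES)


def enable_privilege(name):
    """Enable e.g. 'SeDebugPrivilege' in the current process token.

    Returns True only if the privilege is really enabled: AdjustTokenPrivileges
    returns TRUE even when it silently skipped a privilege the token does not hold,
    so GetLastError() must be checked for ERROR_NOT_ALL_ASSIGNED as well.
    """
    if sys.platform != "win32":
        raise OSError("needs advapi32/kernel32; run on Windows")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                          ctypes.POINTER(ctypes.c_void_p)]
    advapi32.LookupPrivilegeValueW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p,
                                               ctypes.POINTER(LUID)]
    advapi32.AdjustTokenPrivileges.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                               ctypes.POINTER(TOKEN_PRIVILEGES),
                                               ctypes.c_uint32, ctypes.c_void_p,
                                               ctypes.c_void_p]

    kernel32.GetTickCount()           # the uptime read of Figure 4.1 precedes the token work
    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                     ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        luid = LUID()
        if not advapi32.LookupPrivilegeValueW(None, name, ctypes.byref(luid)):
            raise ctypes.WinError(ctypes.get_last_error())
        tp = build_token_privileges(luid.LowPart, luid.HighPart)
        ok = advapi32.AdjustTokenPrivileges(token, 0, ctypes.byref(tp), 0, None, None)
        return bool(ok) and ctypes.get_last_error() != ERROR_NOT_ALL_ASSIGNED
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__" and sys.platform == "win32":
    for priv in ("SeShutdownPrivilege", "SeDebugPrivilege"):
        print(priv, enable_privilege(priv))
```

SeDebugPrivilege is only present in tokens of administrators, so for a standard user the call "succeeds" with ERROR_NOT_ALL_ASSIGNED; that distinction is what the return value above captures.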

Network enumeration

The malware gathers network and host information on the infected machine, such as IP addresses, subnet masks, the computer name and the Windows version (Figure 5.1), and queries DHCP subnet ranges via DhcpEnumSubnets and DhcpGetSubnetInfo (Figure 5.2). It then creates a thread via the CreateThread API that tests whether the discovered hosts accept connections on SMB port 445.

Figure 5.1 — Showcasing IP, Subnet mask Collection
Figure 5.2 — Showcasing DhcpEnumSubnets, DhcpGetSubnetInfo
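How the IP address and subnet mask collected in Figure 5.1 translate into a list of port-445 targets, as an added Python example (not the malware’s code and not from the original report). The addresses are constructed, and `smb_candidates`, `smb_port_open` and `sweep` are this example’s own names; the DHCP subnet lookups of Figure 5.2 are not reproduced because they need a DHCP server to query.

```python
"""Added example: from (ip, mask) to the hosts a port-445 scanning thread would probe."""
import ipaddress
import itertools
import socket

SMB_PORT = 445


def smb_candidates(ip, mask, limit=4096):
    """Hosts in the local subnet other than ourselves, in address order.

    `limit` caps the result so a large lease (a /8, say) does not become
    millions of probes; the malware's own scan is bounded by the same arithmetic.
    """
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    own = ipaddress.ip_address(ip)
    others = (h for h in net.hosts() if h != own)
    return [str(h) for h in itertools.islice(others, limit)]


def smb_port_open(host, port=SMB_PORT, timeout=0.5):
    """Plain TCP connect probe: True if something accepts on the port.

    No SMB negotiation is attempted, which is all a reachability check needs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(ip, mask, probe=smb_port_open):
    """Candidates whose port 445 accepts a connection.

    `probe` is injectable so the selection logic can be exercised offline.
    """
    return [h for h in smb_candidates(ip, mask) if probe(h)]


if __name__ == "__main__":
    # Constructed interface values standing in for what Figure 5.1 reads from the host.
    print(smb_candidates("192.168.10.57", "255.255.255.0")[:5])
```

A /24 yields 253 other hosts, so a single infected workstation on a typical office subnet generates a few hundred connection attempts to port 445 in quick succession; that burst is the network-level signal of the propagation thread.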

Resources analysis and examination

NotPetya carries several embedded resources, which can be extracted with Resource Hacker. The figures below show the resources of interest: the creation of a new .tmp file with a GUID-based name, resource 3, which is written to disk as dllhost.dat, and resource 4, the SMB exploitation payload:

Figure 6.1 — Showcasing creation of new .tmp file and GUID
Figure 6.2 — Resource 3 Dllhost.dat creation
Figure 6.3 — Resource4 SMB Payload

Remote execution

The malware uses the following command to execute its payload on the remote machines it has reached over the network:

Encryption algorithms

Algorithms used: RSA-2048 and AES-128

RSA is an asymmetric algorithm: data encrypted with the public key can only be decrypted with the corresponding private key. AES is a symmetric algorithm that uses the same key for encryption and decryption. NotPetya combines the two: it generates an AES-128 key to encrypt files, then encrypts that AES key with an embedded RSA-2048 public key (Figure 7.1), so only the holder of the matching private key can recover the AES key, and the AES key handle is released once it has been used (Figure 7.2).

Figure 7.1 — NotPetya Imports RSA-2048 public key and encrypts AES-128 key with the public key
Figure 7.2 — NotPetya releasing handle of AES-128 key
Figure 7.3 — README.txt Ransom Note
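The hybrid scheme of Figures 7.1 and 7.2, as an added Python example using the `cryptography` library (this is not the malware’s code and not from the original report). The key pair, the plaintext and the helper names are this example’s own; PKCS#1 v1.5 is assumed here as the key-wrapping padding that stands in for the CryptoAPI key export seen in the sample.

```python
"""Added example: AES-128 file encryption with the AES key wrapped by an RSA-2048 public key."""
import os

from cryptography.hazmat.primitives import padding, serialization
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def attacker_keypair():
    """Attacker side: the private key never leaves here; only the public PEM is embedded."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, public_pem


def encrypt_file_body(public_pem, plaintext):
    """Victim side: import the embedded public key, encrypt with a fresh AES-128 key,
    wrap that key with RSA, then discard the key (the handle release of Figure 7.2).
    Returns (iv + ciphertext, wrapped_key)."""
    public_key = serialization.load_pem_public_key(public_pem)   # "imports RSA-2048 public key"
    aes_key = os.urandom(16)                                      # AES-128 session key
    iv = os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    wrapped = public_key.encrypt(aes_key, asym_padding.PKCS1v15())  # assumption: v1.5 wrapping
    del aes_key                        # nothing on the victim can recover it from here on
    return iv + ciphertext, wrapped


def decrypt_file_body(private_key, blob, wrapped):
    """Only the private-key holder can unwrap the AES key and decrypt."""
    aes_key = private_key.decrypt(wrapped, asym_padding.PKCS1v15())
    iv, ciphertext = blob[:16], blob[16:]
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def can_decrypt(private_key, blob, wrapped):
    """False when the wrong private key is used: the unwrap fails before AES runs."""
    try:
        decrypt_file_body(private_key, blob, wrapped)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    priv, pub_pem = attacker_keypair()
    blob, wrapped = encrypt_file_body(pub_pem, b"constructed sample file body")
    print(len(wrapped), can_decrypt(priv, blob, wrapped))
```

The wrapped key is always 256 bytes (the RSA modulus size), which is the one piece of data a genuine ransomware operator needs back from the victim; everything else on the disk is useless without the private key.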

Destroying the master boot record

The malware retrieves the system directory, opens the C: volume and the physical drive behind it, and calls the DeviceIoControl API with the control code IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS to learn which physical disk, and which offset on it, backs the volume (Figures 7.4 and 7.5). With that it reads the partition information, overwrites the master boot record and dismounts the volume (Figure 7.6).

Figure 7.4 — Get System Directory, Open C Volume
Figure 7.5 — Read Partition Information
Figure 7.6 — Modify MBR and Dismount Volume
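What an analyst can do with the sector the malware targets in Figures 7.4 to 7.6, as an added Python example (not the malware’s code and not from the original report): parse a 512-byte MBR, keep a hash of the boot-code region, and flag an overwrite that leaves the partition table and boot signature intact. The sample MBR is constructed inline; `read_mbr`, `parse_mbr`, `overwrite_boot_code` and `boot_code_changed` are this example’s own names.

```python
"""Added example: MBR layout parsing and boot-code tamper detection."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code the malware replaces
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_mbr(device):
    """First sector of a raw device: r'\\.\PhysicalDrive0' on Windows (needs admin),
    '/dev/sda' on Linux (needs root)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(sector):
    """Return signature validity, the non-empty partition entries and a boot-code hash."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
    }


def overwrite_boot_code(sector, new_code):
    """Model the overwrite of Figure 7.6: replace the boot code only, so the partition
    table and 0x55AA signature still look healthy to a quick inspection."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 446 bytes")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def boot_code_changed(sector, baseline_sha256):
    """Compare the boot-code region against a hash recorded from a known-good image."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def build_sample_mbr():
    """Constructed sample: a placeholder boot stub and one bootable NTFS partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    bad = overwrite_boot_code(good, b"\xeb\xfe")      # constructed stand-in for a malicious loader
    print(parse_mbr(bad)["partitions"], boot_code_changed(bad, baseline))
```

Recording the boot-code hash of gold images and comparing it during triage catches this class of overwrite even when the partition table and signature still parse cleanly, which is exactly the case the malware creates.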

Forced System Shutdown and Anti-Analysis

Forced system shutdown

The malware reads the current local time and the system uptime via the GetLocalTime and GetTickCount APIs. It then runs the following schtasks command through cmd.exe to schedule a forced system shutdown/reboot up to 60 minutes after the time it was executed on the machine:

Figure 8.1 — Showcasing the schtasks command in Ollydbg

Anti-Analysis

The malware also makes it harder for analysts and users to reconstruct what happened on an infected machine by clearing the Windows event logs before the forced shutdown/reboot. It runs the following command through cmd.exe to clear the logs:

Anti-reversing techniques

Anti-Antivirus checking

NotPetya checks for the presence of particular anti-virus products by looking for their processes on the system (Figure 9.1). If one of these processes is found, parts of the malware’s functionality, such as the encryption stage or network propagation via the EternalBlue SMB exploit, are skipped.

Figure 9.1 — NotPetya Checks the following AV products

Recommended Actions

There are a number of ways to prevent NotPetya from spreading to other networks and machines and to mitigate its impact.

Conclusion

NotPetya is a highly complex piece of malware that was used to successfully target multiple Ukrainian organisations and businesses.

Yara Signature

rule Notpetya

References

· https://www.justice.gov/opa/press-release/file/1328521/download

Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.