Malware Analysis Report: NotPetya

Executive Summary

Mitre Att&ck Matrix

Figure 1.1 — MITRE ATT&CK Navigator

Threat intel insights

Targets

Figure 2.1 — Percentage of NotPetya Infections per country

Motivations

Attributions

Technical Analysis

Main Malware

Exploits/Vulnerabilities and lateral movement

Figure 3.1 — IPC$ Functionality seen within NotPetya

Privilege escalation

Figure 4.1 — Showcasing GetTickCount, SeShutdownPrivilege, SeDebugPrivilege
Figure 4.2 — Showcasing DesiredAccess = TOKEN_ADJUST_PRIVILEGES

Network enumeration

Figure 5.1 — Showcasing IP, Subnet mask Collection
Figure 5.2 — Showcasing DhcpEnumSubnets, DhcpGetSubnetInfo

Resources analysis and examination

Figure 6.1 — Showcasing creation of new .tmp file and GUID
Figure 6.2 — Resource 3 Dllhost.dat creation
Figure 6.3 — Resource 4 SMB Payload

Remote execution

Encryption algorithms

Algorithms used: RSA and AES

Figure 7.1 — NotPetya Imports RSA-2048 public key and encrypts AES-128 key with the public key
Figure 7.2 — NotPetya releasing handle of AES-128 key
Figure 7.3 — README.txt Ransom Note

Destroying the master boot record

Figure 7.4 — Get System Directory, Open C Volume
Figure 7.5 — Read Partition Information
Figure 7.6 — Modify MBR and Dismount Volume

Forced System Shutdown and Anti-Analysis

Forced system shutdown

Figure 8.1 — Showcasing the schtasks command in Ollydbg

Anti-Analysis

Anti-reversing techniques

Anti-Antivirus checking

Figure 9.1 — NotPetya Checks the following AV products

Recommended Actions

Conclusion

Yara Signature

References

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.

Ben Lee