Malware Analysis Report: NotPetya

Executive Summary

Mitre Att&ck Matrix

Figure 1.1 — MITRE ATT&CK Navigator

Threat intel insights

Figure 2.1 — Percentage of NotPetya Infections per country

Technical Analysis

Exploits/Vulnerabilities and lateral movement

Figure 3.1 — IPC$ Functionality seen within NotPetya

Privilege escalation

Figure 4.1 — Showcasing GetTickCount, SeShutdownPrivilege, SeDebugPrivilege
Figure 4.2 — Showcasing DesiredAccess = TOKEN_ADJUST_PRIVILEGES

Network enumeration

Figure 5.1 — Showcasing IP, Subnet mask Collection
Figure 5.2 — Showcasing DhcpEnumSubnets, DhcpGetSubnetInfo

Resources analysis and examination

Figure 6.1 — Showcasing creation of new .tmp file and GUID
Figure 6.2 — Resource 3 Dllhost.dat creation
Figure 6.3 — Resource4 SMB Payload

Remote execution

Encryption algorithms

Figure 7.1 — NotPetya Imports RSA-2048 public key and encrypts AES-128 key with the public key
Figure 7.2 — NotPetya releasing handle of AES-128 key
Figure 7.3 — README.txt Ransom Note
Figure 7.4 — Get System Directory, Open C Volume
Figure 7.5 — Read Partition Information
Figure 7.6 — Modify MBR and Dismount Volume

Forced System Shutdown and Anti-Analysis

Figure 8.1 — Showcasing the schtasks command in Ollydbg

Anti-reversing techniques

Figure 9.1 — NotPetya Checks the following AV products

Recommended Actions

Conclusion

Yara Signature

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store