Malware Analysis Report: NotPetya

Executive Summary

MITRE ATT&CK Matrix

Figure 1.1 — MITRE ATT&CK Navigator

Threat intel insights

Targets

Figure 2.1 — Percentage of NotPetya Infections per country

Motivations

Attributions

Technical Analysis

Main Malware

Exploits/Vulnerabilities and lateral movement

Figure 3.1 — IPC$ Functionality seen within NotPetya

Privilege escalation

Figure 4.1 — Showcasing GetTickCount, SeShutdownPrivilege, SeDebugPrivilege
Figure 4.2 — Showcasing DesiredAccess = TOKEN_ADJUST_PRIVILEGES

Network enumeration

Figure 5.1 — Showcasing IP, Subnet mask Collection
Figure 5.2 — Showcasing DhcpEnumSubnets, DhcpGetSubnetInfo

Resources analysis and examination

Figure 6.1 — Showcasing creation of new .tmp file and GUID
Figure 6.2 — Resource 3 Dllhost.dat creation
Figure 6.3 — Resource 4 SMB Payload

Remote execution

Encryption algorithms

Algorithms used: RSA and AES

Figure 7.1 — NotPetya Imports RSA-2048 public key and encrypts AES-128 key with the public key
Figure 7.2 — NotPetya releasing handle of AES-128 key
Figure 7.3 — README.txt Ransom Note

Destroying the master boot record

Figure 7.4 — Get System Directory, Open C Volume
Figure 7.5 — Read Partition Information
Figure 7.6 — Modify MBR and Dismount Volume

Forced System Shutdown and Anti-Analysis

Forced system shutdown

Figure 8.1 — Showcasing the schtasks command in OllyDbg

Anti-Analysis

Anti-reversing techniques

Anti-Antivirus checking

Figure 9.1 — NotPetya Checks the following AV products

Recommended Actions

Conclusion

YARA Signature

References

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.

Ben Lee