Upload File

ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · ransomware (petya / goldeneye) +...

  • Home
  • Documents
  • Ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · Ransomware (Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the
7
(Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the first stage payload - Rundll32 spawns a second stage payload (<RandomName>.tmp) - A new task is scheduled (via schtasks) for: +(1 hour and 3 minutes) - MBR is encrypted and modified UD 1 WIPER

Upload: others

Post on 14-Oct-2020

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · Ransomware (Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the

(Petya / GoldenEye) + Propagation

Process Flow:

- First stage payload is a DLL file

- Rundll32 executes the first stage payload

- Rundll32 spawns a second stage payload (<RandomName>.tmp)

- A new task is scheduled (via schtasks) for: +(1 hour and 3 minutes)

- MBR is encrypted and modified

UD !1

WIPER

Page 2: Ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · Ransomware (Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the

- Reboot is initiated

- User gets the ransom screen (BTC: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX)

UD !2

Page 3: Ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · Ransomware (Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the

Wevtutil command is also executed wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D.

This is mainly executed to clear logs. Few weeks ago during SOREBRECT campaign, ransomware payload was running the same command to clear logs. For SOREBRECT network activity go to:

http://udurrani.com/0fff/sor/

Stage 1:

First stage is a DLL file that is loaded by using rundll32.exe

Later char_buffer is passed to CreateProcess() function. A binary file with .tmp extension is dropped to temp folder. File name is completely random and file size: 56320 bytes

Here is the system flow:

Let’s examine both the files (DLL and .TMP Binary) including the compile time.

UD !3

http://udurrani.com/0fff/sor/
Page 4: Ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · Ransomware (Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the

Code View:

UD !4

Page 5: Ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · Ransomware (Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the

Traffic View:

Most of the traffic is used to scan the internal network for port 445, 139 and 80 for propagation.

UD !5

Page 6: Ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · Ransomware (Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the

UD !6

Page 7: Ransomwareudurrani.com/0fff/locpy/gol.pdf · 2017. 6. 28. · Ransomware (Petya / GoldenEye) + Propagation Process Flow: - First stage payload is a DLL file - Rundll32 executes the

MBR View:

UD !7


O GOL - esmal.tjal.jus.br Gol.pdf · Este caso foi desenvolvido pelos pesquisadores Vilson Malchow Vedana, Sérgio Alves Júnior e André Gomma de Azevedo do Grupo de Pesquisa e Trabalho

Den Flaschenhals schließen: So wehren Sie einen Exploit ab · mshta.exe und rundll32.exe JA Geschützt CVE-2013-5331 und CVE-20144113 über Metasploit JA Geschützt Umgehung von

VALIDATING VMWARE APPDEFENSE …...A104-218 Host CLI - Defense Evasion, Execution: RegAsm Bypass A104-096 Host CLI - Defense Evasion, Execution: rundll32.exe A104-010 Host CLI - Persistence:

RunDLL32.EXE Shell32.DLL,ShellExec RunDLL · (Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht

Royal Astronomical Society of Canada Guidelines for ... DSP GOL.pdf · The general guidelines for outdoor lighting within the Dark Sky Preserve is presented in Section 4. Lighting

Is Tinnitus a Disease of the Ear or a Hiccup of the Brain?00000000-0fff-14a...manent ringing, rattling, or rustling that appears to origin either from one or even both ears. This sound

Stop Fileless Attacks at Pre-execution - Bitdefender · other script interpreting tools such as wscript.exe, cscript.exe, rundll32.exe; mshta.exe; powershell_ise.exe, regedit.exe,

New ransomware, old techniques: Petya adds worm capabilities · C:\\Windows\\system32\\rundll32.exe\” \”C:\\Program Data\\perfc.dat\”,#1 30 The same update vector was also mentioned

Threat Intelligence - Cornell University · Dept of Defense FY12 …Boeing.pdf April is the Cruelest Month.pdf National Human Rights…China.pdf Security Predictions…2013.pdf rundll32.exe

1 TABLE - WikiLeaks · As a user, I need to be able to run the application on the pivot machine using rundll32.exe 4.1.5.3 L OADLIBRARY SUPPORT Importance: 1 ‐ Cri tical As a user,

Go!gol.媒体資料 - PAR GOLF PLUS(パーゴルフ プラス)c.pargolf.co.jp/pgo/a/docs/media_sheet_go-gol.pdfゴルフ談義するならこんなトコ、Go!gol.Loungeツアー談義、他

Is Tinnitus a Disease of the Ear or a Hiccup of the Brain?00000000-0fff-14a1-ffff... · 2017. 10. 5. · cure. tinnitus. Unfortunately most individuals affected by acute tinnitus

Productos SKF - Volkswagen GOL 1.6 - 8V - del `98 al `11 Automotrices Volsk GOL.pdf · Productos SKF - Volkswagen GOL 1.6 - 8V - del `98 al `11 Rueda Delantera BAH-0036 Kit de Rueda

Printer related Scripts in Windows XP and Server … · Web viewPrinter related Scripts in Windows XP and Server 2003 Using the various functions and parameters of the rundll32 printui.dll,PrintUIEntry

kflIfs f k|s fzg - Supreme Court of Nepal · ;jf]{Rr cbfnt a 'n]l6g @)^^, kmfu 'g –!, k "0ff {° $@# 1 @)^^, kmfu'g – ! kflIfs f k|s fzg jif{!*, cÍ @! kk"0"0fff{{ÍÍ $$@@##

Analisi Dinamica del Malware BlackEnergyads/.../2018/...BlackEnergy.pdf · BlackEnergy v.3 – 2/3 rundll32.exe è un processo legittimo di Microsoft Windows, che è responsabile

Manual de reparacion y ajustes - GOL.pdf

Ботнет Stantinko додає до інструментарію можливість ... · виконується або компонентом BEDS Stantinko, або rundll32.exe

312_SSP 013br Novo Gol.pdf

[1938] Battle of Khalkhin Gol.pdf

Monero Mining - UDURRANIudurrani.com/0fff/cpu-mining.pdf · schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F

ˆ˚ˇ˛˘ ˘ ˜˚˛˝˙ˆˇ˚˘ - Panda Security · (utilizando rundll32), através da consola w The Starting Point: Powerware A semana passada, fomos questionados, no PandaLabs,

UPDD Windows XPe Integrators Guide Page 1 of 10 · rundll32.exe NonPnpIns.dll,?InstallNonPnpDevice@@YAXXZ It should be possible to run ‘rundll32.exe “C:\Program Files\UPDD\NonPnpIns.dll”,?InstallNonPnpDevice@@YAXXZ’