# Petya — Enhanced WannaCry?

URL: https://www.msuiche.com/posts/petya-enhanced-wannacry/
Date: 2017-06-27
Author: Matt Suiche


---


#### What we know so far about Byata.

#### Summary

Yes, this is bad — real bad — this is another ransomware leveraging SMB network kernel vulnerabilities to spread on the local network. The exploit used is based on ETERNALBLUE, the NSA exploit leaked by TheShadowBrokers in April 2017, the same one WannaCry used. No kill-switch this time. _(& stop hoping for one)_

> [Tweet by @msuiche](https://twitter.com/msuiche/status/879802251526721538)


**Update**: The initial infection vector seems to have [been a rogue update pushed by the attackers via the Ukrainian accounting software Me-Doc](http://www.me-doc.com.ua/forum/viewtopic.php?f=6&t=13781).

**Update2**: [Microsoft published a complete and detailed analysis of the ransomware.](https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/)

![image](./images/1.png#layoutTextWidth)
Infected machine on one of our customer’s site in Ukraine.



#### Bottom line:

*   Patch your systems, especially MS17-010. Keep in mind that WannaCry **itself** is still active: _our killswitch prevented 80K infections in the past 7 days alone!_
*   Have a backup strategy. This is your best strategy against the rising threats of ransomware.
*   Have a worst-case scenario plan. Companies need incident response and recovery plans.

> [Tweet by @Bing_Chris](https://twitter.com/Bing_Chris/status/879730330713952257)
>
> Get your patches together! Put them in a backup. All your patches. Get them together.



### Details: Byata/Petya/NotPetya/Nyeta

The Comae team dubbed this malware Byata.

> [Tweet by @craiu](https://twitter.com/craiu/status/879695678708097025)


Thanks to Costin for sharing the `71b6a493388e7d0b40c83ce903bc6b04` hash.

*   The SMB kernel exploit can be found at offset `0x10005A7E`.

The attackers XORed the shellcode with `0xcc` so that its signature is not automatically detected by anti-virus. It is a very simple trick, but an effective one, and it shows how easy it is to bypass signature-based anti-virus.

![image](./images/2.png#layoutTextWidth)


Another thing we can notice is that the attackers rewrote the kernel exploit properly. Below is the definition of the function that builds SMBv1 packet headers.

![image](./images/3.png#layoutTextWidth)
.text:10002466 buildSMBv1PacketHeader()



The code is definitely cleaner.

#### Files affected by the ransomware

65 different file types are targeted by the ransomware.
`.3ds,.7z,.accdb,.ai,.asp,.aspx,.avhd,.back,.bak,.c,.cfg,.conf,.cpp,.cs,.ctl,.dbf,.disk,.djvu,.doc,.docx,.dwg,.eml,.fdb,.gz,.h,.hdd,.kdbx,.mail,.mdb,.msg,.nrg,.ora,.ost,.ova,.ovf,.pdf,.php,.pmf,.ppt,.pptx,.pst,.pvi,.py,.pyc,.rar,.rtf,.sln,.sql,.tar,.vbox,.vbs,.vcb,.vdi,.vfd,.vmc,.vmdk,.vmsd,.vmx,.vsdx,.vsv,.work,.xls,.xlsx,.xvd,.zip`
![image](./images/4.png#layoutTextWidth)


#### Log Deletion

Logs are also being deleted: the ransomware clears the Windows event logs and the NTFS USN change journal with the following command.
`wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:v`
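As an added example (not code from the original post), a small Python helper a defender could run over process-creation command lines to flag exactly this chain: it splits a cmd.exe `&` chain, recognises `wevtutil cl`/`clear-log` and `fsutil usn deletejournal`, and unwraps a `cmd.exe /c` wrapper. The sample records, the helper names and the `C:` drive letter (filled in for the `%c` placeholder) are constructed.

```python
import re

# Event logs whose clearing an investigator most wants to know about.
WATCHED_LOGS = {"security", "system", "application", "setup"}

def _unwrap_cmd(cmdline):
    """Strip a leading 'cmd.exe /c ...' wrapper so the inner chain is inspected."""
    m = re.match(r'^\s*"?(?:[^\s"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', cmdline, re.I)
    if not m:
        return cmdline
    inner = m.group(1).strip()
    if len(inner) >= 2 and inner[0] == inner[-1] == '"':
        inner = inner[1:-1]  # cmd /c "a & b" quotes the whole chain
    return inner

def _commands(cmdline):
    # Split a cmd.exe chain on &, && and || into individual commands.
    return [c.strip() for c in re.split(r"&&|\|\||&", _unwrap_cmd(cmdline)) if c.strip()]

def analyze_cmdline(cmdline):
    """Return the event logs cleared (lower-cased) and whether the USN journal is deleted."""
    cleared, usn_deleted = [], False
    for cmd in _commands(cmdline):
        tokens = cmd.split()
        # Normalise "C:\Windows\System32\wevtutil.exe" -> "wevtutil"
        exe = re.sub(r"\.exe$", "", tokens[0].strip('"').lower().rsplit("\\", 1)[-1])
        args = [t.lower() for t in tokens[1:]]
        # wevtutil cl <log>  (or the long form: wevtutil clear-log <log>)
        if exe == "wevtutil" and len(args) >= 2 and args[0] in ("cl", "clear-log"):
            cleared.append(args[1])
        # fsutil usn deletejournal /D <drive>  -- wipes the NTFS change journal
        if exe == "fsutil" and args[:2] == ["usn", "deletejournal"]:
            usn_deleted = True
    return {"cleared": cleared, "usn_deleted": usn_deleted}

def is_log_wiping(cmdline):
    """True when a watched log is cleared or the USN journal is deleted."""
    r = analyze_cmdline(cmdline)
    return r["usn_deleted"] or any(log in WATCHED_LOGS for log in r["cleared"])

# Constructed process-creation records (pid, command line). The first is the
# chain quoted in the post, with the %c drive placeholder filled in as C:.
SAMPLE_EVENTS = [
    (4242, "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
           "& wevtutil cl Application & fsutil usn deletejournal /D C:"),
    (1337, 'C:\\Windows\\System32\\cmd.exe /c "wevtutil clear-log Security"'),
    (2001, "C:\\Windows\\System32\\wevtutil.exe qe System /c:5 /f:text"),
]

def suspicious_pids(events=SAMPLE_EVENTS):
    # PIDs whose command line clears logs or the USN journal: [4242, 1337]
    return [pid for pid, cmd in events if is_log_wiping(cmd)]
```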

#### Appendix A — IDA script to decode the kernel shellcode in Petya

```c
// IDC script: XOR-decode the kernel shellcode in place with the single-byte key 0xcc
auto start, end, ptr;
auto key;
start = 0x100123B0;   // first byte of the encoded shellcode
end   = 0x10012D26;   // last byte (inclusive)
key   = 0xcc;
for (ptr = start; ptr <= end; ptr++)
    PatchByte(ptr, Byte(ptr) ^ key);
```
![image](./images/5.png#layoutTextWidth)
Decoded Kernel Shellcode


> [Tweet by @msuiche](https://twitter.com/msuiche/status/879799989857390592)

