Let’s Learn: Debugging EternalPetya’s MBR Destroyer Function with OllyDBG Part I

Goal: Study the Petya destructive component after its Kaspersky AV detection by emulating desired process name “avp.exe.”
Malware SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

Source: Microsoft


1-2. Appears to be the compromised Ukrainian accounting company Me-DOC through compromised software update process.


3. Load the EternalPetya ransomware using Ollydbg and rundll32.exe
*Setting up a breakpoint on the privilege lookup function and stepping inside the function (F7) 

kernel32.GetCurrentProcess
advapi32.OpenProcessToken
·      hProcess = FFFFFFFF
·      DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
·      phToken = 0007B4DC

advapi32.LookupPrivilegeValueW
·      SystemName = NULL
·      Privilege = “SeShutdownPrivilege” | “SeDebugPrivilege” | “SeTcbPrivilege”
·      pLocalId = 0007B4CC

advapi32.AdjustTokenPrivileges
·      hToken = 000000B8 (window)
·      DisableAllPrivileges = FALSE
·      pNewState = 0007B4C8
·      PrevStateSize = 0x0
·      pPrevState = NULL
·      pRetLen = NULL

*Setting up a breakpoint on the AV process check function and emulate Kaspersky’s “avp.exe” process using renamed Notepad.exe


4. Multi-threaded execution of the code
The Destructive Component: Post-Kaspersky "avp.exe" (emulated with Notepad.exe)
I. CreateFileA
CreateFile function creates or opens a file or I/O device
00076A1C   00A343C4  |FileName = "\\.\C:"
00076A20 40000000 |Access = GENERIC_WRITE
00076A24 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00076A28 00000000 |pSecurity = NULL
00076A2C 00000003 |Mode = OPEN_EXISTING
00076A30 00000000 |Attributes = 0
00076A34 00000000 \hTemplateFile = NULL
II. DeviceIOControl
*DeviceIoControl function sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation.
00076A18   000000FC  |hDevice = 000000FC (window)
00076A1C 00070000 |IoControlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY
00076A20 00000000 |InBuffer = NULL
00076A24 00000000 |InBufferSize = 0
00076A28 00076A48 |OutBuffer = 00076A48
00076A2C 00000018 |OutBufferSize = 18 (24.)
00076A30 00076A44 |pBytesReturned = 00076A44
00076A34 00000000 \pOverlapped = NULL
III. SetFilePointer 
*SetFilePointerEx function moves the file pointer of the specified opened file.
00076A28   000000FC  |hFile = 000000FC (window)
00076A2C 00000200 |OffsetLo = 200 (512.)
00076A30 00000000 |pOffsetHi = NULL
00076A34 00000000 \Origin = FILE_BEGIN
IV. WriteFile
*This function is designed for both synchronous and asynchronous operation.
00076A24   000000FC  |hFile = 000000FC (window)
00076A28 0014E148 |Buffer = 0014E148
00076A2C 00000200 |nBytesToWrite = 200 (512.)
00076A30 00076A44 |pBytesWritten = 00076A44
00076A34 00000000 \pOverlapped = NULL
V. CreateFileA
000769E4   00A343CC  |FileName = "\\.\PhysicalDrive0"
000769E8 40000000 |Access = GENERIC_WRITE
000769EC 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
000769F0 00000000 |pSecurity = NULL
000769F4 00000003 |Mode = OPEN_EXISTING
000769F8 00000000 |Attributes = 0
000769FC 00000000 \hTemplateFile = NULL
VI. DeviceIOControl
00076A18   000000FC  |hDevice = 000000FC (window)
00076A1C 00070000 |IoControlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY
00076A20 00000000 |InBuffer = NULL
00076A24 00000000 |InBufferSize = 0
00076A28 00076A48 |OutBuffer = 00076A10
00076A2C 00000018 |OutBufferSize = 18 (24.)
00076A30 00076A44 |pBytesReturned = 00076A44
00076A34 00000000 \pOverlapped = NULL
VII. DeviceIOControl
00076A18   000000FC  |hDevice = 000000FC (window)
00076A1C 00070000 |IoControlCode =
FSCTL_DISMOUNT_VOLUME
00076A20 00000000 |InBuffer = NULL
00076A24 00000000 |InBufferSize =
NULL
00076A28 00076A48 |OutBuffer = 00076A2C
00076A2C 00000018 |OutBufferSize = 18 (24.)
00076A30 00076A44 |pBytesReturned = 00076A44
00076A34 00000000 \pOverlapped = NULL
VIII.  WriteFile
000769EC   000000FC  |hFile = 000000FC (window)
000769F0 0014E148 |Buffer = 0014E148
000769F4 00001400 |nBytesToWrite = 1400 (5120.)
000769F8 00076A2C |pBytesWritten = 00076A2C
000769FC 00000000 \pOverlapped = NULL


2 thoughts on “Let’s Learn: Debugging EternalPetya’s MBR Destroyer Function with OllyDBG Part I”

  1. Of course. Here it is (I've also added it in the introduction):MD5: 71b6a493388e7d0b40c83ce903bc6b04SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06dSHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745Thanks!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s