Goal: Study the Petya destructive component that runs after it detects Kaspersky AV, by emulating the process name it looks for, “avp.exe”.
Malware SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
Credit: Microsoft, Carbon Black
1-2. The initial infection vector appears to be the compromised software update process of the Ukrainian accounting company Me-DOC.
3. Load the EternalPetya ransomware in OllyDbg through rundll32.exe
*Set a breakpoint on the privilege lookup function and step into it (F7)
kernel32.GetCurrentProcess
advapi32.OpenProcessToken
· hProcess = FFFFFFFF
· DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
· phToken = 0007B4DC
advapi32.LookupPrivilegeValueW
· SystemName = NULL
· Privilege = “SeShutdownPrivilege” | “SeDebugPrivilege” | “SeTcbPrivilege”
· pLocalId = 0007B4CC
advapi32.AdjustTokenPrivileges
· hToken = 000000B8 (window)
· DisableAllPrivileges = FALSE
· pNewState = 0007B4C8
· PrevStateSize = 0x0
· pPrevState = NULL
· pRetLen = NULL
*Set a breakpoint on the AV process check function and emulate Kaspersky’s “avp.exe” process with a renamed copy of Notepad.exe
4. Multi-threaded execution of the code
The Destructive Component: Post-Kaspersky "avp.exe" (emulated with Notepad.exe)
I. CreateFileA
*The CreateFile function creates or opens a file or I/O device.
00076A1C 00A343C4 |FileName = "\\.\C:"
00076A20 40000000 |Access = GENERIC_WRITE
00076A24 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00076A28 00000000 |pSecurity = NULL
00076A2C 00000003 |Mode = OPEN_EXISTING
00076A30 00000000 |Attributes = 0
00076A34 00000000 \hTemplateFile = NULL
II. DeviceIoControl
*The DeviceIoControl function sends a control code directly to a specified device driver, causing the corresponding device to perform the requested operation.
00076A18 000000FC |hDevice = 000000FC (window)
00076A1C 00070000 |IoControlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY
00076A20 00000000 |InBuffer = NULL
00076A24 00000000 |InBufferSize = 0
00076A28 00076A48 |OutBuffer = 00076A48
00076A2C 00000018 |OutBufferSize = 18 (24.)
00076A30 00076A44 |pBytesReturned = 00076A44
00076A34 00000000 \pOverlapped = NULL
III. SetFilePointer
*The SetFilePointer function moves the file pointer of the specified open file.
00076A28 000000FC |hFile = 000000FC (window)
00076A2C 00000200 |OffsetLo = 200 (512.)
00076A30 00000000 |pOffsetHi = NULL
00076A34 00000000 \Origin = FILE_BEGIN
IV. WriteFile
*The WriteFile function writes data to the specified file or I/O device; it is designed for both synchronous and asynchronous operation.
00076A24 000000FC |hFile = 000000FC (window)
00076A28 0014E148 |Buffer = 0014E148
00076A2C 00000200 |nBytesToWrite = 200 (512.)
00076A30 00076A44 |pBytesWritten = 00076A44
00076A34 00000000 \pOverlapped = NULL
V. CreateFileA
000769E4 00A343CC |FileName = "\\.\PhysicalDrive0"
000769E8 40000000 |Access = GENERIC_WRITE
000769EC 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
000769F0 00000000 |pSecurity = NULL
000769F4 00000003 |Mode = OPEN_EXISTING
000769F8 00000000 |Attributes = 0
000769FC 00000000 \hTemplateFile = NULL
VI. DeviceIoControl
00076A18 000000FC |hDevice = 000000FC (window)
00076A1C 00070000 |IoControlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY
00076A20 00000000 |InBuffer = NULL
00076A24 00000000 |InBufferSize = 0
00076A28 00076A48 |OutBuffer = 00076A10
00076A2C 00000018 |OutBufferSize = 18 (24.)
00076A30 00076A44 |pBytesReturned = 00076A44
00076A34 00000000 \pOverlapped = NULL
VII. DeviceIoControl
00076A18 000000FC |hDevice = 000000FC (window)
00076A1C 00070000 |IoControlCode = FSCTL_DISMOUNT_VOLUME
00076A20 00000000 |InBuffer = NULL
00076A24 00000000 |InBufferSize = NULL
00076A28 00076A48 |OutBuffer = 00076A2C
00076A2C 00000018 |OutBufferSize = 18 (24.)
00076A30 00076A44 |pBytesReturned = 00076A44
00076A34 00000000 \pOverlapped = NULL
VIII. WriteFile
000769EC 000000FC |hFile = 000000FC (window)
000769F0 0014E148 |Buffer = 0014E148
000769F4 00001400 |nBytesToWrite = 1400 (5120.)
000769F8 00076A2C |pBytesWritten = 00076A2C
000769FC 00000000 \pOverlapped = NULL
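Seen from the defender's side, the sequence above (a raw volume or physical-drive handle opened with GENERIC_WRITE, FSCTL_DISMOUNT_VOLUME, then WriteFile into the first sectors of the disk) is a compact behavioural signature. The Python below is an added example, not code from the original post: it walks a constructed, simplified call trace (the record format and the handle values are assumptions modelled on the OllyDbg output above) and flags writes into the boot area of a raw device, while ignoring ordinary file writes.

```python
import re
# Boot area: the MBR (sector 0) plus 15 following sectors; the trace's last WriteFile covers 10 of them.
BOOT_AREA_BYTES = 16 * 512
RAW_DEVICE = re.compile(r'^\\\\\.\\(?:[A-Za-z]:|PhysicalDrive\d+)$')  # \\.\C:, \\.\PhysicalDrive0

def parse_record(line):
    """Parse one 'Call key=value key="quoted value"' record (constructed format)."""
    call, _, rest = line.strip().partition(' ')
    rec = {'call': call}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', rest):
        rec[key] = val.strip('"')
    return rec

def analyze(trace):
    """Return one alert string per write into the boot area of a raw device."""
    handles, alerts = {}, []   # handle value -> {name, raw, dismounted, pos}
    for rec in map(parse_record, trace):
        call = rec['call']
        if call == 'CreateFileA':
            # Handle values are reused after CloseHandle (both opens return 000000FC): a new open replaces old state.
            name = rec['FileName']
            raw = bool(RAW_DEVICE.match(name)) and 'GENERIC_WRITE' in rec['Access']
            handles[rec['ret']] = {'name': name, 'raw': raw, 'dismounted': False, 'pos': 0}
            continue
        h = handles.get(rec.get('hFile') or rec.get('hDevice'))
        if h is None:
            continue
        if call == 'DeviceIoControl' and rec.get('IoControlCode') == 'FSCTL_DISMOUNT_VOLUME':
            h['dismounted'] = True
        elif call == 'SetFilePointer' and rec.get('Origin') == 'FILE_BEGIN':
            h['pos'] = int(rec['OffsetLo'], 16)   # OllyDbg prints hex
        elif call == 'WriteFile':
            n = int(rec['nBytesToWrite'], 16)
            if h['raw'] and h['pos'] < BOOT_AREA_BYTES:
                alerts.append(f"raw write of {n} bytes at offset {h['pos']} to {h['name']}"
                              + (' after FSCTL_DISMOUNT_VOLUME' if h['dismounted'] else ''))
            h['pos'] += n
    return alerts

# Constructed trace condensed from the OllyDbg call arguments above, plus an
# ordinary file write that must not alert.
SAMPLE_TRACE = [
    r'CreateFileA FileName="\\.\C:" Access=GENERIC_WRITE ret=000000FC',
    r'SetFilePointer hFile=000000FC OffsetLo=200 Origin=FILE_BEGIN',
    r'WriteFile hFile=000000FC nBytesToWrite=200',
    r'CreateFileA FileName="\\.\PhysicalDrive0" Access=GENERIC_WRITE ret=000000FC',
    r'DeviceIoControl hDevice=000000FC IoControlCode=FSCTL_DISMOUNT_VOLUME',
    r'WriteFile hFile=000000FC nBytesToWrite=1400',
    r'CreateFileA FileName="C:\Users\test\notes.txt" Access=GENERIC_WRITE ret=00000104',
    r'WriteFile hFile=00000104 nBytesToWrite=200',
]
```

Running `analyze(SAMPLE_TRACE)` yields two alerts, one for the 512-byte write at offset 512 on `\\.\C:` and one for the 5120-byte write at offset 0 on `\\.\PhysicalDrive0` after the dismount; in a real pipeline the same logic would run over API-monitor or sandbox call logs rather than a hand-built list.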
Please mention the MD5.
Of course. Here it is (I've also added it in the introduction):
MD5: 71b6a493388e7d0b40c83ce903bc6b04
SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Thanks!