#Petya #notpetya quick analysis

July 1, 2017

Creates a process from the temp directory which takes a pipe parameter: [screenshot 1]

Checks the drive and encrypts sectors: [screenshot 2]

Creates a scheduled task to shutdown/reboot the system: [screenshot 3]

Uses the GetExtendedTcpTable API: [screenshot 4]

Drops PsExec as dllhost.dat in the Windows directory; it is embedded in resource #3 of the DLL: [screenshot 5]

Deletes system logs: [screenshot 6]

I did not have network access, so I couldn't generate the pcap for the SMB exploit.
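As an added example (not from the original post), the following Python detector maps four of the behaviours noted above to checks over constructed process-creation and file-creation records. The record layout, the named-pipe argument shape, the exact schtasks command line and the use of wevtutil as the log-clearing mechanism are assumptions, not observations taken from the sample.

```python
import re

# Constructed sample telemetry (not from the original post): one process-creation
# or file-creation record per line as "field=value" pairs separated by " | ".
SAMPLE_EVENTS = [
    r"type=proc | image=C:\Users\bob\AppData\Local\Temp\1234.tmp | cmdline=1234.tmp \\.\pipe\{assumed-guid}",
    r'type=proc | image=C:\Windows\System32\schtasks.exe | cmdline=schtasks /Create /SC once /TN x /TR "shutdown.exe /r /f" /ST 14:35',
    r"type=proc | image=C:\Windows\System32\wevtutil.exe | cmdline=wevtutil cl Setup",
    r"type=file | path=C:\Windows\dllhost.dat",
    r"type=proc | image=C:\Windows\System32\notepad.exe | cmdline=notepad.exe readme.txt",
]

def parse_event(line):
    """Turn 'k=v | k=v' into a dict; a value keeps any '=' after the first one."""
    return dict(field.split("=", 1) for field in line.split(" | "))

def _proc(ev, image_re, cmdline_re):
    """True for a process event whose image path and command line match both patterns."""
    return (ev.get("type") == "proc"
            and re.search(image_re, ev.get("image", ""), re.I) is not None
            and re.search(cmdline_re, ev.get("cmdline", ""), re.I) is not None)

# One rule per behaviour from the post; the command lines they key on are assumptions.
RULES = [
    # Screenshot 1: executable launched from a Temp directory with a \\.\pipe\ argument
    ("temp_process_with_pipe",
     lambda ev: _proc(ev, r"\\temp\\", r"\\\\\.\\pipe\\")),
    # Screenshot 3: scheduled task whose action is a shutdown/reboot
    ("scheduled_shutdown_task",
     lambda ev: _proc(ev, r"\\schtasks\.exe$", r"/create\b.*shutdown")),
    # Screenshot 6: event log cleared (wevtutil cl assumed as the mechanism)
    ("event_log_cleared",
     lambda ev: _proc(ev, r"\\wevtutil\.exe$", r"^wevtutil\s+cl\b")),
    # Screenshot 5: a file named dllhost.dat written directly into the Windows directory
    ("psexec_dropped_as_dllhost_dat",
     lambda ev: ev.get("type") == "file"
     and re.fullmatch(r"[a-z]:\\windows\\dllhost\.dat", ev.get("path", ""), re.I) is not None),
]

def scan(lines):
    """Return (line_index, rule_name) for every rule that fires on each record."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        hits.extend((idx, name) for name, pred in RULES if pred(ev))
    return hits

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {name}")
```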
