{"id":5880,"date":"2017-01-18T22:53:22","date_gmt":"2017-01-18T22:53:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-85\/"},"modified":"2017-01-18T22:53:22","modified_gmt":"2017-01-18T22:53:22","slug":"news-85","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-85\/","title":{"rendered":"Goldeneye Ransomware &#8211; the Petya\/Mischa combo rebranded"},"content":{"rendered":"<p>From March 2016 we&#8217;ve observed the evolution of an interesting low-level ransomware, Petya &#8211; you can read about it <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/04\/petya-ransomware\/\" target=\"_blank\">here<\/a>. The <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/05\/petya-and-mischa-ransomware-duet-p1\/\" target=\"_blank\">second version (green) Petya<\/a> comes combined with another ransomware, packed in the same dropper &#8211; <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/06\/petya-and-mischa-ransomware-duet-p2\/\" target=\"_blank\">Mischa<\/a>. The latter one was deployed as an alternative payload: in case the dropper was run without administrator privileges and the low-level attack was impossible. This combo is slowly reaching its maturity &#8211; the authors fixed bugs that allowed for decryption of the two earliest versions. 
Now, we are facing an outbreak of the fourth version &#8211; this time under a new name &#8211; Goldeneye, and, appropriately, a new, golden theme.<\/p>\n<p>In this post we will take a look inside, in order to answer the question\u00a0of whether or not any internal changes followed the\u00a0external alterations.<\/p>\n<h3>Analyzed sample<\/h3>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690\/analysis\/\" target=\"_blank\">e068ee33b5e9cb317c1af7cecc1bacb5<\/a> &#8211; original sample (packed)\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/94e8fd03f5eb3ad9677b803816b235f9040ae0ed2721b7a65ebc0d1becf290f5\/analysis\/1481144698\/\" target=\"_blank\">532b62e7a6522bb0643bcb6fc0bfe983<\/a> &#8211; core.dll (dropper)\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/4125ab0e94922047ca0d8d2c62a0ea9851d0cf79e09a1ece13d3cb827d46426d\/analysis\/1481143821\/\" target=\"_blank\">0cd94baa2dccc0e7c2008b7948cebfe3<\/a> &#8211; elevate_x86.dll<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/4ab319b722282de4006eb7c3a2f1b9029e866e3eeb2505cab7fb5befe1f36b55\/analysis\/1481143835\/\" target=\"_blank\">54fb6dbad73eee5d8638c0869c35ed8f<\/a> &#8211; elevate_x64.dll<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/35616240b9a6bb48d933f2a9ea0eca2e0890bd9ec6d2987686838e3ae0a42242\/analysis\/1481174450\/\" target=\"_blank\">e5a2cc00d1ad8d409576bc6d24a346bd<\/a> &#8211; Petya Golden (dump from the disk)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><a href=\"https:\/\/malwr.com\/analysis\/MjNiODhmYmY0ZmU5NDUzOWIxZGRhMGM1YzllOTY1ZWE\/share\/8ea9ad053f8c4b988b7cc4645c1dec24\" target=\"_blank\">435076f9c8900cbdfc48a15713b1c431<\/a> &#8211; Goldeneye Decrypter (original)<\/li>\n<\/ul>\n<p><em>\/\/ special thanks to <a href=\"https:\/\/twitter.com\/procrash\" target=\"_blank\">@procrash<\/a><\/em><\/p>\n<h3>Distribution<\/h3>\n<p>Currently Goldeneye is distributed by 
phishing e-mails, in campaigns targeting Germany. The same pattern of distribution was observed in the first editions of Petya ransomware. Germany seems to be an environment familiar to this ransomware author (who is probably a German native speaker) and his testing campaigns are always released in this country. However, the threat will probably go global again, as the affiliate program for other criminals is going to be released soon.<\/p>\n<h3>Behavioural analysis<\/h3>\n<p>After being run, the malware installs its copy in the %APPDATA% directory, under the name of a random application found in the system:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15719\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/golden_dropped.png\" alt=\"golden_dropped\" width=\"621\" height=\"122\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/golden_dropped.png 621w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/golden_dropped-300x59.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/golden_dropped-600x118.png 600w\" sizes=\"auto, (max-width: 621px) 100vw, 621px\" \/><\/p>\n<p>The installed copy is automatically executed and proceeds with malicious actions.<\/p>\n<p>In the past, the dropper of Petya\/Mischa used to trigger a UAC popup window. If the user agreed to run the sample as the Administrator, he\/she was attacked by the low-level payload: Petya. Otherwise, the high-level Mischa was deployed.<\/p>\n<p>In the current case the model of the attack is different and looks more like a case of <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/06\/satana-ransomware\/\" target=\"_blank\">Satana ransomware<\/a>.<\/p>\n<p>First, the high-level attack is deployed and the files are encrypted one by one. 
Then, the malware tries to bypass UAC and elevate its privileges on its own, in order to carry out the second attack, this time at the low level: installing Petya at the beginning of the disk. The bypass works silently if UAC is set to default or lower. In cases where UAC is set to the maximum level, the following window pops up repeatedly, until the user accepts the elevation:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15648\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/uac_highest.png\" alt=\"uac_highest\" width=\"466\" height=\"277\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/uac_highest.png 466w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/uac_highest-300x178.png 300w\" sizes=\"auto, (max-width: 466px) 100vw, 466px\" \/><\/p>\n<p>The bypass technique used works on both 32-bit and 64-bit versions of Windows, up to Windows 8.1. On Windows 10, a popup is displayed even if UAC is set to default &#8211; but it does not reveal the real name of the infecting program:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15652\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/win10_petya.png\" alt=\"win10_petya\" width=\"401\" height=\"347\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/win10_petya.png 462w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/win10_petya-300x260.png 300w\" sizes=\"auto, (max-width: 401px) 100vw, 401px\" \/><\/p>\n<h4>The high-level part (former Mischa)<\/h4>\n<p>In the first stage of the attack, files are encrypted one by one. 
The malware drops the following note in TXT format:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15649\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/mischa_note.png\" alt=\"mischa_note\" width=\"947\" height=\"302\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/mischa_note.png 947w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/mischa_note-300x96.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/mischa_note-600x191.png 600w\" sizes=\"auto, (max-width: 947px) 100vw, 947px\" \/><\/p>\n<p>Encrypted files are given random extensions:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15650\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/encrypted_files.png\" alt=\"encrypted_files\" width=\"583\" height=\"169\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/encrypted_files.png 583w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/encrypted_files-300x87.png 300w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/p>\n<p>Two files with the same plaintext turn into two different ciphertexts &#8211; that indicates that each file is encrypted with a new key or a new initialization vector. 
The high entropy suggests AES in CBC mode.<\/p>\n<p>Visualization &#8211; original file vs encrypted one:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11700\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/03\/enc_square1.png\" alt=\"enc_square1\" width=\"219\" height=\"219\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/03\/enc_square1.png 219w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/03\/enc_square1-150x150.png 150w\" sizes=\"auto, (max-width: 219px) 100vw, 219px\" \/>\u00a0 <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15651\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/enc_square1.bmp_.yC5pDbHp.png\" alt=\"enc_square1-bmp-yc5pdbhp\" width=\"219\" height=\"219\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/enc_square1.bmp_.yC5pDbHp.png 219w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/enc_square1.bmp_.yC5pDbHp-150x150.png 150w\" sizes=\"auto, (max-width: 219px) 100vw, 219px\" \/><\/p>\n<h4>The low-level part (former Petya)<\/h4>\n<p>The second stage of the infection is deployed after the files have been encrypted. The behavior of the second payload is no different from that of the previous versions of Petya. After the malware is deployed, the system crashes and boots into a fake CHKDSK. It pretends to be checking the disk for errors, but in reality it encrypts the Master File Table using Salsa20. 
Once it completes, we see the familiar blinking skull &#8211; this time in a yellow\/golden color:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15641\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow1.png\" alt=\"yellow1\" width=\"726\" height=\"405\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow1.png 726w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow1-300x167.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow1-600x335.png 600w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/p>\n<p>After pressing a key, we see the screen with the ransom note:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15642\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow2.png\" alt=\"yellow2\" width=\"724\" height=\"407\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow2.png 724w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow2-300x169.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow2-600x337.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/yellow2-400x225.png 400w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/p>\n<h4>Page for the victim<\/h4>\n<p>In every edition, all the pieces of the ransomware had a consistent theme. This time it is no different. 
The page for the victim, hosted on a Tor-based site, comes in a theme very similar to that of the ransomware itself:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15643\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/victim_page.png\" alt=\"victim_page\" width=\"844\" height=\"575\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/victim_page.png 999w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/victim_page-300x205.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/victim_page-600x409.png 600w\" sizes=\"auto, (max-width: 844px) 100vw, 844px\" \/><\/p>\n<p>After paying the ransom, the victim is provided with a key to decrypt the first (bootlocker) stage and a decrypter to recover the files:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15674\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/decryptor.png\" alt=\"decryptor\" width=\"557\" height=\"405\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/decryptor.png 557w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/decryptor-300x218.png 300w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><\/p>\n<p>The decrypter requires the proper key in order to work:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15722\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/password_dec.png\" alt=\"password_dec\" width=\"554\" height=\"403\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/password_dec.png 554w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/password_dec-300x218.png 300w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><\/p>\n<h4>Affiliate program<\/h4>\n<p>In the past, the Petya\/Mischa combo was available as RaaS (Ransomware as a Service). 
Following the changes in the layout, the Twitter account associated with the criminal(s) behind the malware also changed the theme of its profile and updated the information about the affiliate program status:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15645\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/janus.png\" alt=\"janus\" width=\"781\" height=\"393\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/janus.png 899w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/janus-300x151.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/janus-600x302.png 600w\" sizes=\"auto, (max-width: 781px) 100vw, 781px\" \/><\/p>\n<p>It confirms that neither the actor behind Goldeneye nor the methods of redistributing it have changed.<\/p>\n<h3>Inside<\/h3>\n<p>This ransomware is very complex, having multiple pieces that have already been described in our previous articles. That&#8217;s why, in this one, we will focus only on the differences compared to the previous editions. Let&#8217;s start with <em>core.dll<\/em>, the PE file that we get after unpacking the first layer.<\/p>\n<h4>The core.dll<\/h4>\n<p>Just like in the previous versions, the main application is a DLL (<em>core.dll<\/em>), packed by various crypters and loaded by a technique known as <em>Reflective Loader<\/em>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15731\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/core_dll-1.png\" alt=\"core_dll\" width=\"517\" height=\"296\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/core_dll-1.png 517w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/core_dll-1-300x172.png 300w\" sizes=\"auto, (max-width: 517px) 100vw, 517px\" \/><\/p>\n<p>In the past Petya and Mischa were two separate modules delivered by this DLL. 
The dropper decided which of them to deploy by attempting to run the sample with Administrator privileges &#8211; no UAC bypass was used, only social engineering. Now, however, it comes with two DLLs that perform a UAC bypass &#8211; one for the 32-bit and another for the 64-bit variant of Windows. It decides which one to deploy based on the detected architecture.<\/p>\n<p>The internal logic of this module changed a bit. There is no longer a separate <em>Mischa.dll<\/em>. Instead, the <em>core.dll<\/em> covers the functionality of encrypting files as well as installing the disk locker afterwards. The payloads are XOR encrypted and stored in the last section of the PE file (<em>.xxxx<\/em>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15716\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/core_dll.png\" alt=\"core_dll\" width=\"200\" height=\"251\" \/><\/p>\n<p>Section .<em>xxxx<\/em> contains:<\/p>\n<ul>\n<li>the low-level part (former Petya)<\/li>\n<li>32-bit DLL (elevate_x86.dll)<\/li>\n<li>64-bit DLL (elevate_x64.dll)<\/li>\n<\/ul>\n<p>(The two DLLs used for the UAC bypass are based on a technique similar to the one described <a href=\"http:\/\/www.rohitab.com\/discuss\/topic\/40992-cc-uac-bypass\/\" target=\"_blank\">here<\/a>.)<\/p>\n<p>At first run, the core module makes its own copy in %APPDATA% and applies some tricks to blend into the environment:<\/p>\n<ul>\n<li>Choosing the application name at random, from among the applications in the System folder<\/li>\n<li>Changing its own timestamp to the timestamp of Kernel32.dll (the so-called &#8220;timestomping&#8221; technique).<\/li>\n<li>Adding to its own resources the resources of the genuine Microsoft application whose name it was installed under:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15730\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/add_resource-1.png\" alt=\"add_resource\" width=\"512\" height=\"239\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/add_resource-1.png 512w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/add_resource-1-300x140.png 300w\" sizes=\"auto, (max-width: 512px) 100vw, 512px\" \/><\/p>\n<p>Result:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15724\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/spoofed_res.png\" alt=\"spoofed_res\" width=\"811\" height=\"526\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/spoofed_res.png 811w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/spoofed_res-300x195.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/spoofed_res-600x389.png 600w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><\/p>\n<p>Some of those tricks remind us of <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/03\/cerber-ransomware-new-but-mature\/\" target=\"_blank\">Cerber ransomware<\/a> and they were probably inspired by it.<\/p>\n<p>Then, the dropper deploys the installed copy and proceeds with encryption.<\/p>\n<h4>The file cryptor (former Mischa)<\/h4>\n<p>The file cryptor feature is now implemented inside the <em>core.dll<\/em>.<\/p>\n<p>It behaves similarly to the former Mischa ransomware &#8211; the only difference is that now it is employed before the low-level attack, rather than being an alternative to it.<\/p>\n<h5>Attacked targets<\/h5>\n<p>Files with the following extensions are attacked:<\/p>\n<pre>doc docx docm odt ods odp odf odc odm odb xlsm xlsb xlk xls xlsx   pps ppt pptm pptx pub epub pdf  jpg jpegB rtf txt frm wdb ldf myi  vmx xml xsl wps cmf vbs accdb cdr svg conf cfg config wb2 msg azw   azw1 azw3 azw4 lit apnx mobi p12 p7b p7c pfx pem cer key der mdb   htm html class java cs asp aspx 
cgi h cpp php jsp bak dat pst eml   xps sqllite sql js jar py wpd crt csv prf cnf indd number pagesN   po dcu pas dfm\tdirectory pbk yml dtd rll cert p12 cat inf mui   props idl result localstorage ost default json db sqlite bat x3f   srw pef raf orf nrw nef mrw mef kdc dcr crw eip fff iiq k25 crwl   bay sr2 ari srf arw cr2 raw rwl rw2 r3d 3fr ai eps pdd dng dxf dwg   psd ps png jpe bmp gif tiff gfx jge tga jfif emf 3dm 3ds max obj   a2c ddspspimage yuv 3g2 3gp asf asx mpg mpeg avi mov flv wma wmv   ogg swf$ ptx ape aif wav ram ra m3u movie mp1 mp2 mp3 mp4 mp4v mpa   mpe mpv2 rpf vlc m4a aac aa aa3 amr mkv dvd mts qt vob 3ga ts m4v   rm srt aepx camproj dash  zip rar gzip vmdk mdf iso bin cue dbf   erf dmg toast vcd ccd disc nrg nri cdi  <\/pre>\n<h5>Encryption<\/h5>\n<p>Files are read in chunks of 1024 bytes each. Then, they are processed by the built-in implementation of AES.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15732\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/read_encrypt.png\" alt=\"read_encrypt\" width=\"506\" height=\"661\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/read_encrypt.png 506w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/read_encrypt-230x300.png 230w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/read_encrypt-459x600.png 459w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\" \/><\/p>\n<p>The easiest way to analyze the encryption algorithm used is to reverse the original decrypter, provided by the ransomware author to victims that paid the ransom. The decrypter is written in .NET and not obfuscated.<\/p>\n<p>Looking at the decrypter code we can confirm that each file is encrypted using AES in CBC mode. 
The AES key is 32 bytes long, and it is taken from the beginning of the SHA512 hash of the password.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15715\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/aes_key.png\" alt=\"aes_key\" width=\"881\" height=\"55\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/aes_key.png 881w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/aes_key-300x19.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/aes_key-600x37.png 600w\" sizes=\"auto, (max-width: 881px) 100vw, 881px\" \/><\/p>\n<p>The initialisation vector is random for every file and is stored in the file&#8217;s content:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15714\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/decompiled1.png\" alt=\"decompiled1\" width=\"887\" height=\"416\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/decompiled1.png 887w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/decompiled1-300x141.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/decompiled1-600x281.png 600w\" sizes=\"auto, (max-width: 887px) 100vw, 887px\" \/><\/p>\n<h4>The disk locker (former Petya)<\/h4>\n<p>This part of the Goldeneye ransomware is written at the beginning of the disk and is independent of the operating system. It is made up of a bootloader and a tiny 16-bit kernel. At first sight we can suspect that it is nothing more than a refactored Petya. 
That&#8217;s why, for simplicity, I will refer to this part as Petya Goldeneye.<\/p>\n<p>Indeed, comparing the current edition with Petya 3 (described <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/07\/third-time-unlucky-improved-petya-is-out\/\" target=\"_blank\">here<\/a>) we can see that the encryption algorithm and the codebase haven&#8217;t changed. Yet, we can spot some differences.<\/p>\n<h5>Encryption<\/h5>\n<p>All versions of Petya use Salsa20 to encrypt the MFT. In the current edition, the implementation of Salsa20 is identical to the one in the <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/07\/third-time-unlucky-improved-petya-is-out\/\" target=\"_blank\">former version<\/a>.<\/p>\n<p>See the <em>BinDiff<\/em> screenshot below &#8211; Petya Goldeneye vs Petya 3:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15678\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/no_change.png\" alt=\"no_change\" width=\"658\" height=\"199\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/no_change.png 658w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/no_change-300x91.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/no_change-600x181.png 600w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/p>\n<p>We can safely assume that, just like in the previous case, Salsa20 has been implemented correctly &#8211; meaning that this edition of Petya is not decryptable by external tools.<\/p>\n<h5>What has changed in the code?<\/h5>\n<p>Although the main parts of the code didn&#8217;t change, we can still notice that some refactoring has taken place:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15709\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/changes.png\" alt=\"changes\" width=\"647\" height=\"123\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/changes.png 647w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/changes-300x57.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/changes-600x114.png 600w\" sizes=\"auto, (max-width: 647px) 100vw, 647px\" \/><\/p>\n<p>The most important changes concern the way in which the encryption\/decryption is applied. The author added more checks and simplified the decryption function. Still, the changes are about improving code quality rather than introducing new ideas.<\/p>\n<h5>Layout<\/h5>\n<p>Just like in the previous cases, Petya&#8217;s code is written at the beginning of the disk &#8211; however, now the layout is more compact. The code of Petya&#8217;s kernel starts just after the MBR, without any padding. Due to this, other important sectors are also shifted. For example, the data sector, where the random Salsa20 key is saved*, is now placed in sector 32:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15682\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/sector_32.png\" alt=\"sector_32\" width=\"726\" height=\"167\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/sector_32.png 726w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/sector_32-300x69.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/sector_32-600x138.png 600w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/p>\n<p><em>* just like in all previous editions, this key is erased after use. 
Read more about the full procedure <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/04\/petya-ransomware\/\" target=\"_blank\">here<\/a>.<\/em><\/p>\n<p>Summing up, all the sectors are shifted towards the beginning of the disk.<\/p>\n<p>Data sector:<\/p>\n<ul>\n<li>Petya3: 54<\/li>\n<li>Petya Goldeneye: 32<\/li>\n<\/ul>\n<p>Verification sector:<\/p>\n<ul>\n<li>Petya3: 55<\/li>\n<li>Petya Goldeneye: 33<\/li>\n<\/ul>\n<p>Original MBR (XORed with 7):<\/p>\n<ul>\n<li>Petya3: 56<\/li>\n<li>Petya Goldeneye: 34<\/li>\n<\/ul>\n<h3>Conclusion<\/h3>\n<p>Goldeneye ransomware is yet another step in the development of the Petya\/Mischa bundle. The redesigned dropper couples both elements together in a new way that makes it even more dangerous. At the current stage the product doesn&#8217;t seem decryptable by external tools. We strongly advise being very vigilant about opening e-mail attachments, because this is still the main distribution channel of this ransomware.<\/p>\n<p><em>During the tests, Malwarebytes has proven to protect against the malicious payloads attached to Goldeneye phishing e-mails:<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15741\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/thumbnail__golden_eye2.jpg.png\" alt=\"thumbnail__golden_eye2-jpg\" width=\"812\" height=\"685\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/thumbnail__golden_eye2.jpg.png 812w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/thumbnail__golden_eye2.jpg-300x253.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/12\/thumbnail__golden_eye2.jpg-600x506.png 600w\" sizes=\"auto, (max-width: 812px) 100vw, 812px\" \/><\/p>\n<hr \/>\n<p class=\"p1\"><em><span class=\"s1\">This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. 
<\/span><span class=\"s1\">She loves going into the details of malware and sharing threat information with the community. <\/span><span class=\"s2\">Check her out on Twitter @<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\">hasherezade<\/a> and her personal blog: <a href=\"https:\/\/hshrzd.wordpress.com\/\" target=\"_blank\"><span class=\"s3\">https:\/\/hshrzd.wordpress.com<\/span><\/a>.<\/span><\/em><\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/12\/goldeneye-ransomware-the-petyamischa-combo-rebranded\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/12\/goldeneye-ransomware-the-petyamischa-combo-rebranded\/' title='Goldeneye Ransomware - the Petya\/Mischa combo rebranded'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/03\/petya_image.png' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>From March 2016 we&#8217;ve observed the evolution of an interesting low-level ransomware, Petya. 
Now, we are facing an outbreak of the fourth version &#8211; this time under a new name &#8211; Goldeneye, and, appropriately, a new, golden theme.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/cerber-ransomware\/\" rel=\"tag\">Cerber ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/goldeneye-ransomware\/\" rel=\"tag\">Goldeneye ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/hasherezade\/\" rel=\"tag\">hasherezade<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mischa-ransomware\/\" rel=\"tag\">Mischa ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/petya-ransomware\/\" rel=\"tag\">Petya ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing\/\" rel=\"tag\">phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/satana-ransomware\/\" rel=\"tag\">Satana ransomware<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/12\/goldeneye-ransomware-the-petyamischa-combo-rebranded\/' title='Goldeneye Ransomware - the Petya\/Mischa combo rebranded'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10585,10586,10492,3764,10587,10588,3924,3765,10589,10494],"class_list":["post-5880","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cerber-ransomware","tag-goldeneye-ransomware","tag-hasherezade","tag-malware","tag-mischa-ransomware","tag-petya-ransomware","tag-phishing","tag-ransomware","tag-satana-ransomware","tag-threat-analysis"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/5880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=5880"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/5880\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=5880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=5880"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=5880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}