Another annoying ransomware, called Petya, is currently in the wild. The crypto-locker variant, encrypts/destroys MBR and boot records of Windows drives. It’s been spread as an attachment via email, disguised to be a job seeker’s application. I took a short look at it.

More about Petya
http://blog.trendmicro.com/trendlabs-security-intelligence/petya-crypto-ransomware-overwrites-mbr-lock-users-computers/

The malware uses several layers of encryption, anti-debugging and anti-emulation layers. To avoid analysis, it makes use of the typical “ask for more than available” strategy: Either wasting too much CPU time (causing sandbox timeout) or allocating too much memory (out of memory failure) etc. It doesn’t try to detect emulation of AV’s however.

I’ve removed the overhead to focus on the core of the malware. Once dumped, I’ve patched the underlying DLL to act as a PE executable, changing the PE header + adding some code caves. Dealing with a PE32 executable, makes the analysis much more convenient. Loading that one into IDA however didn’t provide much help, as the author put quite some effort into this piece of shit to keep it’s size small and to avoid analysis, by NOT using any c++::std functions. So it took quite some time to fully reverse the binary, and to spot functions like new(), delete(), memset() etc. Using that one + IDA + Olly concluded my overall analysis, which I not going to release here. I don’t want to educate SKIDS about ransomware.

Download: Petya Ransomware / Malware, decrypted, unwrapped, DLL->PE32 .exe converted
http://ul.to/ud1zi7oi

Password: infected

Uploaded to Virustotal, for detection
https://www.virustotal.com/en/file/87f202a4c28b27437f505873d8dcbe1cc966a27efa4d79b440704cf341ab4a22/analysis/1458949913/

**** WARNING: Executing this executable will damage your Windows installation! Run it under VMWare only! Use at your own risk. For educational purposes only. Im not responsible for any damages. Do not download if you do not agree. ****