{
	"id": "efa52f22-247c-4e9a-9273-fed26c26dff4",
	"created_at": "2026-04-06T01:29:07.063167Z",
	"updated_at": "2026-04-10T03:20:20.630581Z",
	"deleted_at": null,
	"sha1_hash": "44bcba68843f35ff4eda518182af595bc2d7419c",
	"title": "Petya/Not Petya Ransomware:",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2691800,
	"plain_text": "Petya/Not Petya Ransomware:\r\nBy Ilan Duhin\r\nPublished: 2023-01-30 · Archived: 2026-04-06 00:16:44 UTC\r\nExecutive Summary:\r\nPetya is a family of encrypting malware that targets the Windows OS and infects the MBR (master boot record) in order to execute a payload that encrypts the hard drive’s file system table.\r\nPetya spreads over the network by using the MS17-010 vulnerability, known as EternalBlue. It also spreads by stealing user names \u0026 passwords and copying itself across network shares.\r\nStatic Analysis:\r\nWhen I opened the ransomware in IDA, it started at address 10007D39 with the function DllEntryPoint, so although the file extension is .exe, I guess it is actually a DLL.\r\nPeStudio: in the Indicators tab we see two indicators that look suspicious to me.\r\nhttps://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786\r\nPage 1 of 11\r\nThe date specified in the file header is 5 years later than expected, which probably points at our suspicious payload.\r\nIn the Imports tab, I will be looking for interesting API calls that I want to investigate later in IDA or a debugger to see which values they contain.\r\nThis call means that the new process that is created runs in the security context of the calling process. If the calling process is impersonating another user, the new process uses the token of the calling process.\r\nIt works like this: a new thread is created in suspended mode. The impersonated token replaces the current thread token with SetThreadToken and the thread is resumed. This thread is then used to execute the SMB RCE as the impersonated user.\r\nThis call is used to connect to a server by using default credentials for the impersonated token and then cancel the connection.\r\nThe function that encrypts data. 
In our situation, I guess it would try to encrypt the MFT because it is ransomware.\r\nIn the Library tab, I checked which libraries the ransomware imports and which functions it exports. In the picture below I see many imported DLLs, which gives me a clue that the binary isn’t packed.\r\nThe interesting libraries I focus on are:\r\n· Crypt32.dll: possibly used for crypto functions.\r\n· Advapi32.dll: probably responsible for restarting the OS (I guess because the ransomware wants to reboot the machine after it encrypts all files).\r\n· Shlwapi.dll: functions that work on strings \u0026 filesystem paths.\r\n· Ws2_32.dll: contains the Windows Sockets API, I guess for setting up some sockets.\r\nAnother way to find interesting things about ransomware is by reading its strings. To do this I use BinText.\r\nThe strings are readable and give useful output, which means it’s not packed!\r\nThe file extensions that the ransomware will be looking for.\r\nThe messages that will be shown on the victim’s screen.\r\nDynamic Analysis:\r\nSince we saw in the static analysis that we are dealing with a DLL, I try to run it with Rundll32 at the entry point and see what happens.\r\nHow do we know what the entry point argument is? 
Well, one of the suspicious strings that I found describes that the ransomware is run by rundll32 as a child process with the #1 argument (which is the first value in the library).\r\nAlso, when dropping the DLL into IDA, in the Exports tab we can see there is one exported function that we should run.\r\nRunning the ransomware with the first function of the Exports tab.\r\nWe see in Process Hacker that the DLL is running under the cmd \u0026 rundll32 that we used earlier.\r\nDouble-clicking on rundll32.exe and opening the Memory \u0026 Strings tab, we see interesting strings present in memory:\r\nThe scheduled task is created to shut down the victim’s machine because the malware starts encrypting after reboot.\r\nWhen we open Task Scheduler itself we see the task was really created and is ready to run.\r\nMapping the physical drive. It means that the ransomware wants to gain access to the physical disk and encrypt the MFT so the file system will not be readable.\r\nThe string below describes that the Security, Application and System logs will be deleted by the malware. In simple words, our sample leaves no trace.\r\nWhen the victim’s computer reboots, Petya will fake a “check disk” scan. We will see it later after restarting our VM. 
This action actually is the encryption!\r\nThe messages that show up on the victim’s screen.\r\nIn addition, I had opened Procmon earlier with a number of filters to capture interesting processes like:\r\nOperation is Process Create\r\nProcess Name is Petya.dll\r\nProcess Name contains Rundll32\r\nAnd this is what we got!\r\nWe saw that the ransomware created a scheduled task to shut down the infected machine at a specific time, and created the tmp file “181E.tmp” in the AppData\\Local\\Temp path.\r\nIt seems that the malware tries to connect to the admin$ share.\r\nIDA:\r\n- One of the things I do when I drop the file into IDA is to look at the navigation bar at the top. It gives an overview of the state of the code. For example, the olive color is unexplored code, and the pink one is external symbols, which can indicate whether our sample uses external DLL libraries. (Basically it’s a table that shows us the memory location of every symbol, i.e. the API calls of the malware code.)\r\n- The second thing I always look at is the Imports tab. 
Very important, because we see which API calls the malware uses.\r\nFor example, as we saw in the static analysis of the API call WNetAddConnection2W, we can see its references by pressing “x”, and maybe also observe our malware’s connection by disabling ASLR \u0026 setting a BP.\r\nFile extensions that are targeted by the ransomware (you can find them in the audit section).\r\nThe malware “overwrites” the MBR: it pushes a file named “PhysicalDrive0” together with a number of arguments, including itself, and then it goes to the DeviceIoControl function (I guess to specify the device driver).\r\nWhen we double-click on the file, we see the interesting arguments it pushes.\r\nAnother interesting thing is one of the arguments that DeviceIoControl takes, hDrive. This argument gives a handle to the device and retrieves information about the physical disk, file, thread, etc.\r\nNetwork Enumeration:\r\nAfter the malware calls GetComputerNameExW and before it calls CreateThread, we can see a condition (jz) with a very interesting argument that calls IpStratAddress, which is the beginning of rebuilding the SMB protocol.\r\nIf we go down a little bit (after the thread creation) we see two calls to functions.\r\nIn the first one, we see an argument pushed for GetExtendedTcpTable, which means “retrieve a list of TCP endpoints”. 
In other words, get the TCP connections of the local machine.\r\nIn the second, we see GetIpNetTable, which means “give me your local network IPs”.\r\nThe enumeration of SMB starts with the API call GetAdaptersInfo. The goal of this call is to get the subnet mask of all network interfaces, like workstations/servers. At the end of the call, we have a condition (jump if not zero) to an API call which retrieves inet_addr and closes the socket, or a jump to the API call LocalFree, which checks the free space on disk and gives a clue whether it is a server or a workstation.\r\nIt checks this with the NetServerGetInfo API call.\r\nWhen we dive into the call of “Check_If_Server_Or_Not” we see three arguments pushed into the call of NetServerGetInfo (bufptr, level, servername).\r\nThe first parameter contains 65h, which is equal to 101 in decimal (just search on Google “how much is 0x65 in decimal”).\r\nThe second one is empty, which means it is equal to 0.\r\nFrom MSDN: bufptr points to a SERVER_INFO_101 structure.\r\n** So 101 for me is the action where the malware returns the server name, type, and infrastructure. 
I recommend documenting this by inserting a comment (“;”).\r\nSource: https://docs.microsoft.com/en-us/windows/win32/api/lmserver/ns-lmserver-server_info_101\r\nConclusion \u0026 Activities:\r\n· Dropped files\r\n· Token impersonation\r\n· Network node enumeration\r\n· SMB copy and remote execution\r\n· SMBv1 exploitation via EternalBlue\r\n· Recon and write malware to admin$ on the remote target\r\n· MBR ransomware\r\n· Physical drive manipulation\r\n· MFT encryption\r\n· System shutdown\r\nSource: https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786"
	],
	"report_names": [
		"petya-not-petya-ransomware-9619cbbb0786"
	],
	"threat_actors": [],
	"ts_created_at": 1775438947,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44bcba68843f35ff4eda518182af595bc2d7419c.pdf",
		"text": "https://archive.orkl.eu/44bcba68843f35ff4eda518182af595bc2d7419c.txt",
		"img": "https://archive.orkl.eu/44bcba68843f35ff4eda518182af595bc2d7419c.jpg"
	}
}