{
	"id": "ea79e816-15ad-49f8-8a7e-0c14dbf7cc5d",
	"created_at": "2026-04-06T00:15:06.893864Z",
	"updated_at": "2026-04-10T03:21:47.986512Z",
	"deleted_at": null,
	"sha1_hash": "bf0cf2f5bd707b34e8009ef82406f2892a30fc80",
	"title": "Goldeneye Ransomware - the Petya/Mischa combo rebranded | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 656842,
	"plain_text": "Goldeneye Ransomware - the Petya/Mischa combo rebranded |\r\nMalwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2016-12-14 · Archived: 2026-04-05 17:16:42 UTC\r\nFrom March 2016 we’ve observed the evolution of an interesting low-level ransomware, Petya – you can read\r\nabout it here. The second version (green) Petya comes combined with another ransomware, packed in the same\r\ndropper – Mischa. The latter one was deployed as an alternative payload: in case the dropper was run without\r\nadministrator privileges and the low-level attack was impossible. This combo is slowly reaching its maturity – the\r\nauthors fixed bugs that allowed for decryption of the two earliest versions. Now, we are facing an outbreak of the\r\nfourth version – this time under a new name – Goldeneye, and, appropriately, a new, golden theme.\r\nIn this post we will take a look inside, in order to answer the question of whether or not any internal changes\r\nfollowed the external alterations.\r\nAnalyzed sample\r\ne068ee33b5e9cb317c1af7cecc1bacb5 – original sample (packed)\r\n08b079609c2a3a4deb4f11cf373f9278 – core.dll (dropper) // UPDATE: replaced with a fixed dump\r\n0cd94baa2dccc0e7c2008b7948cebfe3 – elevate_x86.dll\r\n54fb6dbad73eee5d8638c0869c35ed8f – elevate_x64.dll\r\ne5a2cc00d1ad8d409576bc6d24a346bd – Petya Golden (dump from the disk)\r\n435076f9c8900cbdfc48a15713b1c431 – Goldeneye Decrypter (original)\r\n// special thanks to @procrash\r\nDistribution\r\nCurrently Goldeneye is distributed by phishing e-mails, in campaigns targeting Germany. The same pattern of\r\ndistribution was observed in the first editions of Petya ransomware. Germany seems to be an environment familiar to\r\nthis ransomware author (who is probably a German native speaker) and his testing campaigns are always released\r\nin this country. 
However, the threat will probably go global again, as the affiliate program for other criminals is\r\ngoing to be released soon.\r\nBehavioural analysis\r\nAfter being run, the malware installs its copy in the %APPDATA% directory, under the name of a random\r\napplication found in the system:\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/\r\nPage 1 of 14\n\nThe installed copy is automatically executed and proceeds with malicious actions.\r\nIn the past, the dropper of Petya/Mischa used to trigger a UAC popup window. If the user agreed to run the\r\nsample as the Administrator, he/she was attacked by the low-level payload: Petya. Otherwise, the high-level\r\nMischa was deployed.\r\nIn the current case the model of the attack is different and looks more like the case of Satana ransomware.\r\nFirst, the high-level attack is deployed and the files are encrypted one by one. Then, the malware tries to bypass\r\nUAC and elevate its privileges on its own, in order to make the second attack, this time at low level: installing\r\nPetya at the beginning of the disk. The bypass works silently if the UAC is set to default or lower. In cases where\r\nthe UAC is set to max, the following window pops up repeatedly, till the user accepts the elevation:\r\nThe bypass technique used works on both 32-bit and 64-bit versions of Windows, up to Windows 8.1. On\r\nWindows 10, even if the UAC is set to default a popup is displayed – but not revealing the real name of the\r\ninfecting program, i.e.\r\nThe high-level part (former Mischa)\r\nOn the first stage of the attack, files are being encrypted one by one. 
The malware drops the\r\nfollowing note in TXT format:\r\nFiles that are encrypted are given random extensions:\r\nIf we have two files with the same plaintext they turn into two different ciphertexts – that indicates that each file\r\nis encrypted with a new key or a new initialization vector. The high entropy suggests AES in CBC mode.\r\nVisualization – original file vs encrypted one:\r\nThe low-level part (former Petya)\r\nThe second stage of infection is deployed after encrypting the files. The behavior of the second payload is no different\r\nthan in the previous versions of Petya. After the malware is deployed, the system crashes and starts with a fake\r\nCHKDSK. It pretends to be checking the disk for errors, but in reality it performs Master File Table encryption,\r\nusing Salsa20. After it is completed, we are facing a familiar blinking skull – this time in yellow/golden color:\r\nAfter pressing a key, we can see the screen with the ransom note:\r\nPage for the victim\r\nOn every edition all the pieces of the ransomware had a consistent theme. 
This time it is no different.\r\nThe page for the victim, hosted on a Tor-based site, comes in a theme very similar to the\r\nransomware itself:\r\nAfter paying the ransom, the victim is provided with a key to decrypt the first (bootlocker) stage and a decrypter\r\nto recover the files:\r\nThe decrypter requires a proper key in order to work:\r\nAffiliate program\r\nIn the past, the Petya/Mischa combo was available as RaaS (Ransomware as a Service). Following the\r\nchanges in the layout, the Twitter account associated with the criminal(s) behind the malware also\r\nchanged the theme of the profile, and updated the information about the affiliate program status:\r\nIt confirms that the actor behind Goldeneye, as well as the methods of redistributing it, didn’t change.\r\nInside\r\nThis ransomware is very complex, having multiple pieces that have already been described in our previous\r\narticles. That’s why, in this one we will focus only on the differences compared to the previous editions. Let’s\r\nstart from the core.dll, that is, the PE file that we get after unpacking the first layer.\r\nThe core.dll\r\nJust like in the previous versions, the main application is a DLL (core.dll), packed by various crypters and loaded\r\nby a technique known as Reflective Loader.\r\nIn the past Petya and Mischa were two separate modules delivered by this DLL. The dropper was deciding which\r\none of them to deploy by making an attempt to run the sample with Administrator privileges – no UAC bypass\r\nwas used, only social engineering. 
Now, however, it comes with two DLLs that perform UAC bypass – one for the 32\r\nbit and another for the 64 bit variant of Windows. It decides which one to deploy based on the detected architecture.\r\nThe internal logic of this module changed a bit. There is no separate Mischa.dll. Instead, the core.dll covers the\r\nfunctionality of encrypting files as well as of installing the disk locker afterwards. The payloads are XOR encrypted\r\nand stored in the last section of the PE file (.xxxx):\r\nSection .xxxx contains:\r\nthe low level part (former Petya)\r\n32 bit DLL (elevate_x86.dll)\r\n64 bit DLL (elevate_x64.dll)\r\n(The two DLLs used for UAC bypass are based on a technique similar to the one described here.)\r\nAt first run, the core module makes its own copy into %APPDATA% and applies some tricks to blend into the\r\nenvironment:\r\nChoosing the application name at random, out of various applications in the System folder\r\nChanging its own timestamp to the timestamp of Kernel32.dll (the so-called “timestomping” technique).\r\nAdding to its resources the resources of the genuine Microsoft application under whose name it is installed:\r\nResult:\r\nSome of those tricks remind us of Cerber ransomware and they were probably inspired by it.\r\nThen, the dropper deploys the installed copy and proceeds with encryption.\r\nThe file cryptor (former Mischa)\r\nThe file cryptor feature is now implemented inside the core.dll.\r\nIt behaves similarly to the former Mischa ransomware – the only difference is that now it is employed before the\r\nlow-level attack, rather than being an alternative.\r\nAttacked targets\r\nFiles with the following extensions are attacked:\r\ndoc docx docm odt ods odp odf odc odm odb xlsm xlsb xlk xls xlsx pps 
ppt pptm pptx pub epub pdf jpg\r\nEncryption\r\nFiles are read in chunks, each 1024 bytes long. Then, they are processed by the built-in implementation of AES.\r\nThe easiest way to analyze the encryption algorithm used is by reversing the original decrypter, provided by the\r\nransomware author to victims that paid the ransom. The decrypter is written in .NET and not obfuscated.\r\nLooking at the decrypter code we can confirm that each file is encrypted using AES in CBC mode. The AES key\r\nis 32 bytes long, and it is taken from the beginning of the SHA512 hash of the password.\r\nThe initialisation vector is random for every file and it is stored in the file’s content:\r\nThe disk locker (former Petya)\r\nThis part of the Goldeneye ransomware is written at the beginning of the disk and is independent from the\r\noperating system. It is made up of a bootloader and a tiny, 16-bit kernel. At the very first sight we\r\ncan suspect that it is nothing more than a refactored Petya. That’s why, for simplicity, I will refer to\r\nthis part as Petya Goldeneye.\r\nIndeed, comparing the current edition with Petya 3 (described here) we can see that the encryption algorithm and\r\nthe codebase haven’t changed. Yet, we can spot some differences.\r\nEncryption\r\nAll versions of Petya use Salsa20 to encrypt the MFT. 
In the current edition, the implementation of Salsa20 is\r\nidentical to the one in the former version.\r\nSee the BinDiff screenshot below – Petya Goldeneye vs Petya 3:\r\nWe can safely assume that, just like in the previous case, Salsa20 has been implemented correctly – meaning that this\r\nedition of Petya is not decryptable by external tools.\r\nWhat has changed in the code?\r\nAlthough the main parts of the code didn’t change, we can still notice that some refactoring has taken place:\r\nThe most important changes are about the way in which the encryption/decryption is applied. The author added\r\nmore checks and simplified the decryption function. Yet, the changes are about improving the code quality\r\nrather than introducing new ideas.\r\nLayout\r\nJust like in the previous cases, Petya’s code is written at the beginning of the disk – however, now the layout is\r\nmore compact. The code of Petya’s kernel starts just after the MBR, without any padding. Due to this, other important\r\nsectors are also shifted. For example, the data sector, where the random Salsa key is saved*, is now placed in\r\nsector 32:\r\n* just like in all previous editions, this key is erased after use. Read more about the full procedure here.\r\nSumming up, all the sectors are shifted towards the beginning of the disk.\r\nData sector:\r\nPetya3: 54\r\nPetya Goldeneye: 32\r\nVerification sector:\r\nPetya3: 55\r\nPetya Goldeneye: 33\r\nOriginal MBR (xored with 7)\r\nPetya3: 56\r\nPetya Goldeneye: 34\r\nConclusion\r\nGoldeneye ransomware is yet another step in the development of the Petya/Mischa bundle. The redesigned\r\ndropper coupled both elements together in a new way that makes it even more dangerous. 
At the current stage the\r\nproduct doesn’t seem decryptable by external tools. We strongly advise being very vigilant about opening e-mail\r\nattachments, because this is still the main way of distribution of this ransomware.\r\nDuring the tests, Malwarebytes has proven to protect against the malicious payloads attached to Goldeneye\r\nphishing e-mails:\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest\r\nin InfoSec. She loves going into details about malware and sharing threat information with the community. Check\r\nher out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/"
	],
	"report_names": [
		"goldeneye-ransomware-the-petyamischa-combo-rebranded"
	],
	"threat_actors": [],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf0cf2f5bd707b34e8009ef82406f2892a30fc80.pdf",
		"text": "https://archive.orkl.eu/bf0cf2f5bd707b34e8009ef82406f2892a30fc80.txt",
		"img": "https://archive.orkl.eu/bf0cf2f5bd707b34e8009ef82406f2892a30fc80.jpg"
	}
}