NotPetya\Petya : Overwriting System MBR

This post will cover technical details of how NotPetya\Petya overwrite system MBR and copy its own custom boot loader to encrypt Master File Table Data run lists clusters.

NotPetya\Petya has its own MBR and custom code (called by its MBR) embedded in its binary.

Below instruction copies MBR bytes in NotPetya\Petya binary to memory allocated by HeapAlloc API.

MBR bytes in NotPetya\Petya binary.
MBR bytes

Below instruction copies custom code bytes in NotPetya\Petya binary to memory allocated by HeapAlloc API.Size of custom code is 0x22B1(dwBytes).

Custom code bytes in NotPetya\Petya binary.
custom loader bytes

Before overwriting system MBR bytes it copies below information from System MBR into its own MBR bytes it copied to memory.
1.Disk Signature
2.Partition Table entries.

Below is the set of instructions performing above operation.

Next step is to overwrite System MBR with its own MBR and custom code.

Size of MRB is 0x200 bytes and size of custom code is 0x22B1.Adding 0x22B1 + 0x200 = 0x24B1.Because of sector alignment which is 0x200 bytes total 0x2600 bytes overwritten which is (0x2600/0x200) 0x13 (19) sectors. Therefore MBR and custom code take first 19 sectors of Hard Disk Drive.

Below is the set of instruction performing above operation

Generate 32 byte Salsa20 key and 8 byte nonce using CryptGenRandom Windows API.

Generate user-id using CryptGenRandom windows API and Base58 encoding.
Generate random bytes using CryptGenRandom API.

Base58 character string.

Applying Base58 encoding to above random bytes to generate user id.

Harded coded Bitcoin address in binary.

Write Salsa20 key,nonce,Bitcoin address and userid to sector 32.

Write 0x7 value 0x200 times to sector 33.

xor system MBR bytes with key 0x7.

Write encrypted system MBR to sector 34.

Lets use dd utility to dump first 34 sectors of disk to view content of sectors overwritten by NotPetya\Petya.
command to dump first 34 sectors.
dd.exe if=\\?\Device\Harddisk0\DR0 of=system_mbr_sectors_34 bs=512 count=34 --size --progess

Sector 0 : Overwritten MBR

Sector 1-19 : Custom code

Sector 32 : Salsa20 key, nonce,user id,Bitcoin address

Sector 33 : 0x7 value 0x200 times.

Sector 34 : Encrypted System MBR (xored with key 0x7)


Popular posts from this blog

VIrtual Machine Detection Techniques

Debugging MBR : IDA Pro and Bochs Emulator

Analyzing ATM Malwares

DoublePulsar Backdoor

Google CTF 2017 : Android RE Challenge

Samsung CTF : Chicken or Egg Reversing Challenge

FireEye FLARE CTF 2017 : APK Challenge 8

FireEye FLARE CTF 2017 : PEWPEWBOAT Challenge 5

WannaCry Encryption Flow