liranzoz/Malware-Analysis-Lab

GitHub: liranzoz/Malware-Analysis-Lab

Stars: 0 | Forks: 0

# 🧪 NotPetya Malware Analysis Lab

### Static & dynamic analysis of the 2017 NotPetya wiper in a fully isolated VM environment

[![Sample](https://img.shields.io/badge/Sample-NotPetya-critical?style=for-the-badge&logo=skull)](#) [![Platform](https://img.shields.io/badge/Platform-VMware-blue?style=for-the-badge&logo=vmware)](#) [![Sandbox](https://img.shields.io/badge/Sandbox-REMnux-orange?style=for-the-badge&logo=linux)](#) [![Victim](https://img.shields.io/badge/Victim-Windows%2010-lightgrey?style=for-the-badge&logo=windows)](#)
## 🔍 The Sample

NotPetya (June 2017) caused **~$10B** in global damage. It was initially seeded through a backdoored update to **M.E.Doc**, a Ukrainian accounting application, and spread laterally using **EternalBlue / EternalRomance** (the leaked NSA SMB exploits) plus **Mimikatz**-style credential theft.

It looked like ransomware. It was actually a **wiper** — files could never be decrypted, the "ransom" was a smokescreen.

| Property | Value |
|:---|:---|
| **File** | `nopetya.dll` — 32-bit DLL, console subsystem |
| **SHA-256** | `027CC450EF5F8C5F653329641EC1FED91F694E0D229928963B30F6B0D7D3A745` |
| **Language** | C / C++ |
| **Compiler** | Microsoft Visual C++ — Visual Studio 2010 (Rich header) |
| **Packer** | Generic — `.rsrc` section compressed (DIE heuristic, not UPX) |
| **Size / Sections** | ~362 KB · 6 sections, all with valid entropy |
| **Execution** | `rundll32.exe nopetya.dll,#1` (entry exported by ordinal) |
| **Signature** | Invalid — flagged by PEStudio |

## 🏗️ Lab Architecture

```text
┌───────────────────────────────┐         ┌───────────────────────────────┐
│   Windows 10 Victim VM        │         │   REMnux (Analysis VM)        │
│   ──────────────────────────  │         │   ──────────────────────────  │
│ • PEStudio, Process Explorer  │ ◄─────► │ • INetSim (fake internet)     │
│ • Procmon, Regshot            │  host-  │ • Wireshark capture           │
│ • Detonation target           │  only   │ • DNS / HTTP / SMTP sim       │
└───────────────────────────────┘         └───────────────────────────────┘
                ▲                                           ▲
                └────────── isolated from host ─────────────┘
```

## 🛠️ Lab Setup

### REMnux — Analysis Box

The de facto Linux distribution for reverse engineers. Here it acts as the **fake internet** — INetSim responds to every DNS, HTTP, HTTPS, SMTP, FTP and POP3 request the victim makes, so the malware *thinks* it's online without ever touching a real network.
*(Screenshots: REMnux VM hardware and options)*

**INetSim running — DNS, HTTP, SMTP, POP3, FTP, HTTPS all simulated**
### Windows 10 — Victim Box

The detonation target. Monitoring tools were installed *before* a clean snapshot was taken, so the malware can be triggered, observed, and the VM reverted to a clean state in seconds.
*(Screenshots: Windows 10 VM hardware and options)*
## 🧬 Static Analysis — *the imports tell the story*

Static analysis means examining the binary **without executing it**. PEStudio surfaced **38 indicators** before a single line of code ran. The import table alone exposes the entire playbook:

| Library | Notable APIs | What it reveals |
|:---|:---|:---|
| **DHCPSAPI** | `DhcpEnumSubnetClients`, `DhcpEnumSubnets` | Pull the DHCP client list → find every host on the LAN |
| **NETAPI32 / MPR** | `NetServerEnum`, `WNetAddConnection2W` | Enumerate machines, mount admin shares |
| **WS2_32** | `socket`, `connect`, `send`, `recv` | Raw sockets for network propagation |
| **ADVAPI32** | `AdjustTokenPrivileges`, `CreateProcessAsUserW` | Privilege escalation |
| **CRYPT32** | `CryptEncrypt`, `CryptGenKey` | The "ransomware" payload |

**Verdict:** a network worm carrying an encryption payload — not a simple file locker.
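The "Packer" and "Size / Sections" rows above rest on a per-section entropy check, the same heuristic DIE uses to call the `.rsrc` section compressed. The script below is an added example for this writeup, not the lab's own tooling: it walks the PE section table with the standard library only and reports the Shannon entropy of each section's raw bytes, flagging anything at or above a cut-off. The two-section PE32 image it analyzes is constructed in code so the script runs offline (pass a real path to `analyze_pe()` for actual use), and the 7.2 bits/byte threshold is an assumption of this example, not a value from the writeup.

```python
"""PE section walk with per-section Shannon entropy (packer / compression heuristic).

Added example, not the lab's own code. Standard library only; the sample
image and the PACKED_THRESHOLD cut-off are assumptions of this example.
"""
import hashlib
import math
import struct
from collections import Counter

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
PACKED_THRESHOLD = 7.2  # bits per byte; heuristic cut-off chosen for this example


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Yield (name, virtual_address, raw_offset, raw_size) for each section header."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt  # the section table follows the optional header
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vaddr, raw_ptr, raw_size


def analyze_image(image: bytes) -> dict:
    """Map section name -> (entropy rounded to 3 places, looks_packed flag)."""
    report = {}
    for name, _vaddr, raw_ptr, raw_size in parse_sections(image):
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        report[name] = (round(ent, 3), ent >= PACKED_THRESHOLD)
    return report


def analyze_pe(path: str) -> dict:
    with open(path, "rb") as fh:
        return analyze_image(fh.read())


def build_synthetic_pe(sections) -> bytes:
    """Constructed input: a minimal PE32 image from [(name, payload)] pairs (headers only, no code)."""
    size_opt, e_lfanew, align = 0xE0, 0x40, 0x200
    n = len(sections)
    headers_end = e_lfanew + 4 + 20 + size_opt + n * SECTION_HEADER_SIZE
    first_raw = (headers_end + align - 1) // align * align
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_opt, 0x2102)  # i386, 32-bit DLL
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, body, raw_ptr, vaddr = bytearray(), bytearray(), first_raw, 0x1000
    for name, payload in sections:
        raw_size = (len(payload) + align - 1) // align * align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += max(0x1000, raw_size)
    image = bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + bytes(table)
    return image.ljust(first_raw, b"\0") + bytes(body)


def pseudo_random_bytes(n: int, seed: bytes = b"lab") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for compressed data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


SAMPLE_IMAGE = build_synthetic_pe([
    (b".text", (b"mov eax, ebx; push ebp; " * 200)[:4096]),  # low entropy, code-like filler
    (b".rsrc", pseudo_random_bytes(4096)),                   # high entropy, packed-looking
])

if __name__ == "__main__":
    for name, (ent, packed) in analyze_image(SAMPLE_IMAGE).items():
        print(f"{name:<8} entropy={ent:.3f} {'PACKED?' if packed else 'ok'}")
```

The synthetic `.rsrc` section scores close to 8 bits/byte and is flagged, while the repetitive `.text` filler stays well under 5. On a real sample the interesting cases are the ones DIE also reports: a high-entropy section sitting next to otherwise normal code and data.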


## 💥 Dynamic Analysis — *detonation*

### 🧷 The `perfc` Marker
### ⏲️ Scheduled Reboot

A `shutdown.exe /r /f` task is queued ~10–60 minutes post-infection. The reboot is what triggers the **fake CHKDSK** screen while the MFT is silently encrypted. The user thinks Windows is repairing the disk; it is actually being destroyed.
### 🌐 Network Behavior — *lateral movement caught in the act*

NotPetya doesn't guess at targets — it **builds a hit-list**. It queries the local **DHCP server** (`DhcpEnumSubnets` / `DhcpEnumSubnetClients`) to pull every IP the network has handed out, then floods the subnet with **ARP requests** to confirm which hosts are alive. Wireshark caught the ARP storm within seconds of execution, followed by SMB-style traffic targeting any responder — the classic **EternalBlue / EternalRomance** lateral-movement pattern.

To authenticate against those hosts it dumps credentials from `lsass.exe` using a bundled **Mimikatz**-style module, then re-uses the stolen tokens with **PsExec** (dropped as `dllhost.dat`) and WMIC for remote execution. INetSim absorbed every outbound packet so nothing left the lab.
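The ARP storm Wireshark recorded is the easiest part of this behavior to turn into a detection. The script below is an added example for this writeup, not the lab's own code: it parses a little-endian pcap (Ethernet link type) with the standard library only, keeps every ARP request, and flags any sender that asks for more than a threshold of distinct targets inside a sliding time window. The capture it reads is constructed in code (one host probing an entire /24 in about two seconds, plus a quiet host asking for its gateway); the 10-second window and 30-target threshold are assumptions of this example.

```python
"""ARP-sweep detector over a pcap: the host-discovery burst described above, as detection logic.

Added example, not the lab's own code. The capture is constructed below and
WINDOW_SECONDS / SWEEP_THRESHOLD are assumed tuning values.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_P_ARP = 0x0806
ARP_REQUEST = 1
WINDOW_SECONDS = 10.0   # sliding window (assumed tuning value)
SWEEP_THRESHOLD = 30    # distinct targets per window before alerting (assumed)


def ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_requests(pcap: bytes):
    """Yield (timestamp, sender_ip, target_ip) for each ARP request frame in the capture."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
            continue  # not an ARP frame, or truncated
        # ARP: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        oper, _sha, spa, _tha, tpa = struct.unpack_from("!6xH6s4s6s4s", frame, 14)
        if oper == ARP_REQUEST:
            yield ts_sec + ts_usec / 1e6, ipv4(spa), ipv4(tpa)


def detect_arp_sweeps(requests, window=WINDOW_SECONDS, threshold=SWEEP_THRESHOLD) -> dict:
    """Return {sender_ip: peak distinct targets} for senders exceeding threshold in a window."""
    by_sender = defaultdict(list)
    for ts, sender, target in requests:
        by_sender[sender].append((ts, target))
    alerts = {}
    for sender, events in by_sender.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({t for _, t in events[start:end + 1]})
            if distinct >= threshold:
                alerts[sender] = max(alerts.get(sender, 0), distinct)
    return alerts


def arp_request_frame(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed Ethernet + ARP request frame (broadcast destination)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      sender_mac, sender_ip, b"\0" * 6, target_ip)
    return eth + arp


def build_pcap(frames) -> bytes:
    """frames: iterable of (timestamp, frame_bytes) -> pcap file bytes (constructed input)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame))
        out += frame
    return bytes(out)


def sample_capture() -> bytes:
    """Constructed: 10.0.0.5 probes every other host in 10.0.0.0/24 in ~2 s; 10.0.0.20 asks for the gateway twice."""
    scanner, quiet = b"\x00\x0c\x29\xaa\xbb\xcc", b"\x00\x0c\x29\x11\x22\x33"
    frames = [(1000.0 + i * 0.008, arp_request_frame(scanner, bytes([10, 0, 0, 5]), bytes([10, 0, 0, i])))
              for i in range(1, 255) if i != 5]
    frames += [(1000.5, arp_request_frame(quiet, bytes([10, 0, 0, 20]), bytes([10, 0, 0, 1]))),
               (1001.5, arp_request_frame(quiet, bytes([10, 0, 0, 20]), bytes([10, 0, 0, 1])))]
    return build_pcap(frames)


if __name__ == "__main__":
    for sender, peak in detect_arp_sweeps(parse_arp_requests(sample_capture())).items():
        print(f"ARP sweep from {sender}: {peak} distinct targets within {WINDOW_SECONDS:.0f}s")
```

Only the sweeping host trips the rule; the quiet host's two requests for a single target never approach the threshold. On a real capture, feed `parse_arp_requests()` the bytes of the Wireshark file and tune the window and threshold to the size of the segment being monitored.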
### 🟦 The End State

Windows BSOD. Stop code `0xc0000350`. Disk is no longer recoverable.
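The process and command-line indicators collected in the IoC section below (the `rundll32 ... perfc.dat,#1` launch, the `schtasks` forced reboot, `wevtutil cl` log clearing, the `fsutil usn deletejournal` call and the renamed PsExec `dllhost.dat`) translate directly into host detections. The script below is an added example for this writeup, not part of the lab: it runs regex rules over process-creation records in the shape of Sysmon Event ID 1 fields (`Image`, `CommandLine`, optional `Hashes`), tags each hit with the ATT&CK technique the writeup maps it to, and compares any reported hash against the sample's hashes. The records are constructed; the hash on the second record is set to the writeup's SHA-256 purely to exercise the hash check.

```python
"""Host-IoC matcher for the NotPetya artifacts catalogued in this writeup.

Added example, not the lab's own code. Sample records are constructed;
field names follow Sysmon Event ID 1.
"""
import re

KNOWN_HASHES = {  # from the Hashes table (lower-cased for comparison)
    "sha256": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
    "sha1": "34f917aab5ab3dd83c81e11afe9f4d5dce1b47e1",
    "md5": "71b6a493388e7d0b40c83ce903bc6b04",
}

# (rule name, regex over "Image CommandLine", ATT&CK id as mapped in the writeup)
RULES = [
    ("perfc.dat launched via rundll32 ordinal #1",
     re.compile(r"rundll32(\.exe)?\s+\S*perfc\.dat\s*,\s*#1", re.I), "T1059"),
    ("scheduled forced reboot",
     re.compile(r"schtasks\s.*?/create\s.*shutdown\.exe\s+/r\s+/f", re.I), "T1529"),
    ("event-log clearing",
     re.compile(r"wevtutil\s+cl\s+(setup|system|security|application)", re.I), "T1070.001"),
    ("USN journal deletion",  # parent technique; the writeup itself lists only T1070.001
     re.compile(r"fsutil\s+usn\s+deletejournal\s+/d", re.I), "T1070"),
    ("renamed PsExec (dllhost.dat) execution",
     re.compile(r"\\windows\\dllhost\.dat\b", re.I), "T1021.002"),
]


def match_hashes(hashes: dict) -> list:
    """Return the hash algorithms whose value matches the analysed sample."""
    return [algo for algo, value in hashes.items()
            if KNOWN_HASHES.get(algo.lower()) == value.lower()]


def match_event(event: dict) -> list:
    """Return [(rule_name, technique_or_None)] for one process-creation record."""
    text = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    hits = [(name, tech) for name, rx, tech in RULES if rx.search(text)]
    for algo in match_hashes(event.get("Hashes", {})):
        hits.append((f"known NotPetya sample hash ({algo})", None))
    return hits


def scan(events: list) -> list:
    """Flatten alerts across records: (record index, host, rule, technique)."""
    return [(i, ev.get("Computer", "?"), name, tech)
            for i, ev in enumerate(events) for name, tech in match_event(ev)]


def techniques_seen(alerts: list) -> list:
    """Sorted ATT&CK ids present in a list of alerts (hash-only hits carry none)."""
    return sorted({tech for *_, tech in alerts if tech})


# Constructed records; the /ST time and host names are made up for the example.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Computer": "WS-01", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\perfc.dat,#1",
     "Hashes": {"SHA256": "027CC450EF5F8C5F653329641EC1FED91F694E0D229928963B30F6B0D7D3A745"}},
    {"Computer": "WS-01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"Computer": "WS-01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                    r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"Computer": "WS-07", "Image": r"C:\Windows\dllhost.dat",
     "CommandLine": r"C:\Windows\dllhost.dat \\WS-07 rundll32.exe C:\Windows\perfc.dat,#1"},
]

if __name__ == "__main__":
    for idx, host, rule, tech in scan(SAMPLE_EVENTS):
        print(f"[{host}] record {idx}: {rule} ({tech or 'hash IoC'})")
```

The benign `svchost.exe` record produces nothing; the other four yield seven alerts between them, and the combined technique list lines up with the Mapped TTPs section. The rules key on the argument shapes rather than on exact strings, so the elided task name and start time in the IoC list do not matter to the match.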
## 🎯 Indicators of Compromise

#### 🧮 Hashes

| Hash | Value |
|:---|:---|
| **SHA-256** (analyzed sample) | `027CC450EF5F8C5F653329641EC1FED91F694E0D229928963B30F6B0D7D3A745` |
| **SHA-1** | `34F917AAB5AB3DD83C81E11AFE9F4D5DCE1B47E1` |
| **MD5** | `71B6A493388E7D0B40C83CE903BC6B04` |

#### 📁 Host artifacts

| Artifact | Purpose |
|:---|:---|
| `C:\Windows\perfc` (0-byte) | Self kill-switch marker — vaccine vector |
| `C:\Windows\perfc.dat` | The DLL payload dropped to disk |
| `C:\Windows\dllhost.dat` | Renamed **PsExec** binary used for lateral movement |
| `C:\Windows\.tmp` | Dropped **Mimikatz**-style credential dumper |

#### ⚙️ Process & command lines

- `rundll32.exe C:\Windows\perfc.dat,#1` — primary execution vector
- `schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST ` — forced reboot
- `wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application` — wipes Windows event logs
- `fsutil usn deletejournal /D C:` — deletes the NTFS USN journal to hinder forensics

#### 🌐 Network

- **TCP/445 (SMB)** — EternalBlue (`CVE-2017-0144`) & EternalRomance (`CVE-2017-0145`) exploitation
- **TCP/139 (NetBIOS)** — secondary SMB transport
- **TCP/135 (RPC)** — WMI-based remote execution
- **ARP broadcasts** — local /24 host discovery (observed in Wireshark)
- **DHCP enumeration** — pulls neighboring subnet client lists

#### 💰 Ransom artifacts (theatre)

- **Bitcoin wallet:** `1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX`
- **Contact email:** `wowsmith123456@posteo.net` *(shut down within hours of the outbreak)*
- **Ransom demand:** $300 USD in BTC — payment was meaningless; the encryption key was never recoverable

#### 💥 Detonation evidence

| Signal | Value |
|:---|:---|
| **BSOD stop code** | `0xc0000350` |
| **Behavior post-reboot (UEFI)** | Endless reboot loop — no valid OS found |
| **Scheduled task observed** | `\Microsoft\Windows\...\shutdown.exe /r /f` |

## 🧭 Mapped TTPs (MITRE ATT&CK)

`T1059` Command & Scripting · `T1134` Token Manipulation · `T1018` Remote System Discovery · `T1210` Exploitation of Remote Services · `T1021.002` SMB / Admin Shares · `T1003` OS Credential Dumping · `T1070.001` Clear Windows Event Logs · `T1486` Data Encrypted for Impact · `T1485` Data Destruction · `T1529` System Shutdown / Reboot · `T1561.002` Disk Structure Wipe

## 🧰 Skills & Tooling
![VMware](https://img.shields.io/badge/VMware-607078?style=flat&logo=vmware&logoColor=white) ![REMnux](https://img.shields.io/badge/REMnux-FF6B00?style=flat&logo=linux&logoColor=white) ![Windows 10](https://img.shields.io/badge/Windows%2010-0078D6?style=flat&logo=windows&logoColor=white) ![PEStudio](https://img.shields.io/badge/PEStudio-1E1E1E?style=flat) ![DIE](https://img.shields.io/badge/Detect%20It%20Easy-2E7D32?style=flat) ![Ghidra](https://img.shields.io/badge/Ghidra-A41E22?style=flat) ![Wireshark](https://img.shields.io/badge/Wireshark-1679A7?style=flat&logo=wireshark&logoColor=white) ![Procmon](https://img.shields.io/badge/Procmon-005A9E?style=flat) ![INetSim](https://img.shields.io/badge/INetSim-0F4C81?style=flat) ![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-CC0000?style=flat)
**Lab engineering** · **PE static analysis** · **Disassembly / reversing (Ghidra)** · **Packer & compiler ID (DIE)** · **Behavioral / dynamic analysis** · **Network forensics** · **IOC extraction & ATT&CK mapping** · **Threat-intel writeup**
**Liran Zozulya** · [LinkedIn](LINKEDIN_URL_HERE) · [GitHub](GITHUB_URL_HERE)