GitHub: Aziz-ghraybia/NotPetya-Anatomy-of-a-Cyberweapon
# NotPetya: Anatomy of a Cyberweapon
A comprehensive academic and technical malware analysis of the NotPetya cyberattack, covering automated analysis, static reverse engineering, dynamic behavioral analysis, geopolitical context, and defensive countermeasures.
## Overview
This project presents a full-scale analysis of **NotPetya**, one of the most destructive cyberweapons ever deployed.
The report examines:
* The geopolitical background behind the attack
* The MEDoc supply-chain compromise
* EternalBlue exploitation (MS17-010 / CVE-2017-0144)
* Credential harvesting using Mimikatz
* Static malware reverse engineering
* Dynamic behavioral analysis in an isolated lab environment
* Incident response findings
* Detection engine comparisons
* Anti-forensics techniques
* Enterprise impact and recovery case studies
The analysis was performed for academic and educational purposes in a controlled environment.
## Report Structure
### Chapter 1 — Introduction & Theoretical Research
* Geopolitical context
* NotPetya classification
* MEDoc supply-chain compromise
* EternalBlue exploitation
* Mimikatz credential harvesting
* Propagation mechanisms
* Kill switch behavior
* Enterprise impact analysis
### Chapter 2 — Automated Analysis
#### Tools Used
* VirusTotal
* MetaDefender
* Hybrid-Analysis (Falcon Sandbox)
#### Focus Areas
* Detection comparison
* Sandbox behavioral indicators
* YARA rule matches
* Threat intelligence tagging
* Misclassification analysis (Petya vs NotPetya)
### Chapter 3 — Static Analysis
#### Tools Used
* PEStudio
* Detect It Easy (DIE)
* CFF Explorer
* Strings (Sysinternals)
* HxD
#### Focus Areas
* PE structure analysis
* Import mapping
* Encryption capabilities
* Embedded payloads
* API capability reconstruction
* Anti-analysis indicators
### Chapter 4 — Dynamic Analysis
#### Environment
* FlareVM isolated lab
#### Monitoring Tools
* Wireshark
* ProcMon
* Regshot
* Process Hacker
* FakeNet-NG
#### Focus Areas
* SMB propagation
* Process execution chains
* Registry destruction
* Scheduled task persistence
* File encryption behavior
* Network reconnaissance
### Chapter 5 — Aftermath & Countermeasures
* Global impact assessment
* Maersk recovery case study
* Attribution analysis
* Defensive recommendations
* Lessons learned
## Sample Information
| Property | Value |
| ------------- | ------------------------------------------------------------------ |
| SHA256 | `027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745` |
| MD5 | `71b6a493388e7d0b40c83ce903bc6b04` |
| Original Name | `perfc.dat` |
| File Type | PE32 DLL |
## Key Technical Findings
* NotPetya is a **wiper disguised as ransomware**
* No functional decryption mechanism exists
* Uses multiple propagation vectors simultaneously:
  * EternalBlue
  * WMIC
  * PsExec
* Performs:
  * MBR overwrite
  * MFT encryption
  * Anti-forensics log wiping
  * Credential harvesting via Mimikatz
* Capable of lateral movement even on patched systems using stolen credentials
## Skills Demonstrated
* Malware Analysis
* Reverse Engineering
* Static Analysis
* Dynamic Analysis
* Threat Intelligence
* Windows Internals
* Network Traffic Analysis
* Incident Response
* Digital Forensics
* Cyber Threat Research
## Disclaimer
This repository is intended strictly for:
* Academic research
* Malware analysis education
* Defensive cybersecurity training
No malware binaries are distributed in this repository.
All analysis was conducted inside isolated environments.
## Author
**Mohamed Aziz Ghraybia**
Cybersecurity Student — Tekup University