SOFTWARE
Overview 3PARA RAT 4H RAT adbupd Adups ADVSTORESHELL Agent Tesla Agent.btz Allwinner Android Overlay Malware Android/Chuli.A ANDROIDOS_ANSERVER.A AndroRAT Arp ASPXSpy Astaroth at AuditCred AutoIt backdoor Azorult Backdoor.Oldrea BACKSPACE BADCALL BADNEWS BadPatch Bandook Bankshot BBSRAT BISCUIT Bisonal BITSAdmin BLACKCOFFEE BlackEnergy BONDUPDATER BOOTRASH BrainTest Brave Prince Briba BS2005 BUBBLEWRAP Cachedump CALENDAR Calisto CallMe Cannon Carbanak Carbon Cardinal RAT Catchamas CCBkdr certutil Chaos Charger ChChes Cherry Picker China Chopper CHOPSTICK CloudDuke cmd Cobalt Strike Cobian RAT CoinTicker Comnie ComRAT CORALDECK CORESHELL CosmicDuke CozyCar Crimson CrossRAT DarkComet Daserf DDKONG DealersChoice Dendroid Denis Derusbi Dipsind DOGCALL Dok Downdelph DownPaper DressCode DroidJack dsquery DualToy Duqu DustySky Dyre Ebury Elise ELMER Emissary Emotet Empire Epic EvilGrab Exaramel Expand FakeM FALLCHILL Felismus FELIXROOT Fgdump Final1stspy FinFisher Flame FLASHFLOOD FLIPSIDE Forfiles FruitFly FTP Gazer GeminiDuke gh0st RAT GLOOXMAIL Gold Dragon Gooligan GravityRAT GreyEnergy gsecdump H1N1 Hacking Team UEFI Rootkit HALFBAKED HAMMERTOSS HAPPYWORK HARDRAIN Havij hcdLoader HDoor Helminth Hi-Zor HIDEDRV Hikit HOMEFRY HOPLIGHT HTRAN HTTPBrowser httpclient HummingBad HummingWhale Hydraq ifconfig iKitten Impacket InnaputRAT InvisiMole Invoke-PSImage ipconfig ISMInjector Ixeshe Janicab JHUHUGIT JPIN jRAT Judy KARAE Kasidet Kazuar Keydnap KEYMARBLE KeyRaider Koadic Komplex KOMPROGO KONNI Kwampirs LaZagne Linfo Linux Rabbit LockerGoga LOWBALL Lslsass Lurid MacSpy Marcher Matroyshka MazarBOT meek Micropsia Mimikatz MimiPenguin Miner-C MiniDuke MirageFox Mis-Type Misdat Mivast MobileOrder MoonWind More_eggs Mosquito MURKYTOP Naid NanHaiShu NanoCore NavRAT nbtstat NDiskMonitor Nerex Net Net Crawler NETEAGLE netsh netstat NetTraveler NETWIRE Nidiran Nltest NOKKI NotCompatible NotPetya OBAD OceanSalt Octopus OLDBAIT OldBoot Olympic Destroyer OnionDuke OopsIE Orz OSInfo OSX_OCEANLOTUS.D OwaAuth P2P ZeuS Pasam Pass-The-Hash Toolkit Pegasus for Android Pegasus for iOS PHOREAL PinchDuke Ping Pisloader PJApps PLAINTEE PlugX pngdowner PoisonIvy POORAIM PoshC2 POSHSPY Power Loader PowerDuke POWERSOURCE PowerSploit POWERSTATS POWERTON POWRUNER Prikormka Proton Proxysvc PsExec Psylo Pteranodon PUNCHBUGGY PUNCHTRACK Pupy pwdump QUADAGENT QuasarRAT RARSTONE RATANKBA RawDisk RawPOS RCSAndroid Reaver RedDrop RedLeaves Reg Regin Remcos Remexi RemoteCMD Remsec Responder RGDoor RIPTIDE ROCKBOOT RogueRobin ROKRAT route Rover RTM Ruler RuMMS RunningRAT S-Type Sakula SamSam schtasks SDelete SeaDuke Seasalt SEASHARPEE Shamoon ShiftyBug SHIPSHAPE SHOTPUT SHUTTERSPEED Skeleton Key Skygofree SLOWDRIFT Smoke Loader SNUGRIDE Socksbot SOUNDBITE SPACESHIP SpeakUp spwebmember SpyDealer SpyNote RAT sqlmap SslMM Starloader Stealth Mango StreamEx Sykipot SynAck Sys10 Systeminfo T9000 Taidoor Tangelo Tasklist TDTESS TEXTMATE TINYTYPHON TinyZBot Tor TrickBot Trojan-SMS.AndroidOS.Agent.ao Trojan-SMS.AndroidOS.FakeInst.a Trojan-SMS.AndroidOS.OpFake.a Trojan.Karagany Trojan.Mebromi Truvasys TURNEDUP Twitoor TYPEFRAME UACMe UBoatRAT Umbreon Unknown Logger UPPERCUT Uroburos USBStealer Vasport VERMIN Volgmer WannaCry WEBC2 Wiarp Windows Credential Editor WINDSHIELD WINERACK Winexe Wingbird WinMM Winnti Wiper WireLurker X-Agent for Android XAgentOSX Xbash Xbot xCmd XcodeGhost XLoader XTunnel YiSpecter yty Zebrocy ZergHelper Zeroaccess ZeroT Zeus Panda ZLib zwShell
  1. Home
  2. Software
  3. NotPetya

NotPetya

NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][1][2]

ID: S0368
Associated Software: GoldenEye, Petrwrap, Nyetya

Type: MALWARE
Platforms: Windows

Version: 1.0

Associated Software Descriptions

NameDescription
GoldenEye[1]
Petrwrap[1]
Nyetya[1]

Techniques Used

DomainIDNameUse
EnterpriseT1003Credential DumpingNotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[1][2][3]
EnterpriseT1486Data Encrypted for ImpactNotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[1][2]
EnterpriseT1210Exploitation of Remote ServicesNotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.[1][2]
EnterpriseT1070Indicator Removal on HostNotPetya uses wevtutil to clear the Windows event logs.[1]
EnterpriseT1036MasqueradingNotPetya drops PsExec with the filename dllhost.dat.[1]
EnterpriseT1085Rundll32NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.[1]
EnterpriseT1053Scheduled TaskNotPetya creates a task to reboot the system one hour after infection.[1]
EnterpriseT1035Service ExecutionNotPetya can use PsExec to help propagate itself across a network.[1][2]
EnterpriseT1195Supply Chain CompromiseNotPetya's initial infection vector for the June 27, 2017 compromise was a backdoor in the Ukrainian tax accounting software M.E.Doc.[1][2][4]
EnterpriseT1078Valid AccountsNotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.[1][2]
EnterpriseT1077Windows Admin SharesNotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.[1][2][5]
EnterpriseT1047Windows Management InstrumentationNotPetya can use wmic to help propagate itself across a network.[1][2]

References

  1. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  2. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  1. Maynor, D., Nikolic, A., Olney, M., and Younan, Y. (2017, July 5). The MeDoc Connection. Retrieved March 26, 2019.
  2. Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.