SOFTWARE
Arp
at
cmd
Dok
FTP
Net
Orz
Reg
RTM
Tor
yty
SOFTWARE
1-9
A-B
Arp
at
C-D
cmd
Dok
E-F
FTP
G-H
I-J
K-L
M-N
Net
O-P
Orz
Q-R
Reg
RTM
S-T
Tor
U-V
W-X
Y-Z
yty
  1. Home
  2. Software
  3. NotPetya

NotPetya

NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][1][2]

ID: S0368
Associated Software: GoldenEye, Petrwrap, Nyetya
Type: MALWARE
Platforms: Windows
Version: 1.1

Associated Software Descriptions

Name Description
GoldenEye [1]
Petrwrap [1]
Nyetya [1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[1][2][3]
Enterprise T1486 Data Encrypted for Impact

NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[1][2]
Enterprise T1210 Exploitation of Remote Services

NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.[1][2]
Enterprise T1070 Indicator Removal on Host

NotPetya uses wevtutil to clear the Windows event logs.[1]
Enterprise T1036 Masquerading

NotPetya drops PsExec with the filename dllhost.dat.[1]
Enterprise T1085 Rundll32

NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.[1]
Enterprise T1053 Scheduled Task

NotPetya creates a task to reboot the system one hour after infection.[1]
Enterprise T1035 Service Execution

NotPetya can use PsExec to help propagate itself across a network.[1][2]
Enterprise T1195 Supply Chain Compromise

NotPetya's initial infection vector for the June 27, 2017 compromise was a backdoor in the Ukrainian tax accounting software M.E.Doc.[1][2][5]
Enterprise T1529 System Shutdown/Reboot

NotPetya will reboot the system one hour after infection.[1]
Enterprise T1078 Valid Accounts

NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.[1][2]
Enterprise T1077 Windows Admin Shares

NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.[1][2][4]
Enterprise T1047 Windows Management Instrumentation

NotPetya can use wmic to help propagate itself across a network.[1][2]

References

  1. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  2. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  1. Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.
  2. Maynor, D., Nikolic, A., Olney, M., and Younan, Y. (2017, July 5). The MeDoc Connection. Retrieved March 26, 2019.