thing about GoldenEye (and probably every Petya sample) #4
Comments
I remember some variants of Petya also encrypt files when they are unable to get Admin rights.

I've also checked BadRabbit (yet another Petya variant), but this one starts for a split second and closes; the same thing happens on an MBR system. After checking the sample on any.run, I noticed that it tries to contact some C2 servers which are throwing errors 400 and 403, I think that's why it doesn't encrypt any files. Edit: nvm, I restarted the Win10 VM, I got the ransom note and the test file is now encrypted (it leaves the original extension, only the file content is modified).

BadRabbit's infection routine takes a while, I managed to get it working in my VM just now, it drops the ransom note to the root drive.

Yea, I've also noticed that, but I don't know if the automatic repair boot-loop is intended behavior or something went wrong and it broke some system files, I was testing it on a clean Win10 VM.
I've noticed that when GoldenEye is started on a UEFI (or GUID Partition Table-based) system, it starts encrypting files with a random extension and creates a ransom note on the desktop:

YOUR_FILES_ARE_ENCRYPTED.TXT

That's because UEFI systems are using GPT instead of MBR. It's possible that it happens with every Petya sample, but I need to verify that.
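The comment above ties the sample's behaviour to the disk's partition style (classic MBR versus GPT). The following is an added example, not code from this repository or from anyone in the thread: it parses the first sector of a disk and reports whether the partition table is a classic MBR or the protective MBR that every GPT disk carries, which is the same distinction a triage script would make before deciding which behaviour of a Petya-family sample to expect. It uses only the standard MBR layout (partition table at byte 446, four 16-byte entries, 0x55AA signature, type 0xEE for the GPT protective entry); the two sample sectors are constructed inline so the script runs offline, and the function and variable names are my own.

```python
"""Classify a 512-byte boot sector as classic MBR, GPT protective MBR, or empty."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
GPT_PROTECTIVE = 0xEE       # partition type of the single protective entry on a GPT disk


def parse_partition_table(sector: bytes) -> list:
    """Return the four MBR partition entries as dicts (status, type, start LBA, size)."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("expected at least one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature; not an MBR sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # layout per entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, nsectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": nsectors})
    return entries


def classify_disk(sector: bytes) -> str:
    """'GPT' if a protective entry (0xEE) is present, 'MBR' if any real entry, else 'empty'."""
    entries = parse_partition_table(sector)
    if any(e["type"] == GPT_PROTECTIVE for e in entries):
        return "GPT"
    if any(e["type"] != 0 for e in entries):
        return "MBR"
    return "empty"


def build_sector(entries) -> bytes:
    """Assemble a constructed MBR sector from (status, type, lba_start, sectors) tuples.

    Used only to fabricate test input here; a real triage script would read the
    sector from the physical disk instead.
    """
    sector = bytearray(SECTOR_SIZE)
    for i, (status, ptype, lba_start, nsectors) in enumerate(entries[:4]):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, lba_start, nsectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples (not captured from any real machine):
# a bootable NTFS partition on a classic MBR disk, and the protective entry a GPT disk shows.
MBR_SAMPLE = build_sector([(0x80, 0x07, 2048, 204800)])
GPT_SAMPLE = build_sector([(0x00, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, sample in (("classic MBR", MBR_SAMPLE), ("UEFI/GPT", GPT_SAMPLE)):
        print(f"{name}: {classify_disk(sample)}")
```

On a Windows host the first sector comes from opening `\\.\PhysicalDrive0` read-only with administrative rights and reading 512 bytes; on Linux it is the first 512 bytes of `/dev/sda` (or the relevant device). A "GPT" result means the disk has no legacy bootloader for a sample to overwrite, which matches the observation above that the user-mode file-encryption path is what runs on such systems.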