SYMBOLCOMMON_NAMEaka. SYNONYMS
win.eternal_petya (Back to overview)

EternalPetya

aka: ExPetr, Pnyetya, Petna, NotPetya, Nyetya, NonPetya, nPetya, Diskcoder.C, BadRabbit

Actor(s): TeleBots, Sandworm

There is no description at this point.

References
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-04Stranded on Pylos BlogJoe Slowik
@online{slowik:20201104:enigmatic:c2d7b4e, author = {Joe Slowik}, title = {{The Enigmatic Energetic Bear}}, date = {2020-11-04}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/}, language = {English}, urldate = {2020-11-06} } The Enigmatic Energetic Bear
EternalPetya Havex RAT
2020-10-19CyberScoopTim Starks
@online{starks:20201019:us:d77b8f8, author = {Tim Starks}, title = {{US charges Russian GRU officers for NotPetya, other major hacks}}, date = {2020-10-19}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/}, language = {English}, urldate = {2020-10-19} } US charges Russian GRU officers for NotPetya, other major hacks
EternalPetya
2020-10-19UK GovernmentForeignCommonwealth & Development Office, Dominic Raab
@online{office:20201019:uk:7ead390, author = {ForeignCommonwealth & Development Office and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
elf.vpnfilter BlackEnergy EternalPetya Industroyer
2020-10-19WiredAndy Greenberg
@online{greenberg:20201019:us:89aec2c, author = {Andy Greenberg}, title = {{US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit}}, date = {2020-10-19}, organization = {Wired}, url = {https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/}, language = {English}, urldate = {2020-10-19} } US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit
EternalPetya Olympic Destroyer
2020-10-19Riskint BlogCurtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-08-29AguinetAdrien Guinet
@online{guinet:20200829:emulating:45c0c16, author = {Adrien Guinet}, title = {{Emulating NotPetya bootloader with Miasm}}, date = {2020-08-29}, organization = {Aguinet}, url = {https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html}, language = {English}, urldate = {2020-09-04} } Emulating NotPetya bootloader with Miasm
EternalPetya
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-29Atlantic CouncilTrey Herr, June Lee, William Loomis, Stewart Scott
@techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain
EternalPetya GoldenSpy Kwampirs Stuxnet
2020-06-21GVNSHTNGavin Ashton
@online{ashton:20200621:maersk:5121522, author = {Gavin Ashton}, title = {{Maersk, me & notPetya}}, date = {2020-06-21}, organization = {GVNSHTN}, url = {https://gvnshtn.com/maersk-me-notpetya/}, language = {English}, urldate = {2020-08-18} } Maersk, me & notPetya
EternalPetya
2020-06-09Kaspersky LabsCostin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2018-10-11ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2018-01-13The Washington PostEllen Nakashima
@online{nakashima:20180113:russian:fce58a2, author = {Ellen Nakashima}, title = {{Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes}}, date = {2018-01-13}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html}, language = {English}, urldate = {2020-01-06} } Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes
EternalPetya
2017-10-27F-SecureF-Secure Global
@online{global:20171027:big:916374a, author = {F-Secure Global}, title = {{The big difference with Bad Rabbit}}, date = {2017-10-27}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/}, language = {English}, urldate = {2020-01-07} } The big difference with Bad Rabbit
EternalPetya
2017-10-26FireEyeBarry Vengerik, Ben Read, Brian Mordosky, Christopher Glyer, Ian Ahl, Matt Williams, Michael Matonis, Nick Carr
@online{vengerik:20171026:backswing:3aab9cf, author = {Barry Vengerik and Ben Read and Brian Mordosky and Christopher Glyer and Ian Ahl and Matt Williams and Michael Matonis and Nick Carr}, title = {{BACKSWING - Pulling a BADRABBIT Out of a Hat}}, date = {2017-10-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html}, language = {English}, urldate = {2019-12-20} } BACKSWING - Pulling a BADRABBIT Out of a Hat
EternalPetya
2017-10-26Reversing LabsNone
@online{none:20171026:reversinglabs:d3543db, author = {None}, title = {{ReversingLabs' YARA rule detects BadRabbit encryption routine specifics}}, date = {2017-10-26}, organization = {Reversing Labs}, url = {https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html}, language = {English}, urldate = {2019-10-17} } ReversingLabs' YARA rule detects BadRabbit encryption routine specifics
EternalPetya
2017-10-25RiskIQYonathan Klijnsma
@online{klijnsma:20171025:down:8d41ef5, author = {Yonathan Klijnsma}, title = {{Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection}}, date = {2017-10-25}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/badrabbit/}, language = {English}, urldate = {2020-01-10} } Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection
EternalPetya
2017-10-24ESET ResearchEditor
@online{editor:20171024:kiev:b706a68, author = {Editor}, title = {{Kiev metro hit with a new variant of the infamous Diskcoder ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer}, language = {English}, urldate = {2019-11-14} } Kiev metro hit with a new variant of the infamous Diskcoder ransomware
EternalPetya
2017-10-24ESET ResearchMarc-Etienne M.Léveillé
@online{mlveill:20171024:bad:5653a57, author = {Marc-Etienne M.Léveillé}, title = {{Bad Rabbit: Not‑Petya is back with improved ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/}, language = {English}, urldate = {2019-07-11} } Bad Rabbit: Not‑Petya is back with improved ransomware
EternalPetya TeleBots
2017-10-24Cisco TalosNick Biasini
@online{biasini:20171024:threat:7bd8515, author = {Nick Biasini}, title = {{Threat Spotlight: Follow the Bad Rabbit}}, date = {2017-10-24}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/bad-rabbit.html}, language = {English}, urldate = {2019-12-10} } Threat Spotlight: Follow the Bad Rabbit
EternalPetya
2017-10-24Kaspersky LabsOrkhan Mamedov, Fedor Sinitsyn, Anton Ivanov
@online{mamedov:20171024:bad:3c21717, author = {Orkhan Mamedov and Fedor Sinitsyn and Anton Ivanov}, title = {{Bad Rabbit ransomware}}, date = {2017-10-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/bad-rabbit-ransomware/82851/}, language = {English}, urldate = {2019-12-20} } Bad Rabbit ransomware
EternalPetya
2017-10-24WiredAndy Greenberg
@online{greenberg:20171024:new:5359735, author = {Andy Greenberg}, title = {{New Ransomware Linked to NotPetya Sweeps Russia and Ukraine}}, date = {2017-10-24}, organization = {Wired}, url = {https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/}, language = {English}, urldate = {2020-01-06} } New Ransomware Linked to NotPetya Sweeps Russia and Ukraine
EternalPetya
2017-10-24IntezerJay Rosenberg
@online{rosenberg:20171024:notpetya:7146657, author = {Jay Rosenberg}, title = {{NotPetya Returns as Bad Rabbit}}, date = {2017-10-24}, organization = {Intezer}, url = {http://www.intezer.com/notpetya-returns-bad-rabbit/}, language = {English}, urldate = {2020-01-05} } NotPetya Returns as Bad Rabbit
EternalPetya
2017-09-19NCC GroupOllie Whitehouse
@online{whitehouse:20170919:eternalglue:c4348e0, author = {Ollie Whitehouse}, title = {{EternalGlue part one: Rebuilding NotPetya to assess real-world resilience}}, date = {2017-09-19}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/}, language = {English}, urldate = {2019-12-10} } EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
EternalPetya
2017-08-11ThreatpostTom Spring
@online{spring:20170811:ukrainian:eb4451f, author = {Tom Spring}, title = {{Ukrainian Man Arrested, Charged in NotPetya Distribution}}, date = {2017-08-11}, organization = {Threatpost}, url = {https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/}, language = {English}, urldate = {2020-01-05} } Ukrainian Man Arrested, Charged in NotPetya Distribution
EternalPetya
2017-07-14MalwarebytesMalwarebytes Labs
@online{labs:20170714:keeping:0759a8b, author = {Malwarebytes Labs}, title = {{Keeping up with the Petyas: Demystifying the malware family}}, date = {2017-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/}, language = {English}, urldate = {2019-12-20} } Keeping up with the Petyas: Demystifying the malware family
EternalPetya GoldenEye PetrWrap Petya
2017-07-03The GuardianAlex Hern
@online{hern:20170703:notpetya:ba6bc6c, author = {Alex Hern}, title = {{'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher}}, date = {2017-07-03}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik}, language = {English}, urldate = {2019-07-11} } 'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher
EternalPetya
2017-07-03CrowdStrikeShaun Hurley, Karan Sood
@online{hurley:20170703:notpetya:1453645, author = {Shaun Hurley and Karan Sood}, title = {{NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery}}, date = {2017-07-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/}, language = {English}, urldate = {2019-12-20} } NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery
EternalPetya
2017-07-03G DataG Data
@online{data:20170703:who:7b53706, author = {G Data}, title = {{Who is behind Petna?}}, date = {2017-07-03}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna}, language = {English}, urldate = {2020-01-08} } Who is behind Petna?
EternalPetya
2017-06-30Kaspersky LabsGReAT
@online{great:20170630:from:d91b457, author = {GReAT}, title = {{From BlackEnergy to ExPetr}}, date = {2017-06-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-blackenergy-to-expetr/78937/}, language = {English}, urldate = {2019-12-20} } From BlackEnergy to ExPetr
EternalPetya
2017-06-30ESET ResearchAnton Cherepanov
@online{cherepanov:20170630:telebots:84aa93d, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/}, language = {English}, urldate = {2019-12-20} } TeleBots are back: Supply‑chain attacks against Ukraine
EternalPetya TeleBots
2017-06-30MalwarebytesMalwarebytes Labs
@online{labs:20170630:eternalpetya:122fb36, author = {Malwarebytes Labs}, title = {{EternalPetya – yet another stolen piece in the package?}}, date = {2017-06-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/}, language = {English}, urldate = {2019-12-20} } EternalPetya – yet another stolen piece in the package?
EternalPetya
2017-06-29Robert Graham
@online{graham:20170629:nonpetya:c470dd8, author = {Robert Graham}, title = {{NonPetya: no evidence it was a "smokescreen"}}, date = {2017-06-29}, url = {http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html}, language = {English}, urldate = {2020-01-07} } NonPetya: no evidence it was a "smokescreen"
EternalPetya
2017-06-29MalwarebytesMalwarebytes Labs
@online{labs:20170629:eternalpetya:bdd5896, author = {Malwarebytes Labs}, title = {{EternalPetya and the lost Salsa20 key}}, date = {2017-06-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/}, language = {English}, urldate = {2019-12-20} } EternalPetya and the lost Salsa20 key
EternalPetya
2017-06-29Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20170629:ransomware:d2d7b40, author = {Catalin Cimpanu}, title = {{Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone}}, date = {2017-06-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/}, language = {English}, urldate = {2019-12-20} } Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone
EternalPetya
2017-06-29MicrosoftMicrosoft Defender ATP Research Team
@online{team:20170629:windows:f957ff3, author = {Microsoft Defender ATP Research Team}, title = {{Windows 10 platform resilience against the Petya ransomware attack}}, date = {2017-06-29}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/}, language = {English}, urldate = {2020-01-07} } Windows 10 platform resilience against the Petya ransomware attack
EternalPetya
2017-06-28Kaspersky LabsAnton Ivanov, Orkhan Mamedov
@online{ivanov:20170628:expetrpetyanotpetya:903b1fc, author = {Anton Ivanov and Orkhan Mamedov}, title = {{ExPetr/Petya/NotPetya is a Wiper, Not Ransomware}}, date = {2017-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/}, language = {English}, urldate = {2019-12-20} } ExPetr/Petya/NotPetya is a Wiper, Not Ransomware
EternalPetya
2017-06-28hacks4pancakes
@online{hacks4pancakes:20170628:why:8053178, author = {hacks4pancakes}, title = {{Why NotPetya Kept Me Awake (& You Should Worry Too)}}, date = {2017-06-28}, url = {https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/}, language = {English}, urldate = {2020-01-09} } Why NotPetya Kept Me Awake (& You Should Worry Too)
EternalPetya
2017-06-28CrowdStrikeFalcon Intelligence Team
@online{team:20170628:crowdstrike:e933e49, author = {Falcon Intelligence Team}, title = {{CrowdStrike Protects Against NotPetya Attack}}, date = {2017-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/}, language = {English}, urldate = {2019-12-20} } CrowdStrike Protects Against NotPetya Attack
EternalPetya
2017-06-27SANSBrad Duncan
@online{duncan:20170627:checking:23c2251, author = {Brad Duncan}, title = {{Checking out the new Petya variant}}, date = {2017-06-27}, organization = {SANS}, url = {https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/}, language = {English}, urldate = {2020-01-06} } Checking out the new Petya variant
EternalPetya
2017-06-27Kaspersky LabsGReAT
@online{great:20170627:schroedingers:43c7e28, author = {GReAT}, title = {{Schroedinger’s Pet(ya)}}, date = {2017-06-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/schroedingers-petya/78870/}, language = {English}, urldate = {2019-12-20} } Schroedinger’s Pet(ya)
EternalPetya
2017-06-27Medium thegrugqthegrugq
@online{thegrugq:20170627:pnyetya:45771f2, author = {thegrugq}, title = {{Pnyetya: Yet Another Ransomware Outbreak}}, date = {2017-06-27}, organization = {Medium thegrugq}, url = {https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4}, language = {English}, urldate = {2020-01-13} } Pnyetya: Yet Another Ransomware Outbreak
EternalPetya
Yara Rules
[TLP:WHITE] win_eternal_petya_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_eternal_petya_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bec 51 57 68000000f0 }
            // n = 4, score = 400
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   57                   | push                edi
            //   68000000f0           | push                0xf0000000

        $sequence_1 = { 68f0000000 6a40 ff15???????? 8bd8 }
            // n = 4, score = 400
            //   68f0000000           | push                0xf0
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_2 = { 57 68000000f0 6a18 33ff }
            // n = 4, score = 400
            //   57                   | push                edi
            //   68000000f0           | push                0xf0000000
            //   6a18                 | push                0x18
            //   33ff                 | xor                 edi, edi

        $sequence_3 = { 53 8d4644 50 53 6a02 }
            // n = 5, score = 400
            //   53                   | push                ebx
            //   8d4644               | lea                 eax, [esi + 0x44]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   6a02                 | push                2

        $sequence_4 = { 40 49 75f9 56 ff15???????? }
            // n = 5, score = 400
            //   40                   | inc                 eax
            //   49                   | dec                 ecx
            //   75f9                 | jne                 0xfffffffb
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_5 = { 53 6a21 8d460c 50 }
            // n = 4, score = 400
            //   53                   | push                ebx
            //   6a21                 | push                0x21
            //   8d460c               | lea                 eax, [esi + 0xc]
            //   50                   | push                eax

        $sequence_6 = { 50 8d8594f9ffff 50 894dac }
            // n = 4, score = 300
            //   50                   | push                eax
            //   8d8594f9ffff         | lea                 eax, [ebp - 0x66c]
            //   50                   | push                eax
            //   894dac               | mov                 dword ptr [ebp - 0x54], ecx

        $sequence_7 = { ff75f8 8945fc ff15???????? 56 56 6a02 56 }
            // n = 7, score = 300
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     
            //   56                   | push                esi
            //   56                   | push                esi
            //   6a02                 | push                2
            //   56                   | push                esi

        $sequence_8 = { ff7608 03c1 50 ff15???????? }
            // n = 4, score = 300
            //   ff7608               | push                dword ptr [esi + 8]
            //   03c1                 | add                 eax, ecx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_9 = { 0fb7044a 6685c0 7412 0fb7444584 66890c47 0fb7044a 66ff444584 }
            // n = 7, score = 300
            //   0fb7044a             | movzx               eax, word ptr [edx + ecx*2]
            //   6685c0               | test                ax, ax
            //   7412                 | je                  0x14
            //   0fb7444584           | movzx               eax, word ptr [ebp + eax*2 - 0x7c]
            //   66890c47             | mov                 word ptr [edi + eax*2], cx
            //   0fb7044a             | movzx               eax, word ptr [edx + ecx*2]
            //   66ff444584           | inc                 word ptr [ebp + eax*2 - 0x7c]

        $sequence_10 = { 83e001 89412c 8b4320 c7403001000000 }
            // n = 4, score = 300
            //   83e001               | and                 eax, 1
            //   89412c               | mov                 dword ptr [ecx + 0x2c], eax
            //   8b4320               | mov                 eax, dword ptr [ebx + 0x20]
            //   c7403001000000       | mov                 dword ptr [eax + 0x30], 1

        $sequence_11 = { 8b4d0c 0fb71441 8955f0 3bd3 0f862fffffff 8b45cc }
            // n = 6, score = 300
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   0fb71441             | movzx               edx, word ptr [ecx + eax*2]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   3bd3                 | cmp                 edx, ebx
            //   0f862fffffff         | jbe                 0xffffff35
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]

        $sequence_12 = { 2bc1 d1f8 8d440002 50 6a08 ffd6 50 }
            // n = 7, score = 300
            //   2bc1                 | sub                 eax, ecx
            //   d1f8                 | sar                 eax, 1
            //   8d440002             | lea                 eax, [eax + eax + 2]
            //   50                   | push                eax
            //   6a08                 | push                8
            //   ffd6                 | call                esi
            //   50                   | push                eax

        $sequence_13 = { 83e001 894304 8bc2 83e003 83e800 }
            // n = 5, score = 300
            //   83e001               | and                 eax, 1
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   8bc2                 | mov                 eax, edx
            //   83e003               | and                 eax, 3
            //   83e800               | sub                 eax, 0

        $sequence_14 = { 75f5 2bcf d1f9 8d1409 8bce 85d2 }
            // n = 6, score = 200
            //   75f5                 | jne                 0xfffffff7
            //   2bcf                 | sub                 ecx, edi
            //   d1f9                 | sar                 ecx, 1
            //   8d1409               | lea                 edx, [ecx + ecx]
            //   8bce                 | mov                 ecx, esi
            //   85d2                 | test                edx, edx

        $sequence_15 = { 50 ffd6 85c0 0f8480000000 8b95f4fdffff 8d8df8fdffff }
            // n = 6, score = 200
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8480000000         | je                  0x86
            //   8b95f4fdffff         | mov                 edx, dword ptr [ebp - 0x20c]
            //   8d8df8fdffff         | lea                 ecx, [ebp - 0x208]

    condition:
        7 of them and filesize < 851968
}
[TLP:WHITE] win_eternal_petya_w0   (20171222 | No description)
rule win_eternal_petya_w0 {

    meta:
        author = "ReversingLabs"
        date = "2017-11-29"
        source = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html"
        info = "ReversingLabs' YARA rule detects BadRabbit encryption routine specifics."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya"
        malpedia_version = "20171222"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    
    strings:
        $encrypt_file = { 55 8B EC 83 EC ?? 53 56 57 8B 7D ?? 8B 4F ?? 33 DB 8D 45 ?? 50 53 53 51 89 5D ?? 89  5D ?? 89 5D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 53 53 6A ?? 53 53  68 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 8D  4D ?? 51 57 8B CE E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 39 5D ?? 0F 84 ??  ?? ?? ?? 39 5D ?? 0F 84 ?? ?? ?? ?? 8D 55 ?? 52 56 FF 15 ?? ?? ?? ?? 8B 4F ?? 8B 45  ?? 83 C1 ?? 2B C1 19 5D ?? 89 45 ?? 89 5D ?? 78 ?? 7F ?? 3D ?? ?? ?? ?? 76 ?? B8 ??  ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? 53 50 53 6A ?? 53 8B F8 56 89 45 ?? 89 7D ?? FF  15 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 8B 55 ?? 52 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ??  8B F8 85 FF 74 ?? 8B 4D ?? 8B 55 ?? 8D 45 ?? 50 57 6A ?? 51 6A ?? 52 FF 15 ?? ?? ??  ?? 85 C0 74 ?? 8B 45 ?? 50 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 68 ?? ?? ?? ?? E8 ?? ??  ?? ?? 83 C4 ?? 57 FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 7D ?? 8B 45 ?? 3B C7 73  ?? 2B F8 EB ?? 33 FF 8B 55 ?? 8B 42 ?? 8D 4C 38 ?? 6A ?? 51 E8 ?? ?? ?? ?? 8B 7D ??  83 C4 ?? 33 DB 56 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 39 5D ?? 74 ?? 39  5D ?? 75 ?? 8B 47 ?? 8B 35 ?? ?? ?? ?? 50 FF D6 8B 7F ?? 3B FB 74 ?? 57 FF D6 5F 5E  5B 8B E5 5D C3 }

        $main_encrypt = { 55 8B EC 56 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 75 ?? 89 46 ?? 85 C0 0F 84  ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 7E ?? 57 FF  D3 85 C0 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 6A ?? 6A ?? 6A ?? 6A ?? 57 FF  D3 85 C0 74 ?? 8B 07 8D 5E ?? 53 50 8B 46 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B  C6 E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 56 8D 4E ?? 6A ?? 51 E8 ??  ?? ?? ?? 8B 56 ?? 83 C4 ?? 52 FF 15 ?? ?? ?? ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ?? 8B 0B  51 FF 15 ?? ?? ?? ?? 8B 17 6A ?? 52 FF 15 ?? ?? ?? ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ??  5F 5B B9 ?? ?? ?? ?? 8D 46 ?? 8B FF C6 00 ?? 40 49 75 ?? 56 FF 15 ?? ?? ?? ?? 33 C0  5E 5D C2 ?? ?? }

        $encryption_loop = { 8B 7C 24 ?? 6A ?? 6A ?? 8D 43 ?? 50 33 C0 39 43 ?? 0F 95 C0 40 50 FF 15 ?? ?? ?? ??  85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? B9 ??  ?? ?? ?? 8D 44 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ??  75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ??  ?? ?? B9 ?? ?? ?? ?? 8D 44 24 ?? 8D 64 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ??  66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83  D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 51 57 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ??  ?? ?? 85 C0 74 ?? 8B 44 24 ?? A8 ?? 74 ?? A9 ?? ?? ?? ?? 75 ?? 8D BC 24 ?? ?? ?? ??  E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 45 ?? 53 48 50 8B CF 51 E8 ?? ?? ?? ?? 83 C4 ?? EB ??  8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 8D 71 ?? 90 66 8B 11 83 C1 ?? 66 85 D2  75 ?? 2B CE D1 F9 8D 4C 4C ?? 3B C1 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D  94 24 ?? ?? ?? ?? 53 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 74 24 ?? 8D 44 24 ?? 50 56 FF 15  ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ??}

    condition:
        $encrypt_file and $main_encrypt and $encryption_loop 
}
Download all Yara Rules