win.petrwrap

PetrWrap


The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya at runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.

References
2017-07-14 | Malwarebytes | Malwarebytes Labs
@online{labs:20170714:keeping:0759a8b, author = {Malwarebytes Labs}, title = {{Keeping up with the Petyas: Demystifying the malware family}}, date = {2017-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/}, language = {English}, urldate = {2019-12-20} } Keeping up with the Petyas: Demystifying the malware family
EternalPetya GoldenEye PetrWrap Petya
2017-03-14 | Kaspersky Labs | Anton Ivanov, Fedor Sinitsyn
@online{ivanov:20170314:petrwrap:646653c, author = {Anton Ivanov and Fedor Sinitsyn}, title = {{PetrWrap: the new Petya-based ransomware used in targeted attacks}}, date = {2017-03-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } PetrWrap: the new Petya-based ransomware used in targeted attacks
PetrWrap
Yara Rules
[TLP:WHITE] win_petrwrap_auto (20230715 | Detects win.petrwrap.)
rule win_petrwrap_auto {
    // Auto-generated code-sequence rule for the win.petrwrap family (PetrWrap).
    // It matches on ten short x86 byte sequences ($sequence_0..$sequence_9)
    // extracted by YARA-Signator from the disassembly of Malpedia samples; the
    // per-byte disassembly below each string is documentation only.
    // Because the sequences come from a small number of samples (see the
    // DISCLAIMER), treat a hit as an indicator to be confirmed, not as a
    // standalone verdict.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.petrwrap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each "n = N, score = S" line gives the number of instructions in
        // the sequence and the score YARA-Signator assigned to it.
        $sequence_0 = { 8b4504 8954241c 3bc8 0f8de0000000 85c0 0f84d8000000 56 }
            // n = 7, score = 100
            //   8b4504               | mov                 eax, dword ptr [ebp + 4]
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx
            //   3bc8                 | cmp                 ecx, eax
            //   0f8de0000000         | jge                 0xe6
            //   85c0                 | test                eax, eax
            //   0f84d8000000         | je                  0xde
            //   56                   | push                esi

        $sequence_1 = { 0f85d9faffff ff4b04 394304 7feb b801000000 eb10 57 }
            // n = 7, score = 100
            //   0f85d9faffff         | jne                 0xfffffadf
            //   ff4b04               | dec                 dword ptr [ebx + 4]
            //   394304               | cmp                 dword ptr [ebx + 4], eax
            //   7feb                 | jg                  0xffffffed
            //   b801000000           | mov                 eax, 1
            //   eb10                 | jmp                 0x12
            //   57                   | push                edi

        $sequence_2 = { 48 89442430 85c0 0f8ef6000000 2bcb 894c2418 8b0b }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   85c0                 | test                eax, eax
            //   0f8ef6000000         | jle                 0xfc
            //   2bcb                 | sub                 ecx, ebx
            //   894c2418             | mov                 dword ptr [esp + 0x18], ecx
            //   8b0b                 | mov                 ecx, dword ptr [ebx]

        // In the sequences below, "??" bytes are wildcards: the 4-byte operand
        // of the call (e8), push (68) and mov edx (ba) instructions is left
        // open, presumably because it holds an address that differs between
        // builds or load locations; the disassembly column is blank for them.
        $sequence_3 = { be34000000 90 b808000000 e8???????? f20f110424 6a14 68???????? }
            // n = 7, score = 100
            //   be34000000           | mov                 esi, 0x34
            //   90                   | nop                 
            //   b808000000           | mov                 eax, 8
            //   e8????????           |                     
            //   f20f110424           | movsd               qword ptr [esp], xmm0
            //   6a14                 | push                0x14
            //   68????????           |                     

        $sequence_4 = { 33ed 8d9b00000000 8d7c2441 03fd 03f7 8a27 0fb60c16 }
            // n = 7, score = 100
            //   33ed                 | xor                 ebp, ebp
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   8d7c2441             | lea                 edi, [esp + 0x41]
            //   03fd                 | add                 edi, ebp
            //   03f7                 | add                 esi, edi
            //   8a27                 | mov                 ah, byte ptr [edi]
            //   0fb60c16             | movzx               ecx, byte ptr [esi + edx]

        $sequence_5 = { c1e206 03148580db4600 eb05 ba???????? f6422480 7415 e8???????? }
            // n = 7, score = 100
            //   c1e206               | shl                 edx, 6
            //   03148580db4600       | add                 edx, dword ptr [eax*4 + 0x46db80]
            //   eb05                 | jmp                 7
            //   ba????????           |                     
            //   f6422480             | test                byte ptr [edx + 0x24], 0x80
            //   7415                 | je                  0x17
            //   e8????????           |                     

        $sequence_6 = { 50 e8???????? 83c42c 85c0 7525 6891020000 68???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c42c               | add                 esp, 0x2c
            //   85c0                 | test                eax, eax
            //   7525                 | jne                 0x27
            //   6891020000           | push                0x291
            //   68????????           |                     

        $sequence_7 = { 6a40 8d8530040000 50 e8???????? 83c410 bf01000000 897db0 }
            // n = 7, score = 100
            //   6a40                 | push                0x40
            //   8d8530040000         | lea                 eax, [ebp + 0x430]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   bf01000000           | mov                 edi, 1
            //   897db0               | mov                 dword ptr [ebp - 0x50], edi

        // Only six instructions here (n = 6); every other sequence has seven.
        $sequence_8 = { e8???????? 53 e8???????? 8bd8 83c408 895c241c }
            // n = 6, score = 100
            //   e8????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c408               | add                 esp, 8
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx

        $sequence_9 = { 8b7c2440 8b4c2440 234c2448 f7d7 237c2424 f7d2 23542458 }
            // n = 7, score = 100
            //   8b7c2440             | mov                 edi, dword ptr [esp + 0x40]
            //   8b4c2440             | mov                 ecx, dword ptr [esp + 0x40]
            //   234c2448             | and                 ecx, dword ptr [esp + 0x48]
            //   f7d7                 | not                 edi
            //   237c2424             | and                 edi, dword ptr [esp + 0x24]
            //   f7d2                 | not                 edx
            //   23542458             | and                 edx, dword ptr [esp + 0x58]

    condition:
        // Fires when at least 7 of the 10 sequences are present AND the scanned
        // object is smaller than 1,024,000 bytes. The size cap presumably keeps
        // scan cost and false positives on large files down; note it also
        // means larger carriers (e.g. a memory dump above that size) will not
        // match even if all sequences are present.
        7 of them and filesize < 1024000
}