win.petrwrap (Back to overview)

PetrWrap


The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya at runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.

References
2017-07-14 — Malwarebytes — Malwarebytes Labs
Keeping up with the Petyas: Demystifying the malware family
EternalPetya GoldenEye PetrWrap Petya
2017-03-14 — Kaspersky Labs — Anton Ivanov, Fedor Sinitsyn
PetrWrap: the new Petya-based ransomware used in targeted attacks
PetrWrap
Yara Rules
[TLP:WHITE] win_petrwrap_auto (20230808 | Detects win.petrwrap.)
rule win_petrwrap_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.petrwrap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of x86 instruction bytes taken from the
    // sample's disassembly; the comment lines under each string give the
    // byte-to-mnemonic mapping, "n" is the number of instructions in the run
    // and "score" is the value the generator assigned to it.
    // Bytes written as "??" are wildcards: in the e8 (x86 call rel32)
    // instructions below the 4-byte relative target is masked, so the pattern
    // still matches when the callee sits at a different offset.
    strings:
        $sequence_0 = { f7e9 c1fa02 8bc2 c1e81f 40 03c2 687f010000 }
            // n = 7, score = 100
            //   f7e9                 | imul                ecx
            //   c1fa02               | sar                 edx, 2
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   40                   | inc                 eax
            //   03c2                 | add                 eax, edx
            //   687f010000           | push                0x17f

        $sequence_1 = { 136c2414 894c2428 8b4c246c 896c2420 8d4960 e8???????? 8b4c2440 }
            // n = 7, score = 100
            //   136c2414             | adc                 ebp, dword ptr [esp + 0x14]
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx
            //   8b4c246c             | mov                 ecx, dword ptr [esp + 0x6c]
            //   896c2420             | mov                 dword ptr [esp + 0x20], ebp
            //   8d4960               | lea                 ecx, [ecx + 0x60]
            //   e8????????           |                     
            //   8b4c2440             | mov                 ecx, dword ptr [esp + 0x40]

        $sequence_2 = { 50 57 57 c744242400000000 c744242800000000 c744242c00000000 c744243800000000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   57                   | push                edi
            //   57                   | push                edi
            //   c744242400000000     | mov                 dword ptr [esp + 0x24], 0
            //   c744242800000000     | mov                 dword ptr [esp + 0x28], 0
            //   c744242c00000000     | mov                 dword ptr [esp + 0x2c], 0
            //   c744243800000000     | mov                 dword ptr [esp + 0x38], 0

        $sequence_3 = { 8b7c2418 f7c3fcffffff 0f8496000000 897c2420 8d4900 6a00 56 }
            // n = 7, score = 100
            //   8b7c2418             | mov                 edi, dword ptr [esp + 0x18]
            //   f7c3fcffffff         | test                ebx, 0xfffffffc
            //   0f8496000000         | je                  0x9c
            //   897c2420             | mov                 dword ptr [esp + 0x20], edi
            //   8d4900               | lea                 ecx, [ecx]
            //   6a00                 | push                0
            //   56                   | push                esi

        $sequence_4 = { 53 53 896c2448 8844241f 660fd6442454 e8???????? 83c40c }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   896c2448             | mov                 dword ptr [esp + 0x48], ebp
            //   8844241f             | mov                 byte ptr [esp + 0x1f], al
            //   660fd6442454         | movq                qword ptr [esp + 0x54], xmm0
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_5 = { 8bca 83d100 01460c 8b442424 83d100 83c310 83ed04 }
            // n = 7, score = 100
            //   8bca                 | mov                 ecx, edx
            //   83d100               | adc                 ecx, 0
            //   01460c               | add                 dword ptr [esi + 0xc], eax
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   83d100               | adc                 ecx, 0
            //   83c310               | add                 ebx, 0x10
            //   83ed04               | sub                 ebp, 4

        $sequence_6 = { 89460c 8b06 53 55 8b2f 8b7f04 33db }
            // n = 7, score = 100
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   8b2f                 | mov                 ebp, dword ptr [edi]
            //   8b7f04               | mov                 edi, dword ptr [edi + 4]
            //   33db                 | xor                 ebx, ebx

        $sequence_7 = { 8b7c2444 33fb 237c2434 23cb }
            // n = 4, score = 100
            //   8b7c2444             | mov                 edi, dword ptr [esp + 0x44]
            //   33fb                 | xor                 edi, ebx
            //   237c2434             | and                 edi, dword ptr [esp + 0x34]
            //   23cb                 | and                 ecx, ebx

        $sequence_8 = { 897db0 6a00 ff75c8 ff55d8 6a00 6a16 }
            // n = 6, score = 100
            //   897db0               | mov                 dword ptr [ebp - 0x50], edi
            //   6a00                 | push                0
            //   ff75c8               | push                dword ptr [ebp - 0x38]
            //   ff55d8               | call                dword ptr [ebp - 0x28]
            //   6a00                 | push                0
            //   6a16                 | push                0x16

        $sequence_9 = { 7f04 8bc5 eb0e 56 55 e8???????? 8b54242c }
            // n = 7, score = 100
            //   7f04                 | jg                  6
            //   8bc5                 | mov                 eax, ebp
            //   eb0e                 | jmp                 0x10
            //   56                   | push                esi
            //   55                   | push                ebp
            //   e8????????           |                     
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]

    // A match needs at least 7 of the 10 sequences above to be present, so a
    // single coincidental byte run in an unrelated file is not enough on its
    // own, and the scanned object must be smaller than 1024000 bytes
    // (filesize is the size of the file or buffer being scanned).
    // NOTE(review): the size cap comes from the generator; when scanning
    // memory dumps or larger containers, confirm it does not exclude the
    // objects you care about before relying on a non-match.
    condition:
        7 of them and filesize < 1024000
}