win.petrwrap

PetrWrap


The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.

References
2017-07-14MalwarebytesMalwarebytes Labs
Keeping up with the Petyas: Demystifying the malware family
EternalPetya GoldenEye PetrWrap Petya
2017-03-14Kaspersky LabsAnton Ivanov, Fedor Sinitsyn
PetrWrap: the new Petya-based ransomware used in targeted attacks
PetrWrap
Yara Rules
[TLP:WHITE] win_petrwrap_auto (20260504 | Detects win.petrwrap.)
// Auto-generated detection rule (yara-signator) for the PetrWrap family
// (Malpedia: win.petrwrap). Each $sequence_N string is a run of x86 instruction
// bytes taken from disassembly; the "??" wildcards stand in for the operands of
// call/jmp/push and absolute data references, which differ between builds.
// NOTE(review): several sequences still embed absolute addresses as literal bytes
// (e.g. 0x4438d0 in $sequence_1, 0x441cd0 in $sequence_3), so the rule is tied to
// the image layout of the documented sample(s); rebuilt or relocated variants may
// not match. Treat it as a sample-level signature, not a family-wide one.
rule win_petrwrap_auto {

    // Rule provenance and licensing metadata; see the DISCLAIMER below for how
    // the strings were selected.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.petrwrap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each sequence is annotated with its instruction count (n) and the
    // generator's score; the disassembly listing after each string is the
    // generator's own output and is not part of the pattern.
    strings:
        // Function epilogue / prologue boundary: stack cleanup, ret, then the
        // next function's prologue. Generic shape; the call target is wildcarded.
        $sequence_0 = { 83c46c c3 55 68???????? 57 56 e8???????? }
            // n = 7, score = 100
            //   83c46c               | add                 esp, 0x6c
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   68????????           |                     
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     

        // Byte-table lookup feeding shl/xor/ror/and — looks like a table-driven
        // transform (S-box style); consistent with the page's note that PetrWrap
        // implements its own cryptographic routines, but not confirmed here.
        // The table address 0x4438d0 is a literal byte in the pattern.
        $sequence_1 = { c1e108 0fb680d0384400 33c8 334f04 8bc1 c1c808 2500ff00ff }
            // n = 7, score = 100
            //   c1e108               | shl                 ecx, 8
            //   0fb680d0384400       | movzx               eax, byte ptr [eax + 0x4438d0]
            //   33c8                 | xor                 ecx, eax
            //   334f04               | xor                 ecx, dword ptr [edi + 4]
            //   8bc1                 | mov                 eax, ecx
            //   c1c808               | ror                 eax, 8
            //   2500ff00ff           | and                 eax, 0xff00ff00

        // Stack-slot setup with a conditional move on [edi + 0xc]; the trailing
        // call target is wildcarded.
        $sequence_2 = { 8d0475ffffffff 89442418 83c8ff 396f0c 0f45d0 8954241c e8???????? }
            // n = 7, score = 100
            //   8d0475ffffffff       | lea                 eax, [esi*2 - 1]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   83c8ff               | or                  eax, 0xffffffff
            //   396f0c               | cmp                 dword ptr [edi + 0xc], ebp
            //   0f45d0               | cmovne              edx, eax
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx
            //   e8????????           |                     

        // Second table lookup (scaled index, table at literal address 0x441cd0)
        // xor-mixed into ecx; same presumed transform as $sequence_1.
        $sequence_3 = { 33c8 0fb6c3 0fb60485d01c4400 33c8 334d04 8bc1 }
            // n = 6, score = 100
            //   33c8                 | xor                 ecx, eax
            //   0fb6c3               | movzx               eax, bl
            //   0fb60485d01c4400     | movzx               eax, byte ptr [eax*4 + 0x441cd0]
            //   33c8                 | xor                 ecx, eax
            //   334d04               | xor                 ecx, dword ptr [ebp + 4]
            //   8bc1                 | mov                 eax, ecx

        // Bitwise not/and/xor over stack temporaries; no addresses embedded,
        // so this one is comparatively position-independent.
        $sequence_4 = { f7d7 237c2444 f7d2 23542418 33f9 8b4c2414 33d0 }
            // n = 7, score = 100
            //   f7d7                 | not                 edi
            //   237c2444             | and                 edi, dword ptr [esp + 0x44]
            //   f7d2                 | not                 edx
            //   23542418             | and                 edx, dword ptr [esp + 0x18]
            //   33f9                 | xor                 edi, ecx
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   33d0                 | xor                 edx, eax

        // 32x32->64 multiply followed by a shld/add — possibly multi-precision
        // arithmetic; unverified.
        $sequence_5 = { f76500 89442418 8bca 0fa4c101 33f6 03c0 }
            // n = 6, score = 100
            //   f76500               | mul                 dword ptr [ebp]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   8bca                 | mov                 ecx, edx
            //   0fa4c101             | shld                ecx, eax, 1
            //   33f6                 | xor                 esi, esi
            //   03c0                 | add                 eax, eax

        // Null-check of a returned pointer followed by a field load. Very
        // generic compiler output; contributes little on its own.
        $sequence_6 = { 8bf0 85f6 746a 8b4610 8b6d00 }
            // n = 5, score = 100
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   746a                 | je                  0x6c
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   8b6d00               | mov                 ebp, dword ptr [ebp]

        // NOTE(review): this decodes to atypical instructions (sbb with an fs:
        // segment operand, dec/inc esi, xchg eax, edx). It may be a data blob
        // (e.g. an embedded constant or key material) disassembled as code rather
        // than real instructions; if so it is still a valid byte pattern, but
        // the listing below should not be read as program logic.
        $sequence_7 = { b8420435af 641a4157 347d 4e 46 92 }
            // n = 6, score = 100
            //   b8420435af           | mov                 eax, 0xaf350442
            //   641a4157             | sbb                 al, byte ptr fs:[ecx + 0x57]
            //   347d                 | xor                 al, 0x7d
            //   4e                   | dec                 esi
            //   46                   | inc                 esi
            //   92                   | xchg                eax, edx

        // Branch-then-call with the call target wildcarded.
        $sequence_8 = { 7f04 8bcb eb10 51 53 e8???????? 8bc8 }
            // n = 7, score = 100
            //   7f04                 | jg                  6
            //   8bcb                 | mov                 ecx, ebx
            //   eb10                 | jmp                 0x12
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        // Argument pushes (1, 9, 0xda) around wildcarded calls and a global
        // load; the immediates are the only fixed bytes here.
        $sequence_9 = { 68???????? 6a01 6a09 e8???????? a1???????? 68da000000 68???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   6a01                 | push                1
            //   6a09                 | push                9
            //   e8????????           |                     
            //   a1????????           |                     
            //   68da000000           | push                0xda
            //   68????????           |                     

    // At least 7 of the 10 sequences must be present, and the scanned object
    // must be smaller than 1024000 bytes. The size bound keeps scanning cheap
    // but also means a larger carrier (e.g. a padded or bundled sample) will
    // not fire this rule even if the sequences are present.
    condition:
        7 of them and filesize < 1024000
}