thing about GoldenEye (and probably every Petya sample) #4

Open
amdfanboi opened this issue Nov 11, 2024 · 8 comments
Comments

@amdfanboi
Contributor

I've noticed that when GoldenEye is started on a UEFI (or GUID Partition Table-based) system, it starts encrypting files with a random extension and creates a ransom note on the desktop:

YOUR_FILES_ARE_ENCRYPTED.TXT

That's because UEFI systems use GPT instead of MBR. It's possible that this happens with every Petya sample, but I need to verify that.

@Cryakl
Owner

Cryakl commented Nov 11, 2024

> I've noticed that when GoldenEye is started on a UEFI (or GUID Partition Table-based) system, it starts encrypting files with a random extension and creates a ransom note on the desktop

I remember some variants of Petya also encrypt files when they are unable to get Admin rights.
But I hadn't documented it yet.

@amdfanboi
Contributor Author

amdfanboi commented Nov 11, 2024

I've also checked BadRabbit (yet another Petya variant), but this one starts for a split second and closes; the same thing happens on an MBR system...

After checking the sample on any.run, I've noticed that it tries to contact some C2 servers which are throwing errors 400 and 403; I think that's why it doesn't encrypt any files.

edit: nvm, I've restarted the Win10 VM, I've got a ransom note and the test file is now encrypted (it leaves the original extension, only the file content is modified)
edit2: after a second restart, the VM is stuck on "Preparing automatic repair" lol, looks like BadRabbit can also break the OS

@Cryakl
Owner

Cryakl commented Nov 11, 2024

> I've also checked BadRabbit (yet another Petya variant), but this one starts for a split second and closes; the same thing happens on an MBR system...
>
> After checking the sample on any.run, I've noticed that it tries to contact some C2 servers which are throwing errors 400 and 403; I think that's why it doesn't encrypt any files.
>
> edit: nvm, I've restarted the Win10 VM, I've got a ransom note and the test file is now encrypted (it leaves the original extension, only the file content is modified)
> edit2: after a second restart, the VM is stuck on "Preparing automatic repair" lol, looks like BadRabbit can also break the OS

BadRabbit's infection routine takes a while, I managed to get it working in my VM just now, it drops the ransom note to the root drive.

@amdfanboi
Contributor Author

amdfanboi commented Nov 11, 2024

> BadRabbit's infection routine takes a while, I managed to get it working in my VM just now, it drops the ransom note to the root drive.

Yea, I've also noticed that, but I don't know if the automatic repair boot-loop is intended behavior or whether something went wrong and it broke some system files; I was testing it on a clean Win10 VM.

@amdfanboi
Contributor Author

amdfanboi commented Mar 24, 2025

Hello after a long break.
I don't quite remember when GitHub unlocked my account, but I've used some of my "suspension" time to search for some new samples, and I can say that I've found some of them.

I'll be able to provide them once I organize them; I think I'll be able to do that later.

Also, I didn't know that you've become a new vxug staff member, congrats 👏:
https://twitter.com/vxunderground/status/1903920379497971889

@Cryakl
Owner

Cryakl commented Mar 24, 2025

> Hello after a long break. I don't quite remember when GitHub unlocked my account, but I've used some of my "suspension" time to search for some new samples, and I can say that I've found some of them.
>
> I'll be able to provide them once I organize them; I think I'll be able to do that later.
>
> Also, I didn't know that you've become a new vxug staff member, congrats 👏: https://twitter.com/vxunderground/status/1903920379497971889

We both got caught in the crossfire, my account was suspended too, and I mentioned your account in the appeal too so I figure that's how it got back. 😭

Thank you, I appreciate it, and good luck organizing the samples too.

@Hildaboo

Hildaboo commented May 5, 2025

Hi, Petya doesn't support UEFI at all.

Petya v1 (Red)
Petya v2 (Green, bundled with Mischa)
Petya V3 (Green, bundled with Mischa)

can support GPT partitioning (partially).

However, Petya V3 (GoldenEye) removed support for this.

As for the file encryption component (Mischa/Chimera V2) bundled in V2 onward, it's only triggered when it fails to lock the MBR or gain administrator rights.

(P.S. BadRabbit is DiskCryptor, not related to Petya at all. I expect you people could read the various articles of analysis on it :)
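The GPT-versus-MBR distinction that runs through this thread (the opening report of GoldenEye falling back to file encryption on a UEFI system, and the note above that Petya's bootlocker component works against the MBR) comes down to what sits in the disk's first sector. The following is an added triage helper for an analyst looking at a disk image; it is not code from this repository or from any of the commenters. It parses sector 0, tells a classic MBR apart from the protective MBR that a GPT disk carries (partition type 0xEE), and checks LBA 1 for the "EFI PART" header. The two sample sectors are constructed inline, and the function and field names are my own.

```python
"""Disk-triage helper: classify a disk's first sector as a classic MBR or the
protective MBR of a GPT disk, and parse its partition table.

Why it matters here: Petya-style bootlockers overwrite the bootstrap code in
sector 0 (the MBR). On a UEFI/GPT machine the firmware boots from the EFI
System Partition and never executes that code, which is consistent with the
thread's observation that GoldenEye falls back to its file encryptor there.
Added example; names and sample sectors are constructed for illustration.
"""
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 0x1BE       # four 16-byte entries start here
PARTITION_ENTRY_SIZE = 16
GPT_PROTECTIVE_TYPE = 0xEE           # type code of a GPT protective partition
GPT_HEADER_SIGNATURE = b"EFI PART"   # first 8 bytes of the GPT header at LBA 1
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    status: int
    type_code: int
    lba_start: int
    sector_count: int

    @property
    def bootable(self) -> bool:
        # Bit 7 of the status byte marks the active (bootable) partition.
        return bool(self.status & 0x80)


def parse_partition_table(sector: bytes) -> list[PartitionEntry]:
    """Return the non-empty entries of the classic four-slot partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        status, _chs_start, type_code, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, offset
        )
        if type_code == 0x00:
            continue  # unused slot
        entries.append(PartitionEntry(status, type_code, lba, count))
    return entries


def classify_sector0(sector: bytes) -> dict:
    """Classify sector 0 as 'mbr', 'gpt-protective-mbr', 'mbr-empty-table' or 'unknown'."""
    result = {
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
        # Non-zero bytes before the partition table mean bootstrap code (or a
        # disk signature) is present. Windows writes a small stub even into a
        # protective MBR, so this is a triage hint, not a verdict on its own.
        "boot_code_present": any(sector[:PARTITION_TABLE_OFFSET]),
        "scheme": "unknown",
        "partitions": [],
    }
    if not result["valid_signature"]:
        return result
    partitions = parse_partition_table(sector)
    result["partitions"] = partitions
    if any(p.type_code == GPT_PROTECTIVE_TYPE for p in partitions):
        result["scheme"] = "gpt-protective-mbr"
    elif partitions:
        result["scheme"] = "mbr"
    else:
        result["scheme"] = "mbr-empty-table"
    return result


def has_gpt_header(sector1: bytes) -> bool:
    """True if LBA 1 carries the GPT header signature (confirms a GPT disk)."""
    return sector1[:len(GPT_HEADER_SIGNATURE)] == GPT_HEADER_SIGNATURE


def build_sector0(entries, boot_code: bytes = b"") -> bytes:
    """Construct a synthetic sector 0 for testing (not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    for slot, (status, type_code, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE,
                         status, b"\0\0\0", type_code, b"\0\0\0", lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed samples: a BIOS-style disk with one active NTFS partition (type
# 0x07) and a GPT disk whose protective entry (type 0xEE) spans the whole disk.
CLASSIC_MBR = build_sector0([(0x80, 0x07, 2048, 0x1000000)], boot_code=b"\x33\xc0\x8e\xd0")
PROTECTIVE_MBR = build_sector0([(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])
GPT_HEADER_SECTOR = GPT_HEADER_SIGNATURE + bytes(SECTOR_SIZE - len(GPT_HEADER_SIGNATURE))

if __name__ == "__main__":
    for name, sector in (("classic", CLASSIC_MBR), ("protective", PROTECTIVE_MBR)):
        info = classify_sector0(sector)
        print(name, info["scheme"], [hex(p.type_code) for p in info["partitions"]])
    print("LBA1 has GPT header:", has_gpt_header(GPT_HEADER_SECTOR))
```

On a real image, read the first 512 bytes for `classify_sector0` and the next 512 for `has_gpt_header`; a sector 0 reported as `gpt-protective-mbr` with a confirmed header at LBA 1 is the configuration on which an MBR-only bootlocker has nothing to execute, which is why the file-encryptor fallback is the behaviour to look for there.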

@Cryakl
Owner

Cryakl commented May 5, 2025

> Hi, Petya doesn't support UEFI at all.
>
> Petya v1 (Red)
> Petya v2 (Green, bundled with Mischa)
> Petya V3 (Green, bundled with Mischa)
>
> can support GPT partitioning (partially).
>
> However, Petya V3 (GoldenEye) removed support for this.
>
> As for the file encryption component (Mischa/Chimera V2) bundled in V2 onward, it's only triggered when it fails to lock the MBR or gain administrator rights.
>
> (P.S. BadRabbit is DiskCryptor, not related to Petya at all. I expect you people could read the various articles of analysis on it :)

Thank you for the insight. I admit when I first created this it was just some small hobby project, so a lot of the samples are badly sorted or thrown together hastily with not too much research. I'll have to drop more time into this and clear out all the errors and mistakes.
