Petya + Propagation

udurrani

INFO


PSEXEC

PSEXEC is dropped as dllhost.dat under the c:\windows location. It is mainly used for propagation.



Some links

     CLICK FOR Info on Lateral Movement *
     CLICK FOR Lateral Movement / Propagation Video *



File a.dll is the malicious DLL. After the internal scan, the payload is propagated to the live machines that were found.

Process        Func            Param
rundll32.exe   CreateFile      \\;RdpDr\;:1\172.16.177.2\admin$\
rundll32.exe   CreateFile      \\;RdpDr\;:1\172.16.177.254\admin$\
rundll32.exe   CreateFile      \\;RdpDr\;:1\10.0.0.2\admin$\
rundll32.exe   CreateFile      \\;RdpDr\;:1\172.16.177.149\admin$\
rundll32.exe   CreateFile      C:\Program Files (x86)\Icecast\admin
rundll32.exe   QueryDirectory  C:\Program Files (x86)\Icecast\admin\*
rundll32.exe   ReadFile        C:\Program Files (x86)\Icecast\admin
rundll32.exe   QueryDirectory  C:\Program Files (x86)\Icecast\admin
rundll32.exe   QueryDirectory  C:\Program Files (x86)\Icecast\admin
rundll32.exe   CloseFile       C:\Program Files (x86)\Icecast\admin
rundll32.exe   CreateFile      C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\ahadmin.h
rundll32.exe   CreateFile      \\172.16.177.2\admin$\a
rundll32.exe   CreateFile      \\172.16.177.2\admin$\a.dll
rundll32.exe   CreateFile      \\172.16.177.149\admin$\a
rundll32.exe   CreateFile      \\10.0.0.2\admin$\a
rundll32.exe   CreateFile      \\172.16.177.149\admin$\a.dll
rundll32.exe   CreateFile      \\10.0.0.2\admin$\a.dll
rundll32.exe   CreateFile      \\172.16.177.254\admin$\a
rundll32.exe   CreateFile      \\172.16.177.254\admin$\a.dll
rundll32.exe   CreateFile      \\;RdpDr\;:1\10.0.0.11\admin$\
rundll32.exe   CreateFile      \\10.0.0.11\admin$\a
rundll32.exe   CreateFile      \\10.0.0.11\admin$\a.dll
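The trace above is what a defender can hunt for: rundll32.exe creating a DLL on the admin$ share of other hosts. The following is an added detection example written for this post (not the author's tooling); it parses constructed trace lines in the same "process func param" layout, handles both the \\;RdpDr\;:1\<ip>\admin$\ redirector form and the plain UNC form seen above, and reports which hosts received a DLL drop from rundll32.exe.

```python
import re
from collections import defaultdict

# Constructed sample lines in the post's "process operation path" layout
# (not the post's own raw capture). Both path spellings from the post appear:
# the RdpDr redirector form \\;RdpDr\;:1\<ip>\admin$\ and the plain UNC form.
SAMPLE_TRACE = r"""
rundll32.exe CreateFile \\;RdpDr\;:1\172.16.177.2\admin$\
rundll32.exe CreateFile C:\Program Files (x86)\Icecast\admin
rundll32.exe QueryDirectory C:\Program Files (x86)\Icecast\admin\*
rundll32.exe CreateFile \\172.16.177.2\admin$\a
rundll32.exe CreateFile \\172.16.177.2\admin$\a.dll
rundll32.exe CreateFile \\;RdpDr\;:1\10.0.0.11\admin$\
rundll32.exe CreateFile \\10.0.0.11\admin$\a.dll
explorer.exe CreateFile \\10.0.0.5\share\report.docx
"""

# Matches a remote admin$ path in either spelling; captures host and file name.
ADMIN_SHARE = re.compile(
    r"^\\\\(?:;RdpDr\\;:\d+\\)?(?P<host>[^\\]+)\\admin\$(?:\\(?P<name>[^\\]*))?$",
    re.IGNORECASE,
)

def parse_line(line):
    """Split 'process operation path'; the path may itself contain spaces."""
    parts = line.split(maxsplit=2)
    return tuple(parts) if len(parts) == 3 else None

def admin_share_activity(trace):
    """Map remote host -> list of (process, operation, name) on its admin$ share."""
    hits = defaultdict(list)
    for line in trace.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        proc, op, path = rec
        m = ADMIN_SHARE.match(path)
        if m:
            hits[m.group("host")].append((proc, op, m.group("name") or ""))
    return dict(hits)

def dll_drops_by(trace, procs=("rundll32.exe",)):
    """Hosts that received a .dll on admin$ via CreateFile from one of `procs`,
    i.e. the propagation pattern in the post (rundll32.exe writing a.dll)."""
    drops = {}
    for host, events in admin_share_activity(trace).items():
        names = sorted({n for p, op, n in events
                        if p.lower() in procs and op == "CreateFile"
                        and n.lower().endswith(".dll")})
        if names:
            drops[host] = names
    return drops

if __name__ == "__main__":
    for host, names in sorted(dll_drops_by(SAMPLE_TRACE).items()):
        print(f"ALERT: rundll32.exe wrote {names} to \\\\{host}\\admin$")
```

Local paths such as C:\Program Files (x86)\Icecast\admin contain "admin" but are not UNC paths and are ignored, so the check keys on the remote admin$ share rather than the substring.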