27 – Petya, . , , , . BiZone . , .
, ( ).
:
- MS17-10, , WannaCry;
- WMI (Windows Management Instrumentation),
wmic.exe /node:"<hostname>" /user:"<username>" /password:"<password>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
- PSEXEC Microsoft ( , «Mimikatz»; lsass.exe.
Petya :
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
, , , .
:
1. $MFT (NotPetya)
MBR ( MBR 34 (xor 0x07)). ( “schtasks” “at”) CHKDSK. $MFT Salsa20 ( c Petya). , , . .
:
- . , , . , “FILE”, , , . , (Data Runs). : ( ), , . , , .
- : R-Studio, GetDataBack, .
- MBR “bootrec /FixMbr” (Vista+, Windows XP “fixmbr”).
- MBR , . MBR 34 (0x4400 , 0x200) (xor 0x07) .
2. (Misha)
MBR, . :
3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.
, , , Volume Shadow Copy, Restore points, File History.
, . , .
?
NotPetya , , . :
(MFT), . MFT , :
, , (Carving) . MFT . hiberfil.sys, MFTmirr .. , MFT .
«PSEXEC» Windows :
«C:\Windows\perfc.dat» «C:\Windows\dllhost.dat»
«PSEXEC.EXE» , , , , WMI.
, PsExec WMI. “C:\Windows\perfc”.
UPD: NotPetya Misha , Misha MBR. Misha .
GPT MBR, NotPetya , . , NTFS (R-Studio ).
C perfc , Petya «perfc.dat». , , .