Petya's Master Boot Record Infection

July 8, 2017

Last week we started our technical analysis on Petya (also called NotPetya) and its so-called “killswitch.” In that blog post we mentioned that Petya looks for a file in the Windows folder that has the same filename (no extension) as itself (for example: C:\Windows\Petya). If it exists, it terminates by calling ExitProcess. If it doesn't exist, it creates a file with the attribute DELETE_ON_CLOSE. This seems to imply that instead of a killswitch, this file is meant to be a marker to check and see if the system has already been infected. After...

