TeslaCrypt ransomware

Forum for analysis and discussion about malware.
Sargerras
Posts: 9
Joined: Mon May 13, 2013 12:23 pm

TeslaCrypt ransomware

Post by Sargerras » Thu Mar 12, 2015 12:37 pm

Hello,

and some more of this bad stuff.

AaLl86
Posts: 50
Joined: Sat Mar 20, 2010 4:21 pm
Location: Italy
Contact:

Re: TeslaCrypt ransomware

Post by AaLl86 » Wed Apr 01, 2015 2:06 pm

Hi!
This is a dropper that claims to be the new CryptoLocker 3.0.
Even if the available analyses (http://www.bleepingcomputer.com/forums/ ... eo-gamers/ or http://labs.bromium.com/2015/03/12/achi ... eo-gamers/), and the dropper itself, speak about an asymmetric RSA-2048 encryption, I can assure you all that the file encryption is a SYMMETRIC AES256 encryption.
You can decrypt your files using the "key.dat" inside the "APPDATA" folder....


Andrea

Blaze
Posts: 199
Joined: Fri Aug 27, 2010 7:35 am
Contact:

Re: Cryptowall

Post by Blaze » Thu Apr 02, 2015 1:15 pm

Probable Cryptowall 3.0 sample attached, can't check thoroughly myself right now.

Snakebyte
Posts: 12
Joined: Tue Oct 07, 2014 9:33 am

Re: Cryptowall

Post by Snakebyte » Thu Apr 02, 2015 1:25 pm

Thank you

Artilllerie
Posts: 25
Joined: Thu Dec 13, 2012 11:32 am

Re: Cryptowall

Post by Artilllerie » Thu Apr 02, 2015 2:19 pm

Blaze: It's a sort of cryptolocker sample:

[two screenshot attachments]

Blaze
Posts: 199
Joined: Fri Aug 27, 2010 7:35 am
Contact:

Re: Cryptowall

Post by Blaze » Thu Apr 02, 2015 2:27 pm

Interesting, Artilllerie. Did you run this on a physical or a virtual machine? I had the same result as you on a virtual machine; however, on a physical machine I got:

[screenshot attachment]

I was thinking this may be TeslaCrypt.

Artilllerie
Posts: 25
Joined: Thu Dec 13, 2012 11:32 am

Re: Cryptowall

Post by Artilllerie » Thu Apr 02, 2015 2:56 pm

Very interesting, tested on my side on Win 7 32b with VMware.

EP_X0FF
Global Moderator
Posts: 4788
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Cryptowall

Post by EP_X0FF » Thu Apr 02, 2015 3:20 pm

Here is the unpacked sample. I have no idea what it is, since I don't follow modern cryptolockers, but the code seems readable.

Some parts for example.

Code:

  // Launch vssadmin through the UAC "runas" verb unless the flag (presumably an
  // already-elevated check) is set
  pExecInfo.lpVerb = L"open";
  if ( !dword_4681A8 )
    pExecInfo.lpVerb = L"runas";
  // Silently wipe every Volume Shadow Copy, removing the built-in restore path
  pExecInfo.lpFile = L"vssadmin.exe";
  pExecInfo.lpParameters = L"delete shadows /all /Quiet";
  pExecInfo.nShow = 0;    // SW_HIDE
  pExecInfo.fMask = 64;   // SEE_MASK_NOCLOSEPROCESS
  // Keeps retrying until ShellExecuteEx succeeds
  while ( !ShellExecuteExW(&pExecInfo)

Code:

        // Kill analysis and admin tools by image name so the user cannot
        // inspect or stop the process
        if ( wcsstr(&ImageFileName, L"taskmgr")
          || wcsstr(&ImageFileName, L"procexp")
          || wcsstr(&ImageFileName, L"regedit")
          || wcsstr(&ImageFileName, L"msconfig")
          || wcsstr(&ImageFileName, L"cmd.exe") )
          TerminateProcess(v4, 0);

Also, by the hardcoded mutex name "dslhufdks3" you can find some references on Google :)

File exts.

Code:

.sql
.rar
.wma
.avi
.wmv
.csv
.d3dbsp
.zip
.sie
.sum
.ibank
.qdf
.gdb
.tax
.pkpass
.bkp
.qic
.bkf
.sidn
.sidd
.mddata
.itl
.itdb
.icxs
.hvpl
.hplg
.hkdb
.mdbackup
.syncdb
.gho
.cas
.svg
.map
.wmo
.itm
.fos
.mov
.vdf
.ztmp
.sis
.sid
.ncf
.menu
.layout
.dmp
.blob
.esm
.vcf
.vtf
.dazip
.fpk
.mlx
.iwd
.vpk
.tor
.psk
.rim
.fsh
.ntl
.arch00
.lvl
.snx
.cfr
.vpp_pc
.lrf
.mcmeta
.vfs0
.mpqge
.kdb
.dba
.rofl
.hkx
.bar
.upk
.das
.iwi
.litemod
.asset
.forge
.ltx
.bsa
.apk
.sav
.lbf
.slm
.bik
.epk
.rgss3a
.pak
.big
wallet
.wotreplay
.xxx
.desc
.flv
.css
.png
.jpeg
.txt
.pfx
.pem
.crt
.cer
.der
.srw
.pef
.ptx
.rwl
.raw
.raf
.orf
.nrw
.mrwref
.mef
.erf
.kdc
.dcr
.crw
.bay
.srf
.arw
.dng
.jpe
.jpg
.cdr
.indd
.eps
.pdf
.pdd
.psd
.dbf
.mdf
.rtf
.wpd
.dxg
.dwg
.pst
.accdb
.mdb
.pptm
.pptx
.ppt
.xlk
.xlsb
.xlsm
.xlsx
.xls
.wps
.docm
.docx
.doc
.odb
.odc
.odm
.odp
.ods
.odt
Ring0 - the source of inspiration

Grinler
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

Re: Cryptowall

Post by Grinler » Thu Apr 02, 2015 6:12 pm

This is TeslaCrypt. Notice the version number in the GUI title and the game extensions.
BleepingComputer.com

Grinler
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

Re: Cryptowall

Post by Grinler » Thu Apr 02, 2015 6:22 pm

Yup, to confirm: I just installed it and it's TeslaCrypt. Not sure why you saw the CW 3.0 screen. That's strange.

Some minor changes in this version include new ransom note filenames:

HELP_RESTORE_FILES.txt
HELP_RESTORE_FILES.bmp

Still has open img dir:

hxxp://34r6hq26q2h4jkzj.79fhdm16.com/img/
BleepingComputer.com
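Pulling the host-side traits named in this thread together (the vssadmin shadow-copy wipe and "dslhufdks3" mutex from EP_X0FF's unpacked sample, the HELP_RESTORE_FILES ransom note names from Grinler's post), here is an added triage example, not code from the thread or from the malware; the event dict format with "type", "cmdline", "path" and "name" keys is an assumption for this example and would be mapped onto your own EDR or Sysmon fields.

```python
"""Flag TeslaCrypt behaviours described in the thread in endpoint telemetry."""
import re

# Traits quoted in the thread: shadow-copy wipe via vssadmin, the ransom
# note filenames, and the hard-coded mutex name.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RANSOM_NOTES = {"help_restore_files.txt", "help_restore_files.bmp"}
MUTEX_NAME = "dslhufdks3"


def triage_events(events):
    """Return (rule, detail) tuples for events matching a TeslaCrypt trait.

    Event schema (assumed for this example): process events carry "cmdline",
    file events carry "path", mutex events (if your tooling records them)
    carry "name".
    """
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if VSSADMIN_DELETE.search(cmd):
                hits.append(("shadow_copy_deletion", cmd))
        elif kind == "file":
            # Compare only the basename, case-insensitively, whatever the drive/path
            name = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in RANSOM_NOTES:
                hits.append(("ransom_note_dropped", ev["path"]))
        elif kind == "mutex" and ev.get("name") == MUTEX_NAME:
            hits.append(("teslacrypt_mutex", ev["name"]))
    return hits


# Constructed sample telemetry (not real logs) so the function can be run as-is.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /Quiet"},
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},  # benign admin use
    {"type": "file", "path": r"C:\Users\alice\Documents\HELP_RESTORE_FILES.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "mutex", "name": "dslhufdks3"},
]

if __name__ == "__main__":
    for rule, detail in triage_events(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```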
