TeslaCrypt ransomware

Forum for analysis and discussion about malware.

TeslaCrypt ransomware

Post by Sargerras » Thu Mar 12, 2015 12:37 pm

Hello,

and some more of this bad stuff.
Sargerras
 
Posts: 9
Joined: Mon May 13, 2013 12:23 pm
Reputation point: 3

Re: TeslaCrypt ransomware

Post by AaLl86 » Wed Apr 01, 2015 2:06 pm

Hi!
This is a dropper that claims to be the new CryptoLocker 3.0.
Even if the available analyses (http://www.bleepingcomputer.com/forums/t/568525/new-teslacrypt-ransomware-sets-its-scope-on-video-gamers/ or http://labs.bromium.com/2015/03/12/achievement-locked-new-crypto-ransomware-pwns-video-gamers/), and the dropper itself, speak about asymmetric RSA-2048 encryption, I can assure you all that the file encryption is a SYMMETRIC AES-256 encryption.
You can decrypt your files using the "key.dat" inside the "APPDATA" folder.


Andrea
AaLl86
 
Posts: 50
Joined: Sat Mar 20, 2010 4:21 pm
Location: Italy
Reputation point: 47

Re: Cryptowall

Post by Blaze » Thu Apr 02, 2015 1:15 pm

Probable Cryptowall 3.0 sample attached, can't check thoroughly myself right now.
Follow me on Twitter: @bartblaze
Blaze
 
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am
Reputation point: 71

Re: Cryptowall

Post by Snakebyte » Thu Apr 02, 2015 1:25 pm

Thank you
Snakebyte
 
Posts: 12
Joined: Tue Oct 07, 2014 9:33 am
Reputation point: 1

Re: Cryptowall

Post by Artilllerie » Thu Apr 02, 2015 2:19 pm

Blaze: It's a sort of CryptoLocker sample:

[screenshot]

[screenshot]
Artilllerie
 
Posts: 25
Joined: Thu Dec 13, 2012 11:32 am
Reputation point: 3

Re: Cryptowall

Post by Blaze » Thu Apr 02, 2015 2:27 pm

Interesting Artillerie, did you run this on a physical or virtual machine? I had the same result as you on a virtual machine, however on a physical machine I got:

[screenshot]

I was thinking this may be TeslaCrypt.
Follow me on Twitter: @bartblaze
Blaze
 
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am
Reputation point: 71

Re: Cryptowall

Post by Artilllerie » Thu Apr 02, 2015 2:56 pm

Very interesting, tested on my side on Win 7 32-bit with VMware.
Artilllerie
 
Posts: 25
Joined: Thu Dec 13, 2012 11:32 am
Reputation point: 3

Re: Cryptowall

Post by EP_X0FF » Thu Apr 02, 2015 3:20 pm

Here is the unpacked sample. I have no idea what it is, since I don't follow modern cryptolockers, but the code seems readable.

Some parts for example.
Code:
  // ShellExecuteEx call that deletes every Volume Shadow Copy, so previous
  // file versions cannot be restored after encryption.
  pExecInfo.lpVerb = L"open";
  if ( !dword_4681A8 )                 // global flag; when clear, ask for elevation via UAC
    pExecInfo.lpVerb = L"runas";
  pExecInfo.lpFile = L"vssadmin.exe";
  pExecInfo.lpParameters = L"delete shadows /all /Quiet";
  pExecInfo.nShow = 0;                 // SW_HIDE: no visible console window
  pExecInfo.fMask = 64;                // SEE_MASK_NOCLOSEPROCESS (0x40)
  while ( !ShellExecuteExW(&pExecInfo)


Code:
        // Kills common analysis and administration tools by image name while the sample runs.
        if ( wcsstr(&ImageFileName, L"taskmgr")
          || wcsstr(&ImageFileName, L"procexp")
          || wcsstr(&ImageFileName, L"regedit")
          || wcsstr(&ImageFileName, L"msconfig")
          || wcsstr(&ImageFileName, L"cmd.exe") )
          TerminateProcess(v4, 0);     // v4: handle opened on the matched process


Also, by the hardcoded mutex name "dslhufdks3" you can find some references on Google :)

File extensions:
Code:
.sql
.rar
.wma
.avi
.wmv
.csv
.d3dbsp
.zip
.sie
.sum
.ibank
.qdf
.gdb
.tax
.pkpass
.bkp
.qic
.bkf
.sidn
.sidd
.mddata
.itl
.itdb
.icxs
.hvpl
.hplg
.hkdb
.mdbackup
.syncdb
.gho
.cas
.svg
.map
.wmo
.itm
.fos
.mov
.vdf
.ztmp
.sis
.sid
.ncf
.menu
.layout
.dmp
.blob
.esm
.vcf
.vtf
.dazip
.fpk
.mlx
.iwd
.vpk
.tor
.psk
.rim
.fsh
.ntl
.arch00
.lvl
.snx
.cfr
.vpp_pc
.lrf
.mcmeta
.vfs0
.mpqge
.kdb
.dba
.rofl
.hkx
.bar
.upk
.das
.iwi
.litemod
.asset
.forge
.ltx
.bsa
.apk
.sav
.lbf
.slm
.bik
.epk
.rgss3a
.pak
.big
wallet
.wotreplay
.xxx
.desc
.flv
.css
.png
.jpeg
.txt
.pfx
.pem
.crt
.cer
.der
.srw
.pef
.ptx
.rwl
.raw
.raf
.orf
.nrw
.mrwref
.mef
.erf
.kdc
.dcr
.crw
.bay
.srf
.arw
.dng
.jpe
.jpg
.cdr
.indd
.eps
.pdf
.pdd
.psd
.dbf
.mdf
.rtf
.wpd
.dxg
.dwg
.pst
.accdb
.mdb
.pptm
.pptx
.ppt
.xlk
.xlsb
.xlsm
.xlsx
.xls
.wps
.docm
.docx
.doc
.odb
.odc
.odm
.odp
.ods
.odt
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Cryptowall

Post by Grinler » Thu Apr 02, 2015 6:12 pm

This is teslacrypt. Notice the version number in the GUI title and game extensions.
BleepingComputer.com
Grinler
 
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm
Reputation point: 5

Re: Cryptowall

Post by Grinler » Thu Apr 02, 2015 6:22 pm

Yup, to confirm, I just installed it and it's TeslaCrypt. Not sure why you saw the CW 3.0 screen. That's strange.

Some minor changes in this version include new ransom note filenames:

HELP_RESTORE_FILES.txt
HELP_RESTORE_FILES.bmp

Still has open img dir:

hxxp://34r6hq26q2h4jkzj.79fhdm16.com/img/
BleepingComputer.com
Grinler
 
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm
Reputation point: 5
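Detection logic written as an added example for this thread (not code from the thread, from the malware, or from any project): it scans constructed Sysmon-style events for the two host indicators discussed above, the "vssadmin.exe delete shadows /all /Quiet" call in EP_X0FF's snippet and the HELP_RESTORE_FILES.txt / .bmp ransom notes Grinler lists. Field names follow Sysmon's ProcessCreate (ID 1) and FileCreate (ID 11) events; every path, user name and event below is made up.

```python
import re
from pathlib import PureWindowsPath

# Ransom note names from Grinler's post, compared case-insensitively.
RANSOM_NOTES = {"help_restore_files.txt", "help_restore_files.bmp"}
# Tolerates extra spaces and any casing; /all and /Quiet are optional so that
# a variant dropping single shadow copies is still caught.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def is_shadow_copy_deletion(image, command_line):
    """True when vssadmin.exe itself (any path, any casing) runs 'delete shadows'.
    A parent such as cmd.exe that launches vssadmin is not flagged here, because
    the child vssadmin process produces its own ProcessCreate event."""
    if PureWindowsPath(image).name.lower() != "vssadmin.exe":
        return False
    return SHADOW_DELETE.search(command_line) is not None


def is_ransom_note(target_filename):
    """True when the created file carries one of the known ransom note names."""
    return PureWindowsPath(target_filename).name.lower() in RANSOM_NOTES


def scan_events(events):
    """Return (rule, responsible_image, detail) for every matching event."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and is_shadow_copy_deletion(ev["Image"], ev["CommandLine"]):
            # The parent is what asked for shadow deletion; vssadmin is just the tool.
            alerts.append(("shadow_copy_deletion", ev.get("ParentImage", "?"), ev["CommandLine"]))
        elif ev["EventID"] == 11 and is_ransom_note(ev["TargetFilename"]):
            alerts.append(("ransom_note_dropped", ev["Image"], ev["TargetFilename"]))
    return alerts


# Constructed sample events; "dropper.exe" is a placeholder name, not a real IoC.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /Quiet",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\dropper.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Roaming\dropper.exe",
     "TargetFilename": r"C:\Users\victim\Documents\HELP_RESTORE_FILES.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

On real telemetry the same two rules apply to Sysmon ID 1 and ID 11 records exported from the event log; the "list shadows" and notes.txt events are included to show the rules do not fire on benign activity.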
