A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25548  by AaLl86
 Wed Apr 01, 2015 2:06 pm
This is a dropper that claims to be the new CryptoLocker 3.0.
Even if in the available analysis (http://www.bleepingcomputer.com/forums/ ... eo-gamers/ or http://labs.bromium.com/2015/03/12/achi ... eo-gamers/), and the dropper itself, speak about an asymmetric RSA-2048 encryption, I can assure you all that the file encryption is a SYMMETRIC AES256 encryption.
You can decrypt your files using the "key.dat" inside the "APPDATA" folder....

 #25552  by Blaze
 Thu Apr 02, 2015 1:15 pm
Probable Cryptowall 3.0 sample attached, can't check thoroughly myself right now.
(156.93 KiB) Downloaded 238 times
 #25556  by Blaze
 Thu Apr 02, 2015 2:27 pm
Interesting Artillerie, did you run this on a physical or virtual machine? I had the same result as you on a virtual machine, however on a physical machine I got:


I was thinking this may be TeslaCrypt.
 #25561  by EP_X0FF
 Thu Apr 02, 2015 3:20 pm
Here is unpacked. Have no idea what is it, since I don't follow modern cryptolockers, but code seems readable.

Some parts for example.
Code: Select all
  pExecInfo.lpVerb = L"open";
  if ( !dword_4681A8 )
    pExecInfo.lpVerb = L"runas";
  pExecInfo.lpFile = L"vssadmin.exe";
  pExecInfo.lpParameters = L"delete shadows /all /Quiet";
  pExecInfo.nShow = 0;
  pExecInfo.fMask = 64;
  while ( !ShellExecuteExW(&pExecInfo)
Code: Select all
        if ( wcsstr(&ImageFileName, L"taskmgr")
          || wcsstr(&ImageFileName, L"procexp")
          || wcsstr(&ImageFileName, L"regedit")
          || wcsstr(&ImageFileName, L"msconfig")
          || wcsstr(&ImageFileName, L"cmd.exe") )
          TerminateProcess(v4, 0);
Also by hardcoded mutex name "dslhufdks3" you can find some references in google :)

File exts.
Code: Select all
pass: infected
(114.05 KiB) Downloaded 151 times
 #25564  by Grinler
 Thu Apr 02, 2015 6:12 pm
This is teslacrypt. Notice the version number in the GUI title and game extensions.
 #25565  by Grinler
 Thu Apr 02, 2015 6:22 pm
Yup, to confirm I just installed and its TeslaCrypt. Not sure why you saw the CW 3.0 screen. That's strange.

Some minor changes in this version include new ransom note filenames:


Still has open img dir:

  • 1
  • 2
  • 3
  • 4
  • 5
  • 7