Win32/Filecoder.TeslaCrypt [Threat Name]

Win32/Filecoder.TeslaCrypt.A [Threat Variant Name]

Category trojan
Size 167936 B
Detection created Feb 04, 2015
Signature database version 11123
Aliases Backdoor.Win32.Androm.glog (Kaspersky)
  Ransom:Win32/Tescrypt.A (Microsoft)
  FileCryptor.AMX.trojan (AVG)
Short description

Win32/Filecoder.TeslaCrypt.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to pay a certain amount of money via the Bitcoin payment service.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable%.exe

A string with variable content is used instead of %variable%.


The file is then executed.


The trojan deletes the original file.


The trojan creates the following file:

  • %desktop%\Cryptolocker.lnk

The shortcut points to the trojan's malicious executable.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "svv_e" = "%appdata%\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "*svv_e" = "%appdata%\%variable%.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "svv_e" = "%appdata%\%variable%.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "*svv_e" = "%appdata%\%variable%.exe"

This causes the trojan to be executed on every system start. The asterisk prefix on the RunOnce value names makes Windows run them even when the system is started in Safe Mode, and the HKEY_LOCAL_MACHINE entries can only be written if the trojan is running with administrative rights.


The trojan creates the following files:

  • %appdata%\log.html
  • %appdata%\key.dat
  • %desktop%\HELP_TO_SAVE_YOUR_FILES.bmp
  • %desktop%\HELP_TO_SAVE_YOUR_FILES.txt

Payload information

The trojan encrypts files on local disks.


The trojan searches local drives for files with the following file extensions:

  • *.3fr
  • *.7z
  • *.accdb
  • *.ai
  • *.apk
  • *.arch00
  • *.arw
  • *.asset
  • *.avi
  • *.bar
  • *.bay
  • *.bc6
  • *.bc7
  • *.big
  • *.bik
  • *.bkf
  • *.bkp
  • *.blob
  • *.bsa
  • *.cas
  • *.cdr
  • *.cer
  • *.cfr
  • *.cr2
  • *.crt
  • *.crw
  • *.css
  • *.csv
  • *.d3dbsp
  • *.das
  • *.dazip
  • *.db
  • *.db0
  • *.dbf
  • *.dcr
  • *.der
  • *.desc
  • *.dmp
  • *.dng
  • *.doc
  • *.docm
  • *.docx
  • *.dwg
  • *.dxg
  • *.epk
  • *.eps
  • *.erf
  • *.esm
  • *.ff
  • *.flv
  • *.forge
  • *.fos
  • *.fpk
  • *.fsh
  • *.gdb
  • *.gho
  • *.hkdb
  • *.hkx
  • *.hplg
  • *.hvpl
  • *.ibank
  • *.icxs
  • *.indd
  • *.itdb
  • *.itl
  • *.itm
  • *.iwd
  • *.iwi
  • *.jpe
  • *.jpeg
  • *.jpg
  • *.js
  • *.kdb
  • *.kdc
  • *.kf
  • *.layout
  • *.lbf
  • *.litemod
  • *.lrf
  • *.ltx
  • *.lvl
  • *.m2
  • *.m3u
  • *.m4a
  • *.map
  • *.mcmeta
  • *.mdb
  • *.mdbackup
  • *.mddata
  • *.mdf
  • *.mef
  • *.menu
  • *.mlx
  • *.mov
  • *.mp4
  • *.mpqge
  • *.mrwref
  • *.ncf
  • *.nrw
  • *.ntl
  • *.odb
  • *.odc
  • *.odm
  • *.odp
  • *.ods
  • *.odt
  • *.orf
  • *.p12
  • *.p7b
  • *.p7c
  • *.pak
  • *.pdd
  • *.pdf
  • *.pef
  • *.pem
  • *.pfx
  • *.pkpass
  • *.png
  • *.ppt
  • *.pptm
  • *.pptx
  • *.psd
  • *.psk
  • *.pst
  • *.ptx
  • *.py
  • *.qdf
  • *.qic
  • *.r3d
  • *.raf
  • *.rar
  • *.raw
  • *.rb
  • *.re4
  • *.rgss3a
  • *.rim
  • *.rofl
  • *.rtf
  • *.rw2
  • *.rwl
  • *.sav
  • *.sb
  • *.sid
  • *.sidd
  • *.sidn
  • *.sie
  • *.sis
  • *.slm
  • *.snx
  • *.sql
  • *.sr2
  • *.srf
  • *.srw
  • *.sum
  • *.svg
  • *.syncdb
  • *.t12
  • *.t13
  • *.tax
  • *.tor
  • *.txt
  • *.unity3d
  • *.upk
  • *.vcf
  • *.vdf
  • *.vfs0
  • *.vpk
  • *.vpp_pc
  • *.vtf
  • *.w3x
  • *.wb2
  • *.wma
  • *.wmo
  • *.wmv
  • *.wotreplay
  • *.wpd
  • *.wps
  • *.x3f
  • *.xf
  • *.xlk
  • *.xls
  • *.xlsb
  • *.xlsm
  • *.xlsx
  • *.xxx
  • *.zip
  • *.ztmp

Only folders whose path does not contain one of the following strings are searched:

  • %programfiles%
  • %windir%

The trojan encrypts the file content.


The AES encryption algorithm is used.


An additional ".ecc" extension is appended.
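
As an added example (not code from the original page and not the malware's own code), the following Python script mirrors the file-selection rules just described, so that an incident responder can enumerate which files on a volume would be hit by this variant (extension on the list above, folder path not containing %programfiles% or %windir%) and inventory the files it has already renamed with the ".ecc" suffix. The expansion of %programfiles% and %windir% to C:\Program Files and C:\Windows, the mapping of a scratch directory onto a virtual C: drive, and the sample directory tree are assumptions of the example.

```python
import os
import tempfile

# Extensions targeted by TeslaCrypt.A, as listed above (leading "*." dropped).
TARGET_EXTENSIONS = set("""
3fr 7z accdb ai apk arch00 arw asset avi bar bay bc6 bc7 big bik bkf bkp blob bsa
cas cdr cer cfr cr2 crt crw css csv d3dbsp das dazip db db0 dbf dcr der desc dmp dng
doc docm docx dwg dxg epk eps erf esm ff flv forge fos fpk fsh gdb gho hkdb hkx hplg
hvpl ibank icxs indd itdb itl itm iwd iwi jpe jpeg jpg js kdb kdc kf layout lbf
litemod lrf ltx lvl m2 m3u m4a map mcmeta mdb mdbackup mddata mdf mef menu mlx mov
mp4 mpqge mrwref ncf nrw ntl odb odc odm odp ods odt orf p12 p7b p7c pak pdd pdf pef
pem pfx pkpass png ppt pptm pptx psd psk pst ptx py qdf qic r3d raf rar raw rb re4
rgss3a rim rofl rtf rw2 rwl sav sb sid sidd sidn sie sis slm snx sql sr2 srf srw sum
svg syncdb t12 t13 tax tor txt unity3d upk vcf vdf vfs0 vpk vpp_pc vtf w3x wb2 wma
wmo wmv wotreplay wpd wps x3f xf xlk xls xlsb xlsm xlsx xxx zip ztmp
""".split())

# %programfiles% and %windir% on a default install; these expansions are an
# assumption of this example. The trojan does a substring test on the folder path.
EXCLUDED_PATH_SUBSTRINGS = (r"c:\program files", r"c:\windows")
ENCRYPTED_SUFFIX = ".ecc"


def virtual_path(root: str, full: str) -> str:
    """Map a file under the scratch `root` to the Windows path it stands in for."""
    return "C:\\" + os.path.relpath(full, root).replace(os.sep, "\\")


def is_targeted(win_path: str) -> bool:
    """Mirror the trojan's selection: extension on the list (case-insensitive)
    and no excluded string anywhere in the folder part of the path."""
    folder, _, name = win_path.rpartition("\\")
    if any(s in folder.lower() for s in EXCLUDED_PATH_SUBSTRINGS):
        return False
    _, _, ext = name.rpartition(".")
    return "." in name and ext.lower() in TARGET_EXTENSIONS


def at_risk_files(root: str) -> list[str]:
    """Files under `root` that this variant would encrypt (pre-infection view)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            vp = virtual_path(root, os.path.join(dirpath, f))
            if is_targeted(vp):
                hits.append(vp)
    return sorted(hits)


def encrypted_inventory(root: str) -> list[tuple[str, str, bool]]:
    """Post-infection view: every *.ecc file as (encrypted path, original path,
    original extension was on the target list). False in the last field means
    the file does not fit this variant's behaviour and needs a second look."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ENCRYPTED_SUFFIX):
                continue
            vp = virtual_path(root, os.path.join(dirpath, f))
            original = vp[: -len(ENCRYPTED_SUFFIX)]
            out.append((vp, original, is_targeted(original)))
    return sorted(out)


def build_sample_tree(root: str) -> None:
    """Constructed fixture standing in for a victim's C: drive (not real data)."""
    layout = [
        r"Users\alice\Documents\budget.xlsx",      # on the list: would be encrypted
        r"Users\alice\Documents\notes.TXT",        # extension match is case-insensitive
        r"Users\alice\Pictures\holiday.jpg.ecc",   # already encrypted by this variant
        r"Users\alice\Music\track.mp3.ecc",        # .ecc, but mp3 is not on the list
        r"Users\alice\Pictures\README",            # no extension at all
        r"Users\alice\Downloads\setup.exe",        # extension not on the list
        r"Program Files\App\data.db",              # skipped: %programfiles% in path
        r"Windows\Temp\trace.txt",                 # skipped: %windir% in path
        r"Windows.old\Users\alice\old.doc",        # skipped too: substring match
    ]
    for rel in layout:
        full = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder")


def demo() -> tuple[list[str], list[tuple[str, str, bool]]]:
    """Build the fixture in a temporary directory and run both views over it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return at_risk_files(root), encrypted_inventory(root)


if __name__ == "__main__":
    risk, enc = demo()
    print("would be encrypted:", *risk, sep="\n  ")
    print("already encrypted:", *(f"{e} <- {o} (on list: {t})" for e, o, t in enc), sep="\n  ")
```

Because the exclusion is a substring test on the folder path, a directory such as C:\Windows.old is skipped along with C:\Windows, which the fixture shows; conversely, a .ecc file whose original extension is not on the list (track.mp3 in the fixture) should not be attributed to this variant without further evidence.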


To decrypt the files, the user is asked to pay a certain amount of money via the Bitcoin payment service.


The trojan displays a dialog box with the ransom demand (the example screenshots are not reproduced here).

Information stealing

The trojan collects the following information:

  • operating system version
  • external IP address of the network device
  • cryptographic keys

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (6) URLs. The HTTP protocol is used in the communication.

Other information

The trojan terminates processes with any of the following strings in the path:

  • taskmgr
  • procexp
  • regedit
  • msconfig
  • cmd.exe

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "Wallpaper" = "%desktop%\HELP_TO_SAVE_YOUR_FILES.bmp"
    • "WallpaperStyle" = 0
    • "TileWallpaper" = 0

The trojan executes the following command:

  • vssadmin.exe delete shadows /all /Quiet

This deletes all Volume Shadow Copies, so the encrypted files cannot be restored from Previous Versions. The command only succeeds when the trojan is running with administrative rights.
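
The installation artefacts (the svv_e Run/RunOnce values and the dropped files), the ransom wallpaper and the vssadmin command above together give a compact set of host indicators for this variant. The following Python script is an added example, not part of the original page or of any vendor tooling: it scores Sysmon-style events (registry value set, file create, process create) against those indicators and flags hosts where persistence and payload evidence coincide. The event records, the host names and the use of the Sysmon field names EventID, TargetObject, Details, TargetFilename and CommandLine are constructed for the example.

```python
import re

# Host indicators taken from the description above.
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\\*?svv_e$", re.IGNORECASE)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)
DROPPED_NAMES = {
    "log.html", "key.dat", "cryptolocker.lnk",
    "help_to_save_your_files.bmp", "help_to_save_your_files.txt",
}
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
ENCRYPTED_SUFFIX = ".ecc"


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify(event: dict) -> list[str]:
    """Return the indicator names one event matches (empty list if none).
    Field names follow the Sysmon schema; that mapping is an assumption here."""
    hits = []
    eid = event.get("EventID")
    if eid == 13:  # Sysmon RegistryEvent (value set)
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if RUN_VALUE_RE.search(target) and details.lower().endswith(".exe"):
            hits.append("persistence_run_key")
        if WALLPAPER_RE.search(target) and basename(details).lower() == "help_to_save_your_files.bmp":
            hits.append("ransom_wallpaper")
    elif eid == 11:  # Sysmon FileCreate
        name = basename(event.get("TargetFilename", "")).lower()
        if name in DROPPED_NAMES:
            hits.append("dropped_file")
        elif name.endswith(ENCRYPTED_SUFFIX):
            hits.append("encrypted_file")
    elif eid == 1:  # Sysmon ProcessCreate
        if SHADOW_DELETE_RE.search(event.get("CommandLine", "")):
            hits.append("shadow_copy_deletion")
    return hits


def hunt(events) -> dict[str, list[str]]:
    """Collect the distinct indicators seen per host; hosts with no hits are omitted."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev.get("Computer", "?"), set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}


def is_likely_infected(indicators: list[str]) -> bool:
    """Persistence plus payload evidence (dropped or encrypted files) is a far
    stronger signal than any single indicator; shadow-copy deletion on its own
    can also come from legitimate administration."""
    return "persistence_run_key" in indicators and (
        "dropped_file" in indicators or "encrypted_file" in indicators
    )


# Constructed telemetry for two hosts: WS01 shows the full chain, WS02 is clean.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /Quiet"},
    {"Computer": "WS01", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svv_e",
     "Details": r"C:\Users\alice\AppData\Roaming\qwzvbn.exe"},
    {"Computer": "WS01", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*svv_e",
     "Details": r"C:\Users\alice\AppData\Roaming\qwzvbn.exe"},
    {"Computer": "WS01", "EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\key.dat"},
    {"Computer": "WS01", "EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.ecc"},
    {"Computer": "WS01", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\alice\Desktop\HELP_TO_SAVE_YOUR_FILES.bmp"},
    {"Computer": "WS02", "EventID": 1, "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Computer": "WS02", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


if __name__ == "__main__":
    for host, indicators in hunt(SAMPLE_EVENTS).items():
        verdict = "LIKELY INFECTED" if is_likely_infected(indicators) else "review"
        print(f"{host}: {verdict}: {', '.join(indicators)}")
```

The Run-key match is anchored on the value name rather than the hive, because Sysmon records HKEY_CURRENT_USER writes under HKU\<SID>; matching on the tail of TargetObject keeps both the per-user and the machine-wide entries in scope.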
