
Behavior:Win32/Teerac.gen!A


First posted on 03 April 2019.
Source: Microsoft

Aliases :

There are no other names known for Behavior:Win32/Teerac.gen!A.

Explanation :

Installation

Threats in this family can be downloaded by other malware, such as TrojanDownloader:O97M/Donoff. They can also arrive on your PC as a spam email attachment using a file name such as:

carta_certificada_784512.exe
fatura.exe
Pacchetto_839190.exe
Pacchetto_839190_e.exe
pacchetto_923212.exe
Parcel_Information.exe
PTT_Adres_Form.exe.exe
PTTAdresForm.exe
track_.exe
Turkcell_Fatura_789180.exe

When run, they can inject themselves into legitimate system processes and drop a copy of themselves in %windir% or  with a random name. For example:

ovijhbij.exe
%windir%\yjyricb.exe

They can also install other files onto your PC that the malware uses as startup reference points. We have seen them use the following naming format:

0000000...02000000, for example c:\programdata\umevenupasyxuxof\0000000...02000000

Some variants install the following ransom note files in the %desktop% directory:

DECRYPT_INSTRUCTIONS.html
DECRYPT_INSTRUCTIONS.txt
DESIFROVANI_POKYNY.html
DESIFROVANI_POKYNY.txt
ENTSCHLUSSELN_HINWEISE.html
ENTSCHLUSSELN_HINWEISE.txt
INSTRUCCIONES_DESCIFRADO.html
INSTRUCCIONES_DESCIFRADO.txt
INSTRUCTIONS_DE_DECRYPTAGE.html
INSTRUCTIONS_DE_DECRYPTAGE.txt
ISTRUZIONI_DECRITTAZIONE.html
ISTRUZIONI_DECRITTAZIONE.txt
SIFRE_COZME_TALIMATI.html
SIFRE_COZME_TALIMATI.txt
UNLOCK_INSTRUCTIONS.html
UNLOCK_INSTRUCTIONS.t

They can change the following registry entries so that they run each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "", for example "yjyricb"
With data: "%windir%\.exe", for example "%windir%\yjyricb.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "", for example "uziviqow"
With data: ".exe", for example "ovijhbij.exe"

The malware can also modify other registry entries as part of its installation, for example:

In subkey: HKCU\Software\Bit Torrent Application\Configuration
Sets value: "01000000"
With data: "%windir%\.exe", for example "%windir%\epabaleq.exe"

In subkey: HKCU\Software\, for example HKCU\Software\ahawomuxevoporop
Sets value: "01000000"
With data: "", for example "m.."

Payload

Encrypts your files

Threats in this family can encrypt files on your PC that have the following extensions:

avi
bmp
ico
inf
gif
mp3
png
txt
wav
xml

They add ".encrypted" to the extension names of the encrypted files, for example sample.avi.encrypted.

The malware avoids encrypting these file extensions and file paths:

bat
chm
cmd
dll
exe
ini
log
lnk
msi
scr
sys
tmp
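The persistence and encryption behaviour described above can be turned into simple triage checks. The following is an added example in Python (not code from Microsoft's write-up): it matches exported registry Run values and a file listing against the Run keys, ransom note names and ".encrypted" suffix documented on this page. The random-name regex is an assumption derived from the page's examples, and all sample inputs are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above; all sample inputs are constructed.
RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
RANSOM_NOTE_STEMS = {
    "DECRYPT_INSTRUCTIONS", "DESIFROVANI_POKYNY", "ENTSCHLUSSELN_HINWEISE",
    "INSTRUCCIONES_DESCIFRADO", "INSTRUCTIONS_DE_DECRYPTAGE",
    "ISTRUZIONI_DECRITTAZIONE", "SIFRE_COZME_TALIMATI", "UNLOCK_INSTRUCTIONS",
}
# Assumption: the random names on the page (yjyricb, ovijhbij, epabaleq) are
# 7-8 lowercase letters, so a 6-10 letter lowercase token is treated as random-looking.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}$")


def suspicious_run_entries(entries):
    """entries: iterable of (subkey, value_name, data) exported from the registry.
    Flags a Run value whose name is a random-looking token and whose data points at
    an .exe whose file name is that same token (value "yjyricb" -> "%windir%\\yjyricb.exe")."""
    hits = []
    for subkey, name, data in entries:
        if subkey not in RUN_KEYS or not RANDOM_NAME.match(name):
            continue
        target = PureWindowsPath(data.strip('"'))
        if target.suffix.lower() == ".exe" and target.stem.lower() == name:
            hits.append((subkey, name, data))
    return hits


def encrypted_files(paths):
    """Return (path, original_extension) for files carrying the appended .encrypted
    extension; sample.avi.encrypted yields (path, '.avi')."""
    out = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".encrypted" and len(wp.suffixes) >= 2:
            out.append((p, wp.suffixes[-2].lower()))
    return out


def ransom_notes(paths):
    """Return paths whose file name is one of the documented ransom note files."""
    return [p for p in paths
            if PureWindowsPath(p).stem.upper() in RANSOM_NOTE_STEMS
            and PureWindowsPath(p).suffix.lower() in {".html", ".txt"}]
```

Feed the functions the output of a registry export and a directory walk of the user profile; a hit from any of the three is worth a closer look at the referenced executable.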

Shows you a ransom screen

Once your files are encrypted, Win32/Teerac shows you the following ransom screens demanding payment to restore access to your files.

Early versions used the following message:

More recent variants use this updated message:

The malware can also delete volume shadow copies from your PC to prevent you from restoring your files from local backups.

Connects to a remote server

We have seen some variants of this family connecting to the following domains:

cangrybirds493.ru
koposorer.ru
lagosadventures.com
ryptdomain.dp.ua
systemdriverupdate.ru
239.255.255.250

Analysis by Marianne Mallen and Jireh Sanico

Last update 03 April 2019
