
Ransom:Win32/Tescrypt.A


First posted on 09 May 2015.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Tescrypt.A.

Explanation:

Threat behavior

Installation

This threat copies itself as a randomly named file in the %APPDATA% folder (for example, C:\Documents and Settings\\Application Data\qubmvec.exe, C:\Users\\AppData\Roaming\qubmvec.exe).

It might also install the following files in the %APPDATA% folder:

  • key.dat - user-specific bitcoin address
  • log.html - contains a list of the encrypted files


It modifies one of the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: crypto13
With data: C:\Documents and Settings\\Application Data\.exe

As of April 2015, we have observed an increase in Tescrypt activity as it gets dropped by a few exploit kits such as Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange).

Payload

This ransomware searches every folder for files with the following extensions and encrypts them:

.001 .css .fsh .lvl .p7b .rim .upk .3fr .csv .gdb .m2 .p7c .rofl .vdf .7z .d3dbsp .gho .m3u .pak .rtf .vfs0 .accdb .das .hkdb .m4a .pdd .rw2 .vpk .ai .dayzprofile .hkx .map .pdf .rwl .vpp_pc .apk .dazip .hplg .mcgame .pef .sav .vtf .arch00 .db0 .hvpl .mcmeta .pem .sb .w3x .arw .dbfv .ibank .mdb .pfx .sc2save .wb2 .asset .dcr .icxs .mdbackup .pkpass .sid .wma .avi .der .indd .mddata .png .sidd .wmo .bar .desc .itdb .mdf .ppt .sidn .wmv .bay .dmp .itl .mef .pptm .sie .wotreplay .bc6 .dng .itm .menu .pptx .sis .wpd .bc7 .doc .iwd .mlx .psd .slm .wps .big .docm .iwi .mpqge .psk .snx .x3f .bik .docx .jpe .mrwref .pst .sr2 .xf .bkf .dwg .jpeg .ncf .ptx .srf .xlk .bkp .dxg .jpg .nrw .py .srw .xls .blob .epk .js .ntl .qdf .sum .xlsb .bsa .eps .kdb .odb .qic .svg .xlsm .cas .erf .kdc .odc .r3d .syncdb .xlsx .cdr .esm .kf .odm .raf .t12 .xxx .cer .ff .layout .odp .rar .t13 .ztmp .cfr .flv .lbf .ods .raw .tax .cr2 .forge .litemod .odt .rb .tor .crt .fos .lrf .orf .re4 .txt .crw .fpk .ltx .p12 .rgss3a .unity3d



After encrypting a file, the ransomware renames it by appending ".ecc" or ".ezz" to the existing file extension. For example, .png becomes .png.ecc, and .jpg becomes .jpg.ezz.

It displays a lock screen similar to the following screenshots:





This ransomware also creates the following files under %desktopdirectory%:

  • CryptoLocker.lnk - points to and runs the malicious executable in the %APPDATA% folder
  • HELP_TO_DECRYPT_YOUR_FILES.TXT - contains the ransom message or notification
  • HELP_TO_DECRYPT_YOUR_FILES.BMP - set as the desktop wallpaper; also contains the ransom message or notification


It also deletes volume shadow copies so that you cannot restore your files from a local backup.



Analysis by Jireh Sanico

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:
    • CryptoLocker.lnk
    • HELP_TO_DECRYPT_YOUR_FILES.TXT
    • HELP_TO_DECRYPT_YOUR_FILES.BMP
    • key.dat
    • log.html
  • You see these entries or keys in your registry:
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: crypto13
      With data: C:\Documents and Settings\\Application Data\.exe
  • You see these lock screens:
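The symptoms listed above (appended .ecc/.ezz extensions, the dropped files in %APPDATA% and on the desktop, and the crypto13 Run value) can be checked together. The following is an added example, not Microsoft's tooling; the helper names are my own, the sample profile is constructed in a temporary directory, and the Run key data is passed in as a dictionary so the check also runs offline against exported registry data:

```python
import os
import tempfile

# Indicators taken from the description above; helper names are my own (hypothetical)
ENCRYPTED_SUFFIXES = (".ecc", ".ezz")
APPDATA_DROPS = {"key.dat", "log.html"}
DESKTOP_DROPS = {"CryptoLocker.lnk", "HELP_TO_DECRYPT_YOUR_FILES.TXT",
                 "HELP_TO_DECRYPT_YOUR_FILES.BMP"}
RUN_VALUE = "crypto13"  # value name under HKCU\...\CurrentVersion\Run

def find_encrypted_files(root):
    """Files named <name>.<ext>.ecc/.ezz, i.e. the suffix appended to a real extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            stem, _, tail = name.lower().rpartition(".")
            if "." + tail in ENCRYPTED_SUFFIXES and "." in stem:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def dropped_artifacts(appdata, desktop):
    """Which of the dropped files listed above are present in %APPDATA% and on the desktop."""
    present = {n for n in APPDATA_DROPS if os.path.isfile(os.path.join(appdata, n))}
    present |= {n for n in DESKTOP_DROPS if os.path.isfile(os.path.join(desktop, n))}
    return present

def assess(root, appdata, desktop, run_values):
    """run_values: {value name: data} from the Run key. On Windows read it with winreg;
    it is passed in here so the check also runs offline against exported data."""
    encrypted = find_encrypted_files(root)
    drops = dropped_artifacts(appdata, desktop)
    run_data = run_values.get(RUN_VALUE)
    return {"encrypted_files": encrypted, "dropped_files": sorted(drops),
            "run_key_data": run_data,
            # any single indicator warrants investigation
            "suspicious": bool(encrypted) or bool(drops) or run_data is not None}

def run_demo():
    """Build a constructed, infected-looking profile in a temp dir and assess it."""
    base = tempfile.mkdtemp()
    appdata, desktop, docs = (os.path.join(base, p) for p in ("AppData/Roaming", "Desktop", "Documents"))
    for d, names in ((appdata, ["key.dat", "log.html", "qubmvec.exe"]),
                     (desktop, ["CryptoLocker.lnk", "HELP_TO_DECRYPT_YOUR_FILES.TXT"]),
                     (docs, ["report.docx.ecc", "photo.jpg.ezz", "notes.txt", "archive.ecc"])):
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "w").close()
    run_values = {"crypto13": os.path.join(appdata, "qubmvec.exe")}  # constructed Run key export
    return assess(base, appdata, desktop, run_values)
```

Note that archive.ecc is deliberately not reported: without an original extension in front of the suffix it does not match the renaming pattern the description gives.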






Last update 09 May 2015
