
Win32/Tescrypt


First posted on 10 May 2015.
Source: Microsoft

Aliases:

There are no other names known for Win32/Tescrypt.

Explanation:

Threat behavior

Installation

This threat copies itself as a randomly named file in the %APPDATA% folder (for example, C:\Documents and Settings\\Application Data\qubmvec.exe, C:\Users\\AppData\Roaming\qubmvec.exe).

It might also install the following files in the %APPDATA% folder:

  • key.dat - user-specific Bitcoin address
  • log.html - contains a list of encrypted files


It sets the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: crypto13
With data: C:\Documents and Settings\\Application Data\.exe

As of April 2015, we have observed an increase in Tescrypt activity as it is dropped by several exploit kits, such as Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange).

Payload

This ransomware searches all folders for files with the following extensions and then encrypts them:

.001 .css .fsh .lvl .p7b .rim .upk .3fr .csv .gdb .m2 .p7c .rofl .vdf .7z .d3dbsp .gho .m3u .pak .rtf .vfs0 .accdb .das .hkdb .m4a .pdd .rw2 .vpk .ai .dayzprofile .hkx .map .pdf .rwl .vpp_pc .apk .dazip .hplg .mcgame .pef .sav .vtf .arch00 .db0 .hvpl .mcmeta .pem .sb .w3x .arw .dbfv .ibank .mdb .pfx .sc2save .wb2 .asset .dcr .icxs .mdbackup .pkpass .sid .wma .avi .der .indd .mddata .png .sidd .wmo .bar .desc .itdb .mdf .ppt .sidn .wmv .bay .dmp .itl .mef .pptm .sie .wotreplay .bc6 .dng .itm .menu .pptx .sis .wpd .bc7 .doc .iwd .mlx .psd .slm .wps .big .docm .iwi .mpqge .psk .snx .x3f .bik .docx .jpe .mrwref .pst .sr2 .xf .bkf .dwg .jpeg .ncf .ptx .srf .xlk .bkp .dxg .jpg .nrw .py .srw .xls .blob .epk .js .ntl .qdf .sum .xlsb .bsa .eps .kdb .odb .qic .svg .xlsm .cas .erf .kdc .odc .r3d .syncdb .xlsx .cdr .esm .kf .odm .raf .t12 .xxx .cer .ff .layout .odp .rar .t13 .ztmp .cfr .flv .lbf .ods .raw .tax .cr2 .forge .litemod .odt .rb .tor .crt .fos .lrf .orf .re4 .txt .crw .fpk .ltx .p12 .rgss3a .unity3d



After the files are encrypted, the ransomware renames them by appending ".ecc" or ".ezz" to the affected file's extension. For example, .png becomes .png.ecc, or .jpg becomes .jpg.ezz.

It displays a dialog box similar to the following screenshots:

As of May 8, 2015, we have seen that when you click the button in the ransomware window, it opens a dialog box similar to the following screenshot:

Then it opens the decryption site:

When you enter the supplied Bitcoin address to access the Alpha Crypt payment page, it displays an encryption notification message similar to the following screenshot:
This ransomware also creates the following files under %desktopdirectory%:

  • CryptoLocker.lnk - points to and runs the malicious executable file in the %APPDATA% folder
  • HELP_TO_DECRYPT_YOUR_FILES.TXT - contains the encryption message or notification
  • HELP_TO_DECRYPT_YOUR_FILES.BMP - set as the desktop wallpaper; also contains the encryption message or notification
  • HELP_TO_SAVE_FILES.bmp
  • HELP_TO_SAVE_FILES.txt


It also deletes shadow copies to prevent you from restoring your files from a local backup.



Analysis by Jireh Sanico

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:
    • CryptoLocker.lnk
    • HELP_TO_DECRYPT_YOUR_FILES.TXT
    • HELP_TO_DECRYPT_YOUR_FILES.BMP
    • key.dat
    • log.html
  • You see these entries or keys in your registry:
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: crypto13
      With data: C:\Documents and Settings\\Application Data\.exe
  • You see a dialog box similar to the following screenshots:
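
A host triage check for the symptoms listed above, added here as an example and not part of the Microsoft write-up. It matches observed file paths and HKCU Run values against the dropped-file names, the crypto13 Run value and the .ecc/.ezz suffixes described on this page, and also generalises the Run entry by flagging any value that launches an executable straight from the %APPDATA% root. The sample snapshot, the user name and the scan_live_windows_host helper are assumptions, not taken from the page.

```python
"""Host triage for the Win32/Tescrypt indicators described on this page (added example)."""
import ntpath
import os

RUN_VALUE_NAME = "crypto13"                           # Run value name set by the threat
APPDATA_ROOT_NAMES = {"roaming", "application data"}  # basenames of the %APPDATA% root
DROPPED_FILES = {"key.dat", "log.html", "cryptolocker.lnk", "help_to_decrypt_your_files.txt",
                 "help_to_decrypt_your_files.bmp", "help_to_save_files.txt", "help_to_save_files.bmp"}
ENCRYPTED_SUFFIXES = (".ecc", ".ezz")                 # appended to encrypted files

# Constructed sample snapshot (not from the page): dropped files, a ransom note, renamed documents, a clean file.
SAMPLE_PATHS = [r"C:\Users\alice\AppData\Roaming\key.dat", r"C:\Users\alice\AppData\Roaming\log.html",
                r"C:\Users\alice\Desktop\HELP_TO_DECRYPT_YOUR_FILES.TXT",
                r"C:\Users\alice\Documents\report.docx.ecc", r"C:\Users\alice\Pictures\cat.jpg.ezz",
                r"C:\Users\alice\Documents\notes.txt"]
SAMPLE_RUN = {"crypto13": r"C:\Users\alice\AppData\Roaming\qubmvec.exe",
              "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}


def find_tescrypt_indicators(file_paths, run_values):
    """Match observed paths and HKCU Run values ({name: data}) against the indicators above."""
    findings = []
    for name, data in run_values.items():
        exe = data.strip('"')
        parent = ntpath.basename(ntpath.dirname(exe)).lower()
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' matches Tescrypt: {data}")
        elif parent in APPDATA_ROOT_NAMES and exe.lower().endswith(".exe"):
            # Generalisation: any executable launched straight from the %APPDATA% root
            findings.append(f"Run value '{name}' starts an exe from %APPDATA%: {data}")
    encrypted = 0
    for path in file_paths:
        base = ntpath.basename(path).lower()
        if base in DROPPED_FILES:
            findings.append(f"ransomware artifact present: {path}")
        elif base.endswith(ENCRYPTED_SUFFIXES):
            encrypted += 1
    if encrypted:
        findings.append(f"{encrypted} file(s) carry the .ecc/.ezz extension")
    return findings


def scan_live_windows_host():
    """Walk %APPDATA% and the desktop, read the HKCU Run key, and evaluate (Windows only)."""
    import winreg  # importable on Windows only
    roots = (os.environ["APPDATA"], os.path.join(os.environ["USERPROFILE"], "Desktop"))
    paths = [os.path.join(d, n) for root in roots for d, _, names in os.walk(root) for n in names]
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        run = {n: str(d) for n, d, _ in (winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1]))}
    return find_tescrypt_indicators(paths, run)
```

Running find_tescrypt_indicators(SAMPLE_PATHS, SAMPLE_RUN) yields five findings: the crypto13 Run value, the three dropped files and a count of two renamed files; the OneDrive entry is not flagged because its executable is not in the %APPDATA% root.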

Last update 10 May 2015
