Home / malwarePDF  

Win32/Tescrypt


First posted on 24 April 2016.
Source: Microsoft

Aliases :

There are no other names known for Win32/Tescrypt.

Explanation :

Installation

The threat might be dropped by exploit kits such as Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange).

This threat copies itself to the following folders:

  • %APPDATA% folder
  • %USERPROFILE%\Documents
  • %SystemRoot%


It uses a random name for its copy, for example:
  • apsjnlkvgvvi.exe
  • qubmvec.exe
  • lclrgoijwqhr.exe
  • yndtyyg.exe


For example, the location and name of the malware copy might look like this:
  • C:\Documents and Settings\\Application Data\qubmvec.exe
  • C:\Users\\AppData\Roaming\qubmvec.exe)


It might also install the following files in the %APPDATA% folder:
  • key.dat - user specific bitcoin address
  • log.html - contains a list of encrypted files


It modifies one of the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Sets value:
With data:

We have seen it use the following strings for the :
  • 12_23-dst
  • 1qw23qw4qe-r2r1t3
  • 1qwqwqe-r213
  • AVrSvc
  • AVSvc
  • crypto13
  • dsfgsdf-67897869
  • gatert-12010
  • mscon
  • msconfig
  • msdedf
  • mssvc
  • qwer-sadkfgsa
  • rimage-v5
  • srv-2016
  • svv_e
  • verif-8746
  • werity-32452345
  • wertret
  • zsevice-34
  • zsevice-455


It might also set the registry key to use cmd.exe to run the malware file copy, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value:
With data: "\cmd.exe /c start "" """

Alternatively, it might drop and run a batch script (.bat) file to create the registry key. We have seen it use the following script to do this:
  • reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v /t REG_SZ /d "" /f


Payload

This ransomware can search for files in all of the folders with the following extensions and then encrypt them:​
  • .3fr
  • .7z
  • .accdb
  • .ai
  • .apk
  • .arch00
  • .arw
  • .asset
  • .avi
  • .bar
  • .bay
  • .bc6
  • .bc7
  • .big
  • .bik
  • .bkf
  • .bkp
  • .blob
  • .bsa
  • .cas
  • .cdr
  • .cer
  • .cfr
  • .cr2
  • .crt
  • .crw
  • .css
  • .csv
  • .d3dbsp
  • .das
  • .dayzprofile
  • .dazip
  • .db0
  • .dbfv
  • .dcr
  • .der
  • .desc
  • .dmp
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwg
  • .dxg
  • .epk
  • .eps
  • .erf
  • .esm
  • .ff
  • .flv
  • .forge
  • .fos
  • .fpk
  • .fsh
  • .gdb
  • .gho
  • .hkdb
  • .hkx
  • .hplg
  • .hvpl
  • .ibank
  • .icxs
  • .indd
  • .itdb
  • .itl
  • .itm
  • .iwd
  • .iwi
  • .jpe
  • .jpeg
  • .jpg
  • .js
  • .kdb
  • .kdc
  • .kf
  • .layout
  • .lbf
  • .litemod
  • .lrf
  • .ltx
  • .lvl
  • .m2
  • .m3u
  • .m4a
  • .map
  • .mcgame
  • .mcmeta
  • .mdb
  • .mdbackup
  • .mddata
  • .mdf
  • .mef
  • .menu
  • .mlx
  • .mpqge
  • .mrwref
  • .ncf
  • .nrw
  • .ntl
  • .odb
  • .odc
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pak
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .pkpass
  • .png
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .psk
  • .pst
  • .ptx
  • .py
  • .qdf
  • .qic
  • .r3d
  • .raf
  • .rar
  • .raw
  • .rb
  • .re4
  • .rgss3a
  • .rim
  • .rofl
  • .rtf
  • .rw2
  • .rwl
  • .sav
  • .sb
  • .sc2save
  • .sid
  • .sidd
  • .sidn
  • .sie
  • .sis
  • .slm
  • .snx
  • .sr2
  • .srf
  • .srw
  • .sum
  • .svg
  • .syncdb
  • .t12
  • .t13
  • .tax
  • .tor
  • .txt
  • .unity3d
  • .upk
  • .vdf
  • .vfs0
  • .vpk
  • .vpp_pc
  • .vtf
  • .w3x
  • .wb2
  • .wma
  • .wmo
  • .wmv
  • .wotreplay
  • .wpd
  • .wps
  • .x3f
  • .xf
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xxx
  • .ztmp


After the files are encrypted, the ransomware renames the files by changing the file extension to one of the following:
  • .crypted
  • .ecc
  • .ess
  • .exx
  • .ezz
  • .micro
  • .mp3
  • .vvv


It displays a dialog box similar to the following screenshots:



When you click the ransomware window button, it opens a dialog box similar to the following screenshot:



Then it opens the decryption site:

When you enter the BitCoin address supplied to access the Alpha Crypt payment page, it displays an encryption notification message similar to the following screenshot:

This ransomware also creates the following files under %USERPROFILE%\Desktop:
  • CryptoLocker.lnk - points to and runs the malicious executable file in %APPDATA% folder


It drops files to your %USERPROFILE%\Documents directory that contain instructions on how to decrypt your files. It uses a number of file names and file types, including plain text (.txt), web page (.html), and image (.bmp and .png) file types. The following are some examples of the file names we have seen:
  • _h_e_l_p_recover_instructions+
  • _recovery_+
  • help_recover_instructions+
  • help_restore_files_
  • help_to_decrypt_your_files
  • HELP_TO_SAVE_FILES
  • help_to_save_your_files
  • how_recover+
  • recovery_file_
  • restore_files_


It might set the image files as your desktop wallpaper so you see the message whenever you log in.

It also deletes shadow files to prevent you from restoring your files from a local backup. We have seen it run the following commands:
  • \wbem\WMIC.exe shadowcopy delete /nointeractive
  • \vssadmin.exe delete shadows /all /Quiet




Analysis by Jireh Sanico

Last update 24 April 2016

 

TOP

Malware :