Win32/Tescrypt
First posted on 24 April 2016.
Source: Microsoft
Aliases:
There are no other names known for Win32/Tescrypt.
Explanation:
Installation
The threat might be dropped by exploit kits such as Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange).
This threat copies itself to the following folders:
- %APPDATA% folder
- %USERPROFILE%\Documents
- %SystemRoot%
It uses a random name for its copy, for example:
- apsjnlkvgvvi.exe
- qubmvec.exe
- lclrgoijwqhr.exe
- yndtyyg.exe
For example, the location and name of the malware copy might look like this:
- C:\Documents and Settings\<user name>\Application Data\qubmvec.exe
- C:\Users\<user name>\AppData\Roaming\qubmvec.exe
It might also install the following files in the %APPDATA% folder:
- key.dat - user-specific Bitcoin address
- log.html - contains a list of the encrypted files
It modifies one of the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: <value name>
With data: <path to the malware copy>
We have seen it use the following strings for the value name:
- 12_23-dst
- 1qw23qw4qe-r2r1t3
- 1qwqwqe-r213
- AVrSvc
- AVSvc
- crypto13
- dsfgsdf-67897869
- gatert-12010
- mscon
- msconfig
- msdedf
- mssvc
- qwer-sadkfgsa
- rimage-v5
- srv-2016
- svv_e
- verif-8746
- werity-32452345
- wertret
- zsevice-34
- zsevice-455
It might also set the registry value so that cmd.exe launches the malware copy, for example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <value name>
With data: "<system folder>\cmd.exe /c start "" "<path to the malware copy>""
Alternatively, it might drop and run a batch script (.bat) file to create the registry value. We have seen it use the following command to do this:
- reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v <value name> /t REG_SZ /d "<path to the malware copy>" /f
Payload
This ransomware searches all folders for files with the following extensions and then encrypts them:
- .3fr
- .7z
- .accdb
- .ai
- .apk
- .arch00
- .arw
- .asset
- .avi
- .bar
- .bay
- .bc6
- .bc7
- .big
- .bik
- .bkf
- .bkp
- .blob
- .bsa
- .cas
- .cdr
- .cer
- .cfr
- .cr2
- .crt
- .crw
- .css
- .csv
- .d3dbsp
- .das
- .dayzprofile
- .dazip
- .db0
- .dbfv
- .dcr
- .der
- .desc
- .dmp
- .dng
- .doc
- .docm
- .docx
- .dwg
- .dxg
- .epk
- .eps
- .erf
- .esm
- .ff
- .flv
- .forge
- .fos
- .fpk
- .fsh
- .gdb
- .gho
- .hkdb
- .hkx
- .hplg
- .hvpl
- .ibank
- .icxs
- .indd
- .itdb
- .itl
- .itm
- .iwd
- .iwi
- .jpe
- .jpeg
- .jpg
- .js
- .kdb
- .kdc
- .kf
- .layout
- .lbf
- .litemod
- .lrf
- .ltx
- .lvl
- .m2
- .m3u
- .m4a
- .map
- .mcgame
- .mcmeta
- .mdb
- .mdbackup
- .mddata
- .mdf
- .mef
- .menu
- .mlx
- .mpqge
- .mrwref
- .ncf
- .nrw
- .ntl
- .odb
- .odc
- .odm
- .odp
- .ods
- .odt
- .orf
- .p12
- .p7b
- .p7c
- .pak
- .pdd
- .pef
- .pem
- .pfx
- .pkpass
- .png
- .ppt
- .pptm
- .pptx
- .psd
- .psk
- .pst
- .ptx
- .py
- .qdf
- .qic
- .r3d
- .raf
- .rar
- .raw
- .rb
- .re4
- .rgss3a
- .rim
- .rofl
- .rtf
- .rw2
- .rwl
- .sav
- .sb
- .sc2save
- .sid
- .sidd
- .sidn
- .sie
- .sis
- .slm
- .snx
- .sr2
- .srf
- .srw
- .sum
- .svg
- .syncdb
- .t12
- .t13
- .tax
- .tor
- .txt
- .unity3d
- .upk
- .vdf
- .vfs0
- .vpk
- .vpp_pc
- .vtf
- .w3x
- .wb2
- .wma
- .wmo
- .wmv
- .wotreplay
- .wpd
- .wps
- .x3f
- .xf
- .xlk
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xxx
- .ztmp
After the files are encrypted, the ransomware renames the files by changing the file extension to one of the following:
- .crypted
- .ecc
- .ess
- .exx
- .ezz
- .micro
- .mp3
- .vvv
It displays a dialog box similar to the following screenshots:
When you click the ransomware window button, it opens a dialog box similar to the following screenshot:
Then it opens the decryption site:
When you enter the Bitcoin address supplied to access the Alpha Crypt payment page, it displays an encryption notification message similar to the following screenshot:
This ransomware also creates the following files under %USERPROFILE%\Desktop:
- CryptoLocker.lnk - points to and runs the malicious executable file in %APPDATA% folder
It drops files to your %USERPROFILE%\Documents directory that contain instructions on how to decrypt your files. It uses a number of file names and file types, including plain text (.txt), web page (.html), and image (.bmp and .png) file types. The following are some examples of the file names we have seen:
- _h_e_l_p_recover_instructions+
- _recovery_+
- help_recover_instructions+
- help_restore_files_
- help_to_decrypt_your_files
- HELP_TO_SAVE_FILES
- help_to_save_your_files
- how_recover+
- recovery_file_
- restore_files_
It might set the image files as your desktop wallpaper so you see the message whenever you log in.
It also deletes Volume Shadow Copies to prevent you from restoring your files from a local backup. We have seen it run the following commands:
- <system folder>\wbem\WMIC.exe shadowcopy delete /nointeractive
- <system folder>\vssadmin.exe delete shadows /all /Quiet
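The persistence commands (Run-key value, cmd.exe /c start launcher, reg add batch variant) and the shadow-copy deletion commands above are the behaviours a defender can alert on. The following is an added detection example, not code from this page or from Microsoft: it matches process command lines and created file names against exactly the strings listed on this page, over a constructed sample log. The `timestamp|user|command line` log format and the sample events are assumptions.

```python
import re

# Command-line patterns built from the behaviours this page describes:
# shadow-copy deletion, Run/RunOnce key creation via reg add, cmd.exe /c start launcher.
PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "run_key_persistence": re.compile(
        r"\breg(\.exe)?\s+add\s+\"?hk(ey_current_user|cu|ey_local_machine|lm)\\"
        r"software\\microsoft\\windows\\currentversion\\run(once)?\b", re.I),
    "cmd_start_launcher": re.compile(
        r"\bcmd(\.exe)?\s+/c\s+start\s+\"\"\s+\"[^\"]*\.exe\"", re.I),
}

# Ransom-note name stems and post-encryption extensions listed on this page.
# Note: .mp3 is on the page's list but also matches legitimate audio files.
NOTE_STEMS = ("_h_e_l_p_recover_instructions+", "_recovery_+", "help_recover_instructions+",
              "help_restore_files_", "help_to_decrypt_your_files", "help_to_save_files",
              "help_to_save_your_files", "how_recover+", "recovery_file_", "restore_files_")
ENCRYPTED_EXTS = (".crypted", ".ecc", ".ess", ".exx", ".ezz", ".micro", ".mp3", ".vvv")

def classify_command(cmdline):
    """Return the names of every pattern a process command line matches."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]

def classify_filename(name):
    """Tag a created file as a ransom note or an encrypted file, else None."""
    lower = name.lower()
    if any(lower.startswith(stem) for stem in NOTE_STEMS):
        return "ransom_note"
    if lower.endswith(ENCRYPTED_EXTS):
        return "encrypted_file"
    return None

def scan_process_log(lines):
    """Each line is 'timestamp|user|command line'; return (timestamp, tags) for hits."""
    hits = []
    for line in lines:
        ts, _user, cmd = line.split("|", 2)
        tags = classify_command(cmd)
        if tags:
            hits.append((ts, tags))
    return hits

# Constructed sample process-creation events (not real telemetry); last one is benign.
SAMPLE_LOG = [
    "2016-04-24T10:00:01|alice|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /Quiet",
    "2016-04-24T10:00:02|alice|C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete /nointeractive",
    "2016-04-24T10:00:03|alice|reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v msconfig /t REG_SZ /d \"C:\\Users\\alice\\AppData\\Roaming\\qubmvec.exe\" /f",
    "2016-04-24T10:00:04|alice|C:\\Windows\\System32\\cmd.exe /c start \"\" \"C:\\Users\\alice\\AppData\\Roaming\\qubmvec.exe\"",
    "2016-04-24T10:00:05|alice|notepad.exe C:\\Users\\alice\\Documents\\notes.txt",
]
```

Shadow-copy deletion by a process running from %APPDATA% or %USERPROFILE%\Documents is the highest-confidence signal here; the file-name checks are best used on file-creation events from the same process.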
Analysis by Jireh Sanico
Last update 24 April 2016