Win32/Filecoder.TeslaCrypt [Threat Name]
Win32/Filecoder.TeslaCrypt.A [Threat Variant Name]
Category | trojan
Size | 167936 B
Aliases | Backdoor.Win32.Androm.glog (Kaspersky), Ransom:Win32/Tescrypt.A (Microsoft), FileCryptor.AMX.trojan (AVG)
Short description
Win32/Filecoder.TeslaCrypt.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to pay a ransom in Bitcoin.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable%.exe
%variable% stands for a string with variable content.
The file is then executed.
The trojan deletes the original file.
The trojan creates the following file:
- %desktop%\Cryptolocker.lnk
This is a shortcut that points to a malicious file.
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "svv_e" = "%appdata%\%variable%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "*svv_e" = "%appdata%\%variable%.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "svv_e" = "%appdata%\%variable%.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "*svv_e" = "%appdata%\%variable%.exe"
This causes the trojan to be executed on every system start. The leading asterisk in the RunOnce value names makes Windows process those entries even when it boots into Safe Mode.
The trojan creates the following files:
- %appdata%\log.html
- %appdata%\key.dat
- %desktop%\HELP_TO_SAVE_YOUR_FILES.bmp
- %desktop%\HELP_TO_SAVE_YOUR_FILES.txt
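The following script is an added example, not ESET's code and not part of the original description. It sweeps a host for the installation artefacts listed above: the Run/RunOnce value names svv_e and *svv_e, any executable dropped directly under %appdata%, and the files the trojan creates. On Windows it reads the live autorun keys through winreg; on other platforms it runs against a constructed sample of registry entries. The user name alice and the file names qwkdyx.exe and abcd.exe in the sample are invented.

```python
"""Host sweep for the installation artefacts of Win32/Filecoder.TeslaCrypt.A
listed above. Added example: not ESET's code and not the trojan's code.
On Windows the live Run/RunOnce keys are read via winreg; the sample
entries at the bottom are constructed so the logic can run anywhere."""
import ntpath
import os
import sys

# Autorun keys named in the description (both hives, Run and RunOnce).
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Value names the trojan sets; a leading '*' on a RunOnce value makes
# Windows run it even in Safe Mode.
AUTORUN_NAMES = {"svv_e", "*svv_e"}
# Files the trojan drops, relative to %appdata% and to the desktop.
DROPPED_APPDATA = ("log.html", "key.dat")
DROPPED_DESKTOP = ("Cryptolocker.lnk", "HELP_TO_SAVE_YOUR_FILES.bmp",
                   "HELP_TO_SAVE_YOUR_FILES.txt")


def read_autorun_entries():
    """Yield (key, value_name, data) for every value under AUTORUN_KEYS.
    Windows only: the winreg module does not exist elsewhere."""
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    for key in AUTORUN_KEYS:
        hive, _, subkey = key.partition("\\")
        try:
            handle = winreg.OpenKey(hives[hive], subkey)
        except OSError:          # key absent or access denied
            continue
        with handle:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(handle, index)
                except OSError:  # no more values under this key
                    break
                yield key, name, str(data)
                index += 1


def suspicious_autoruns(entries, appdata):
    """Return the (key, name, data) entries that match the trojan's
    persistence: its value names (case-insensitive), or any .exe sitting
    directly in the %appdata% folder, where it copies itself under a
    variable name."""
    appdata_dir = ntpath.normcase(ntpath.normpath(appdata))
    hits = []
    for key, name, data in entries:
        exe = ntpath.normcase(ntpath.normpath(data.strip('"')))
        dropped_copy = exe.endswith(".exe") and ntpath.dirname(exe) == appdata_dir
        if name.lower() in AUTORUN_NAMES or dropped_copy:
            hits.append((key, name, data))
    return hits


def dropped_files_present(appdata, desktop):
    """Return those dropped-file paths from the description that exist on disk."""
    paths = [os.path.join(appdata, f) for f in DROPPED_APPDATA]
    paths += [os.path.join(desktop, f) for f in DROPPED_DESKTOP]
    return [p for p in paths if os.path.isfile(p)]


# Constructed sample: one benign entry, one trojan entry, and one
# unrelated-looking .exe in the %appdata% root (invented names).
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_ENTRIES = [
    (AUTORUN_KEYS[0], "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (AUTORUN_KEYS[1], "*svv_e", r"C:\Users\alice\AppData\Roaming\qwkdyx.exe"),
    (AUTORUN_KEYS[2], "Updater", r"C:\Users\alice\AppData\Roaming\abcd.exe"),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        appdata = os.environ["APPDATA"]
        desktop = os.path.join(os.environ["USERPROFILE"], "Desktop")
        entries = list(read_autorun_entries())
    else:
        appdata, desktop, entries = SAMPLE_APPDATA, r"C:\Users\alice\Desktop", SAMPLE_ENTRIES
    for hit in suspicious_autoruns(entries, appdata):
        print("suspicious autorun:", hit)
    for path in dropped_files_present(appdata, desktop):
        print("dropped file present:", path)
```

The %appdata%-root check is deliberately broader than the two value names: a rebuilt sample could change the name, but the description ties the copy location to the %appdata% folder itself, so any .exe launched from there by an autorun value is worth a look.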
Payload information
The trojan encrypts files on local disks.
The trojan searches local drives for files with the following file extensions:
- *.3fr
- *.7z
- *.accdb
- *.ai
- *.apk
- *.arch00
- *.arw
- *.asset
- *.avi
- *.bar
- *.bay
- *.bc6
- *.bc7
- *.big
- *.bik
- *.bkf
- *.bkp
- *.blob
- *.bsa
- *.cas
- *.cdr
- *.cer
- *.cfr
- *.cr2
- *.crt
- *.crw
- *.css
- *.csv
- *.d3dbsp
- *.das
- *.dazip
- *.db
- *.db0
- *.dbf
- *.dcr
- *.der
- *.desc
- *.dmp
- *.dng
- *.doc
- *.docm
- *.docx
- *.dwg
- *.dxg
- *.epk
- *.eps
- *.erf
- *.esm
- *.ff
- *.flv
- *.forge
- *.fos
- *.fpk
- *.fsh
- *.gdb
- *.gho
- *.hkdb
- *.hkx
- *.hplg
- *.hvpl
- *.ibank
- *.icxs
- *.indd
- *.itdb
- *.itl
- *.itm
- *.iwd
- *.iwi
- *.jpe
- *.jpeg
- *.jpg
- *.js
- *.kdb
- *.kdc
- *.kf
- *.layout
- *.lbf
- *.litemod
- *.lrf
- *.ltx
- *.lvl
- *.m2
- *.m3u
- *.m4a
- *.map
- *.mcmeta
- *.mdb
- *.mdbackup
- *.mddata
- *.mdf
- *.mef
- *.menu
- *.mlx
- *.mov
- *.mp4
- *.mpqge
- *.mrwref
- *.ncf
- *.nrw
- *.ntl
- *.odb
- *.odc
- *.odm
- *.odp
- *.ods
- *.odt
- *.orf
- *.p12
- *.p7b
- *.p7c
- *.pak
- *.pdd
- *.pef
- *.pem
- *.pfx
- *.pkpass
- *.png
- *.ppt
- *.pptm
- *.pptx
- *.psd
- *.psk
- *.pst
- *.ptx
- *.py
- *.qdf
- *.qic
- *.r3d
- *.raf
- *.rar
- *.raw
- *.rb
- *.re4
- *.rgss3a
- *.rim
- *.rofl
- *.rtf
- *.rw2
- *.rwl
- *.sav
- *.sb
- *.sid
- *.sidd
- *.sidn
- *.sie
- *.sis
- *.slm
- *.snx
- *.sql
- *.sr2
- *.srf
- *.srw
- *.sum
- *.svg
- *.syncdb
- *.t12
- *.t13
- *.tax
- *.tor
- *.txt
- *.unity3d
- *.upk
- *.vcf
- *.vdf
- *.vfs0
- *.vpk
- *.vpp_pc
- *.vtf
- *.w3x
- *.wb2
- *.wma
- *.wmo
- *.wmv
- *.wotreplay
- *.wpd
- *.wps
- *.x3f
- *.xf
- *.xlk
- *.xls
- *.xlsb
- *.xlsm
- *.xlsx
- *.xxx
- *.zip
- *.ztmp
Only folders whose path does not contain one of the following strings are searched:
- %programfiles%
- %windir%
The trojan encrypts the file content using the AES encryption algorithm.
An additional ".ecc" extension is appended to the name of each encrypted file.
To decrypt the files, the user is asked to pay a ransom in Bitcoin.
The trojan displays a dialog box with the ransom demand (screenshot not reproduced).
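The following triage scanner is an added example, not ESET's code and not the trojan's. It applies the file-selection rules given above, the extension list, the %programfiles% / %windir% substring exclusion and the appended ".ecc" extension, to a directory tree and reports which files would be in scope and which already carry the ".ecc" mark. It reads only file names, never contents, and the path and file names in the test below are constructed.

```python
"""Triage scanner that applies the file-selection rules given above:
the extension list, the %programfiles% / %windir% path exclusion and the
".ecc" extension appended to encrypted files. Added example, not ESET's
code and not the trojan's; it only reads file names, never contents."""
import os
import sys

# The 186 extensions from the description, lower-case, without the dot.
TARGET_EXTENSIONS = frozenset("""
3fr 7z accdb ai apk arch00 arw asset avi bar bay bc6 bc7 big bik bkf bkp blob bsa
cas cdr cer cfr cr2 crt crw css csv d3dbsp das dazip db db0 dbf dcr der desc dmp dng
doc docm docx dwg dxg epk eps erf esm ff flv forge fos fpk fsh gdb gho hkdb hkx hplg
hvpl ibank icxs indd itdb itl itm iwd iwi jpe jpeg jpg js kdb kdc kf layout lbf
litemod lrf ltx lvl m2 m3u m4a map mcmeta mdb mdbackup mddata mdf mef menu mlx mov
mp4 mpqge mrwref ncf nrw ntl odb odc odm odp ods odt orf p12 p7b p7c pak pdd pef pem
pfx pkpass png ppt pptm pptx psd psk pst ptx py qdf qic r3d raf rar raw rb re4 rgss3a
rim rofl rtf rw2 rwl sav sb sid sidd sidn sie sis slm snx sql sr2 srf srw sum svg
syncdb t12 t13 tax tor txt unity3d upk vcf vdf vfs0 vpk vpp_pc vtf w3x wb2 wma wmo
wmv wotreplay wpd wps x3f xf xlk xls xlsb xlsm xlsx xxx zip ztmp
""".split())

ENCRYPTED_SUFFIX = ".ecc"


def is_excluded(path, exclusions):
    """True if any exclusion string occurs in the path: the same
    case-insensitive substring test the description gives for
    %programfiles% and %windir%. None entries are ignored."""
    p = os.path.normcase(path)
    return any(os.path.normcase(x) in p for x in exclusions if x)


def classify(filename):
    """'encrypted' for a file already carrying .ecc, 'target' for a file
    whose extension is on the trojan's list, None otherwise."""
    name = filename.lower()
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    ext = os.path.splitext(name)[1].lstrip(".")
    return "target" if ext in TARGET_EXTENSIONS else None


def original_name(encrypted_name):
    """Strip the appended .ecc to recover the original file name."""
    return encrypted_name[:-len(ENCRYPTED_SUFFIX)]


def scan(root, exclusions=()):
    """Walk root the way the trojan does and bucket files into the ones it
    would encrypt ('target') and the ones it has already renamed ('encrypted')."""
    found = {"target": [], "encrypted": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if is_excluded(dirpath, exclusions):
            dirnames[:] = []    # prune: excluded folders are not descended into
            continue
        for fn in filenames:
            kind = classify(fn)
            if kind:
                found[kind].append(os.path.join(dirpath, fn))
    return found


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    # On Windows the real folders are excluded; elsewhere the variables
    # are unset and nothing is excluded.
    exclusions = [os.environ.get("PROGRAMFILES"), os.environ.get("WINDIR")]
    result = scan(root, exclusions)
    print(f"{len(result['target'])} file(s) in scope, "
          f"{len(result['encrypted'])} already renamed to {ENCRYPTED_SUFFIX}")
    for p in result["encrypted"][:20]:
        print("  encrypted:", p, "->", original_name(os.path.basename(p)))
```

Run it against a user profile or a mounted image to size the damage: the "encrypted" bucket is what needs restoring, the "target" bucket is what a second run of the trojan would still reach. Note that .exe is not on the list, so the trojan's own copy and the system's binaries are left alone, while source files such as .py, .rb, .js and .sql are targeted.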
Information stealing
The trojan collects the following information:
- operating system version
- external IP address of the network device
- cryptographic keys
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of 6 URLs. The HTTP protocol is used in the communication.
Other information
The trojan terminates processes with any of the following strings in the path:
- taskmgr
- procexp
- regedit
- msconfig
- cmd.exe
The following Registry entries are set:
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "Wallpaper" = "%desktop%\HELP_TO_SAVE_YOUR_FILES.bmp"
- "WallpaperStyle" = 0
- "TileWallpaper" = 0
The trojan executes the following command:
- vssadmin.exe delete shadows /all /Quiet
This deletes all Volume Shadow Copies on the system, so encrypted files cannot be restored from earlier snapshots.
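The following detection logic is an added example, not ESET's code and not part of the original description. It runs over constructed Sysmon-style events (process creation, registry value set, file creation) and raises alerts for the payload behaviours described on this page: the vssadmin shadow-copy deletion, the wallpaper change to HELP_TO_SAVE_YOUR_FILES.bmp, the ransom note being dropped, and a burst of ".ecc" file creations by a single process. The event field names, process IDs, user name alice and timestamps are invented for illustration; the process-termination behaviour is not covered because a terminate event does not record which process issued it.

```python
"""Behavioural detection for the payload actions listed above, run over
constructed Sysmon-style events (process creation, registry value set,
file creation). Added example, not ESET's code; the event shape, pids,
user name and timestamps are invented for illustration."""
from collections import defaultdict

RANSOM_NOTE_STEM = "help_to_save_your_files"   # HELP_TO_SAVE_YOUR_FILES.bmp / .txt
ENCRYPTED_SUFFIX = ".ecc"
BURST_COUNT = 10      # this many .ecc creations by one process ...
BURST_WINDOW = 60.0   # ... within this many seconds raises one alert


def detect(events):
    """Return [(ts, rule, detail)] alerts in time order."""
    alerts = []
    ecc_times = defaultdict(list)   # pid -> recent .ecc creation timestamps
    burst_flagged = set()           # pids already alerted on, to avoid repeats
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "process":
            cmd = ev["cmdline"].lower()
            # vssadmin.exe delete shadows /all /Quiet (any flag order)
            if (ev["image"].lower().endswith("vssadmin.exe")
                    and "delete" in cmd and "shadows" in cmd):
                alerts.append((ev["ts"], "shadow_copy_deletion", ev["cmdline"]))
        elif kind == "registry":
            # HKCU\Control Panel\Desktop\Wallpaper -> HELP_TO_SAVE_YOUR_FILES.bmp
            if (ev["key"].lower().endswith(r"control panel\desktop")
                    and ev["value"].lower() == "wallpaper"
                    and RANSOM_NOTE_STEM in ev["data"].lower()):
                alerts.append((ev["ts"], "ransom_wallpaper", ev["data"]))
        elif kind == "file":
            path = ev["path"].lower()
            basename = path.rsplit("\\", 1)[-1]
            if basename.startswith(RANSOM_NOTE_STEM):
                alerts.append((ev["ts"], "ransom_note_dropped", ev["path"]))
            elif path.endswith(ENCRYPTED_SUFFIX):
                recent = ecc_times[ev["pid"]]
                recent.append(ev["ts"])
                # keep only timestamps inside the sliding window
                while recent and ev["ts"] - recent[0] > BURST_WINDOW:
                    recent.pop(0)
                if len(recent) >= BURST_COUNT and ev["pid"] not in burst_flagged:
                    burst_flagged.add(ev["pid"])
                    alerts.append((ev["ts"], "ecc_encryption_burst",
                                   f"pid {ev['pid']} wrote {len(recent)} "
                                   f".ecc files within {BURST_WINDOW:.0f}s"))
    return alerts


# Constructed sample: shadow deletion, a benign vssadmin call, twelve .ecc
# creations by one process, one stray .ecc by another, the note and wallpaper.
SAMPLE_EVENTS = [
    {"ts": 95, "type": "process", "pid": 4120,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /Quiet"},
    {"ts": 96, "type": "process", "pid": 5000,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign, no alert
] + [
    {"ts": 100 + i, "type": "file", "pid": 4120,
     "path": rf"C:\Users\alice\Documents\report{i}.docx.ecc"}
    for i in range(12)
] + [
    {"ts": 105, "type": "file", "pid": 900,
     "path": r"C:\Users\alice\Downloads\sample.ecc"},   # one file, no burst
    {"ts": 119, "type": "file", "pid": 4120,
     "path": r"C:\Users\alice\Desktop\HELP_TO_SAVE_YOUR_FILES.txt"},
    {"ts": 120, "type": "registry", "pid": 4120,
     "key": r"HKEY_CURRENT_USER\Control Panel\Desktop", "value": "Wallpaper",
     "data": r"C:\Users\alice\Desktop\HELP_TO_SAVE_YOUR_FILES.bmp"},
]

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(f"t={ts:>4} {rule:<24} {detail}")
```

The shadow-copy rule is the earliest signal in the sample and fires before any file is touched, which is why it is worth alerting on regardless of the rest; the .ecc burst rule is the one that survives a renamed binary, since it keys on the file extension the trojan appends rather than on its own name.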