Win32/Filecoder.TeslaCrypt [Threat Name] go to Threat

Win32/Filecoder.TeslaCrypt.A [Threat Variant Name]

Category	trojan
Size	167936 B
Aliases	Backdoor.Win32.Androm.glog (Kaspersky)
	Ransom:Win32/Tescrypt.A (Microsoft)
	FileCryptor.AMX.trojan (AVG)

Short description

Win32/Filecoder.TeslaCrypt.A is a trojan that encrypts files on local drives. To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

Installation

When executed, the trojan copies itself into the following location:

%appdata%\%variable%.exe

A string with variable content is used instead of %variable% .

The file is then executed.

The trojan deletes the original file.

The trojan creates the following file:

%desktop%\Cryptolocker.lnk

The file is a shortcut to a malicious file.

The trojan may set the following Registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "svv_e" = "%appdata%\%variable%.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "*svv_e" = "%appdata%\%variable%.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "svv_e" = "%appdata%\%variable%.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "*svv_e" = "%appdata%\%variable%.exe"

This causes the trojan to be executed on every system start.

The trojan creates the following files:

%appdata%\log.html
%appdata%\key.dat
%desktop%\HELP_TO_SAVE_YOUR_FILES.bmp
%desktop%\HELP_TO_SAVE_YOUR_FILES.txt

Payload information

The trojan encrypts files on local disks.

The trojan searches local drives for files with the following file extensions:

*.3fr
*.7z
*.accdb
*.ai
*.apk
*.arch00
*.arw
*.asset
*.avi
*.bar
*.bay
*.bc6
*.bc7
*.big
*.bik
*.bkf
*.bkp
*.blob
*.bsa
*.cas
*.cdr
*.cer
*.cfr
*.cr2
*.crt
*.crw
*.css
*.csv
*.d3dbsp
*.das
*.dazip
*.db
*.db0
*.dbf
*.dcr
*.der
*.desc
*.dmp
*.dng
*.doc
*.docm
*.docx
*.dwg
*.dxg
*.epk
*.eps
*.erf
*.esm
*.ff
*.flv
*.forge
*.fos
*.fpk
*.fsh
*.gdb
*.gho
*.hkdb
*.hkx
*.hplg
*.hvpl
*.ibank
*.icxs
*.indd
*.itdb
*.itl
*.itm
*.iwd
*.iwi
*.jpe
*.jpeg
*.jpg
*.js
*.kdb
*.kdc
*.kf
*.layout
*.lbf
*.litemod
*.lrf
*.ltx
*.lvl
*.m2
*.m3u
*.m4a
*.map
*.mcmeta
*.mdb
*.mdbackup
*.mddata
*.mdf
*.mef
*.menu
*.mlx
*.mov
*.mp4
*.mpqge
*.mrwref
*.ncf
*.nrw
*.ntl
*.odb
*.odc
*.odm
*.odp
*.ods
*.odt
*.orf
*.p12
*.p7b
*.p7c
*.pak
*.pdd
*.pdf
*.pef
*.pem
*.pfx
*.pkpass
*.png
*.ppt
*.pptm
*.pptx
*.psd
*.psk
*.pst
*.ptx
*.py
*.qdf
*.qic
*.r3d
*.raf
*.rar
*.raw
*.rb
*.re4
*.rgss3a
*.rim
*.rofl
*.rtf
*.rw2
*.rwl
*.sav
*.sb
*.sid
*.sidd
*.sidn
*.sie
*.sis
*.slm
*.snx
*.sql
*.sr2
*.srf
*.srw
*.sum
*.svg
*.syncdb
*.t12
*.t13
*.tax
*.tor
*.txt
*.unity3d
*.upk
*.vcf
*.vdf
*.vfs0
*.vpk
*.vpp_pc
*.vtf
*.w3x
*.wb2
*.wma
*.wmo
*.wmv
*.wotreplay
*.wpd
*.wps
*.x3f
*.xf
*.xlk
*.xls
*.xlsb
*.xlsm
*.xlsx
*.xxx
*.zip
*.ztmp

Only folders which do not contain one of the following string in their path are searched:

%programfiles%
%windir%

The trojan encrypts the file content.

The AES encryption algorithm is used.

An additional ".ecc" extension is appended.

To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

The trojan displays the following dialog box:

Some examples follow.

Information stealing

The trojan collects the following information:

operating system version
external IP address of the network device
cryptographic keys

The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of (6) URLs. The HTTP protocol is used in the communication.

Other information

The trojan terminates processes with any of the following strings in the path:

taskmgr
procexp
regedit
msconfig
cmd.exe

The following Registry entries are set:

[HKEY_CURRENT_USER\Control Panel\Desktop]
- "Wallpaper" = "%desktop%\HELP_TO_SAVE_YOUR_FILES.bmp"
- "WallpaperStyle" = 0
- "TileWallpaper" = 0

The trojan executes the following command:

vssadmin.exe delete shadows /all /Quiet