TROJ_CRYPTESLA.NM

 Analysis by: Homer Pacag

 ALIASES:

Ransom:Win32/Tescrypt.A (Microsoft); Symantec (Trojan.Cryptolocker.E)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size:

420,864 bytes

File Type:

EXE

Initial Samples Received Date:

30 Apr 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %Application Data%\{random file name}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

  • %Application Data%\key.dat
  • %Application Data%\log.html ->list of encrypted files
  • %User Profile%\My Documents\RECOVERY_FILE.TXT
  • {File path of encrypted files}\HELP_TO_SAVE_FILES.txt ->ransom note
  • %User Profile%\Desktop\HELP_TO_SAVE_FILES.bmp ->ransom wallpaper
  • %User Profile%\Desktop\Save_Files.lnk ->shortcut of itself

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
AVSvc = "%Application Data%\{random file name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
AVSvc = "%Application Data%\{random file name}.exe"

Other System Modifications

This Trojan changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%User Profile%\Desktop\HELP_TO_SAVE_FILES.bmp"

(Note: The default value data of the said registry entry is {User defined}.)

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

  • http://ipinfo.io/ip

It connects to the following possibly malicious URL:

  • {BLOCKED}ftmf7lelsa.{BLOCKED}u37an30.com/tsdfewr2.php
  • {BLOCKED}ftmf7lelsa.{BLOCKED}mnd7w31.com/tsdfewr2.php?

It encrypts files with the following extensions:

  • sql
  • mp4
  • 7z
  • rar
  • m4a
  • wma
  • avi
  • wmv
  • csv
  • d3dbsp
  • zip
  • sie
  • sum
  • ibank
  • t13
  • t12
  • qdf
  • gdb
  • tax
  • pkpass
  • bc6
  • bc7
  • bkp
  • qic
  • bkf
  • sidn
  • sidd
  • mddata
  • itl
  • itdb
  • icxs
  • hvpl
  • hplg
  • hkdb
  • mdbackup
  • syncdb
  • gho
  • cas
  • svg
  • map
  • wmo
  • itm
  • sb
  • fos
  • mov
  • vdf
  • ztmp
  • sis
  • sid
  • ncf
  • menu
  • layout
  • dmp
  • blob
  • esm
  • vcf
  • vtf
  • dazip
  • fpk
  • mlx
  • kf
  • iwd
  • vpk
  • tor
  • psk
  • rim
  • w3x
  • fsh
  • ntl
  • arch00
  • lvl
  • snx
  • cfr
  • ff
  • vpp_pc
  • lrf
  • m2
  • mcmeta
  • vfs0
  • mpqge
  • kdb
  • db0
  • dba
  • rofl
  • hkx
  • bar
  • upk
  • das
  • iwi
  • litemod
  • asset
  • forge
  • ltx
  • bsa
  • apk
  • re4
  • sav
  • lbf
  • slm
  • bik
  • epk
  • rgss3a
  • pak
  • big
  • wallet
  • wotreplay
  • xxx
  • desc
  • py
  • m3u
  • flv
  • js
  • css
  • rb
  • png
  • jpeg
  • txt
  • p7c
  • p7b
  • p12
  • pfx
  • pem
  • crt
  • cer
  • der
  • x3f
  • srw
  • pef
  • ptx
  • r3d
  • rw2
  • rwl
  • raw
  • raf
  • orf
  • nrw
  • mrwref
  • mef
  • erf
  • kdc
  • dcr
  • cr2
  • crw
  • bay
  • sr2
  • srf
  • arw
  • 3fr
  • dng
  • jpe
  • jpg
  • cdr
  • indd
  • ai
  • eps
  • pdf
  • pdd
  • psd
  • dbfmdf
  • wb2
  • rtf
  • wpd
  • dxg
  • xf
  • dwg
  • pst
  • accdb
  • mdb
  • pptm
  • pptx
  • ppt
  • xlk
  • xlsb
  • xlsm
  • xlsx
  • xls
  • wps
  • docm
  • docx
  • doc
  • odb
  • odc
  • odm
  • odp
  • ods
  • odt

It renames encrypted files using the following names:

  • {Original Filename}.ezz

It deletes the initially executed copy of itself