A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25760  by Cody Johnston
 Thu Apr 30, 2015 7:44 pm
AlphaCrypt - this looks heavily based on TeslaCrypt (based on some quick static analysis anyways)

I originally found a post about it here http://www.malware-traffic-analysis.net ... index.html

Attaching the sample for convenience

https://www.virustotal.com/en/file/7bdc ... 430412022/
Attachments
Password: infected
(264.08 KiB) Downloaded 149 times
 #25796  by dejl13
 Mon May 04, 2015 11:57 pm
Tried the new sample in a VM and can confirm, it looks exactly like TelsaCrypt. Thanks for posting the sample :)
 #25846  by Grinler
 Mon May 11, 2015 5:47 pm
Latest teslacrypt. Appends EXX extension and no longer has a name associated with it.

Key.dat renamed to storage.bin.
Attachments
(352.03 KiB) Downloaded 155 times
 #26756  by r3shl4k1sh
 Thu Sep 17, 2015 6:30 pm
Intimacygel wrote:http://www.isightpartners.com/2015/09/t ... nications/

Anyone got any samples for this supposed "Tesla Crypt 2.0" ?
In attach the sample mentioned in the article:
https://www.virustotal.com/en/file/f01c ... /analysis/
Attachments
pass: infected
(197.19 KiB) Downloaded 122 times
 #27227  by nullptr
 Sat Nov 14, 2015 11:46 am
Teslacrypt
MD-5 d7575e4455e4d805fd29effb43591454
SHA-1 ce9a91c24aad1ec93936d9ba7203de84ae2b94c7

Original + Decrypted.
pwd: malware
(353.42 KiB) Downloaded 107 times
 #27309  by sysopfb
 Wed Nov 25, 2015 5:28 pm
Signed teslacrypt attached

SN: 6f 17 f2 ec 42 0a cc 9e c6 74 a4 ef 5e 76 32 f6

CN = Certum Level III CA
OU = Certum Certification Authority
O = Unizeto Technologies S.A.
C = PL

E = vipul@bscp-lim.com
CN = Open Source Developer, Andrea Jane Paxton
O = BSCP
C = GB

C2 list:
Code: Select all
http://genesistut.com/misc.php
http://sreedhanwanthari.org/wp-content/themes/inzane/misc.php
http://umrdafasojigi.org/wp-content/themes/the-cause/misc.php
http://royaleventsbytrina.com/wp-content/themes/twentythirteen/misc.php
http://geets.xyz/wp-content/themes/mobile/misc.php
http://rgkschool.com/modules/mod_ariimageslider/misc.php 
Similar to a cryptowall script you can check if the php script is still there via misc.php?testmode

Version 2.2
C2 traffic can be decrypted using one of the decoded strings: 987546lkdfgjj3093laksdglast2391
AES in CBC mode the key is the sha256 of the previously mentioned string
The IV is hardcoded: FFFFAAAA0000BEEFDEAD0000BEFFFFFF
Attachments
pw:infected
(219.44 KiB) Downloaded 83 times
 #27338  by AaLl86
 Tue Dec 01, 2015 2:18 pm
There is a new variant outside. It encrypts the files adding a ".vvv" extension. Somebody has the MD5 or the sample to share?

Thanks in advance
Andrea
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7