A forum for reverse engineering, OS internals and malware analysis 

 #25566  by Grinler
 Thu Apr 02, 2015 7:00 pm
Both BleepingComputer's and Bromium's writeups state that it uses AES. Only the malware exec states that it uses RSA.

Have you tested being able to decrypt using the key.dat?
 #25569  by Blaze
 Fri Apr 03, 2015 7:31 am
Grinler wrote: This is TeslaCrypt. Notice the version number in the GUI title and game extensions.
Yep, I suspected it was TeslaCrypt, but was unsure when I got the CryptoWall message. Maybe this user had both installed at one point, but the shortcuts to the ransom note were (still) of CryptoWall.
 #25587  by AaLl86
 Tue Apr 07, 2015 7:26 am
Grinler wrote:Both BleepingComputer's and Bromium's writeups state that it uses AES. Only the malware exec states that it uses RSA.

Have you tested being able to decrypt using the key.dat?
Yes I have tested it, I am able to recover the key from that file...

Andre
 #25592  by Grinler
 Tue Apr 07, 2015 10:32 pm
AaLl86 wrote:
Grinler wrote:Both BleepingComputer's and Bromium's writeups state that it uses AES. Only the malware exec states that it uses RSA.

Have you tested being able to decrypt using the key.dat?
Yes I have tested it, I am able to recover the key from that file...

Andre
And you are able to decrypt files using it? If so, do you plan on releasing a decrypter to help those affected?
 #25594  by Blaze
 Wed Apr 08, 2015 1:41 pm
Grinler wrote: And you are able to decrypt files using it? If so, do you plan on releasing a decrypter to help those affected?
Yes, you can recover a key from there, but not sure which one it is as you need 2 keys. A decryption key AND a verification key. So not sure if this would be possible.

Two more samples attached.
Attachment: (352.47 KiB)
 #25596  by Grinler
 Wed Apr 08, 2015 11:07 pm
Blaze wrote:
Grinler wrote: And you are able to decrypt files using it? If so, do you plan on releasing a decrypter to help those affected?
Yes, you can recover a key from there, but not sure which one it is as you need 2 keys. A decryption key AND a verification key. So not sure if this would be possible.

Two more samples attached.
Yup, I know a key and bitcoin address resides in there, but can it actually be used to decrypt your data?

Or is this the victims private encryption key which was then encrypted by the devs master public key, which has become common lately.
 #25710  by AaLl86
 Tue Apr 21, 2015 10:37 pm
Based on the tests that I have made, a new dropper is in the wild. This new version produces a "key.dat" file that is 0x2f0 bytes wide...
I think that the new release brings something new. If someone gets the chance to obtain this new dropper please ping me...

Andrea
 #25715  by AaLl86
 Wed Apr 22, 2015 10:03 am
Attachment: 22 April 2015 Dropper (348.76 KiB)
Here is the new dropper. It produces a "key.dat" file 0x2f0 bytes wide.
I have still had no time to analyse it in depth, but it brings some slight new differences (like storing the master key in the Windows registry - Software\Microsoft\Windows\CurrentVersion\SET key).

Attached is the archive with the original dropper and the unpacked one...

Andrea