Win32/Tescrypt

Installation

The threat might be dropped by exploit kits such as Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange).

This threat copies itself to the following folders:

• %APPDATA% folder
• %USERPROFILE%\Documents
• %SystemRoot%

It uses a random name for its copy, for example:

• apsjnlkvgvvi.exe
• qubmvec.exe
• lclrgoijwqhr.exe
• yndtyyg.exe

For example, the location and name of the malware copy might look like this:

• C:\Documents and Settings\<username>\Application Data\qubmvec.exe
• C:\Users\<username>\AppData\Roaming\qubmvec.exe)

It might also install the following files in the %APPDATA% folder:

• key.dat - user specific bitcoin address
• log.html - contains a list of encrypted files

It modifies one of the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Sets value: <value name>
With data: <location and name of the malware copy>

We have seen it use the following strings for the <value name>:

• 12_23-dst
• 1qw23qw4qe-r2r1t3
• 1qwqwqe-r213
• AVrSvc
• AVSvc
• crypto13
• dsfgsdf-67897869
• gatert-12010
• mscon
• msconfig
• msdedf
• mssvc
• qwer-sadkfgsa
• rimage-v5
• srv-2016
• svv_e
• verif-8746
• werity-32452345
• wertret
• zsevice-34
• zsevice-455

It might also set the registry key to use cmd.exe to run the malware file copy, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <value name>
With data: "<system folder>\cmd.exe /c start "" "<location and name of the malware copy>""

Alternatively, it might drop and run a batch script (.bat) file to create the registry key. We have seen it use the following script to do this:

• reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v <value name> /t REG_SZ  /d "<location and name of the malware copy>" /f

Payload

This ransomware can search for files in all of the folders with the following extensions and then encrypt them:​

After the files are encrypted, the ransomware renames the files by changing the file extension to one of the following:

• .crypted
• .ecc
• .ess
• .exx
• .ezz
• .micro
• .mp3
• .vvv

It displays a dialog box similar to the following screenshots:

When you click the ransomware window button, it opens a dialog box similar to the following screenshot:

Then it opens the decryption site:

When you enter the BitCoin address supplied to access the Alpha Crypt payment page, it displays an encryption notification message similar to the following screenshot:

This ransomware also creates the following files under %USERPROFILE%\Desktop:

• CryptoLocker.lnk - points to and runs the malicious executable file in %APPDATA% folder

It drops files to your %USERPROFILE%\Documents directory that contain instructions on how to decrypt your files. It uses a number of file names and file types, including plain text (.txt), web page (.html), and image (.bmp and .png) file types. The following are some examples of the file names we have seen:

• _h_e_l_p_recover_instructions+<random>
• _recovery_+<random>
• help_recover_instructions+<random>
• help_restore_files_<random>
• help_to_decrypt_your_files
• HELP_TO_SAVE_FILES
• help_to_save_your_files
• how_recover+<random>
• recovery_file_<random>
• restore_files_<random>

It might set the image files as your desktop wallpaper so you see the message whenever you log in. 

It also deletes shadow files to prevent you from restoring your files from a local backup. We have seen it run the following commands:

• <system folder> \wbem\WMIC.exe shadowcopy delete /nointeractive
• <system folder> \vssadmin.exe delete shadows /all /Quiet

Analysis by Jireh Sanico