A quick post that version 4.1b of the TeslaCrypt Ransomware has been released. According to TeslaCrypt researcher BloodDolly, the first 4.1b sample that he has is dated 4/19/16. After a quick analysis, the changes that were made are:
- Data file renamed to %MyDocuments%\desctop._ini
- Size of recovery file changed to 252 from 264.
- Name of the Run Registry value is now hostslert followed by 6 random characters (shown as [random] in the registry list below)
TeslaCrypt 4.1b HTML Ransom Note
When TeslaCrypt first begins encrypting your data, it connects to one of the Command & Control server gateways and sends an encrypted POST message. When this message is decrypted, one of the values in it is called version and contains the current version of TeslaCrypt. You can see an example of a decoded 4.1b request below.
Sub=Ping&dh=[PublicKeyRandom1_octet|AES_PrivateKeyMaster]&addr=[bitcoin_address]&size=0&version=4.1b&OS=[build_id]&ID=[?]&inst_id=[victim_id]
It also appears that TeslaCrypt is only using WMIC to delete Shadow Volume Copies, though this may also have been the case in earlier versions. The command used is C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive.
WMIC Shadow Copy Deletion
If any new info comes out, I will be sure to update this post.
Updated 4/21/16 - Added analysis by BloodDolly.
TeslaCrypt 4.1b Files
%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Txt
%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Htm
%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Png
%UserProfile%\Documents\[random].exe
%UserProfile%\Documents\-!recover!-!file!-.txt
%UserProfile%\Documents\desctop._ini
TeslaCrypt 4.1b Registry Entries
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\[random].exe
HKCU\Software\[victim_id]
HKCU\Software\[victim_id]\data
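The decoded Ping request above is a plain key=value body, so the version field (and the victim id and key material) can be pulled out with a few lines once the encryption layer is off. The following is an added example, not code from the post or from the malware: it parses that plaintext form, rejects bodies that are missing any of the fields the post shows or whose dh value lacks the '|' separator, and flags versions not yet on a tracked list. The sample body, its hex strings and the bitcoin address are constructed here and are not real.

```python
"""Parse a decoded TeslaCrypt C2 'Ping' beacon body.

Added example; not code from the original post or from the malware itself.
The post shows the request only after its encryption layer has been removed,
so this works on that plaintext form: key=value pairs joined by '&', with
the 'dh' value carrying two key halves separated by '|'. The sample body
below is constructed from the placeholder layout in the post; the hex
strings and bitcoin address are made up.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qsl

# Every field the post's decoded request carries. A body missing any of
# them is not treated as a TeslaCrypt Ping, even if it says Sub=Ping.
REQUIRED_FIELDS = ("Sub", "dh", "addr", "size", "version", "OS", "ID", "inst_id")


@dataclass(frozen=True)
class Beacon:
    version: str          # e.g. "4.1b"
    victim_id: str        # inst_id
    bitcoin_address: str  # addr
    public_key: str       # PublicKeyRandom1_octet, left of '|' in dh
    aes_private_key: str  # AES_PrivateKeyMaster, right of '|' in dh
    build_id: str         # OS
    size: int             # 0 in the initial Ping


def parse_body(body: str) -> Dict[str, str]:
    """Split the plaintext body into a dict, keeping empty values."""
    return dict(parse_qsl(body, keep_blank_values=True))


def parse_beacon(body: str) -> Optional[Beacon]:
    """Return a Beacon for a well-formed TeslaCrypt Ping body, else None."""
    fields = parse_body(body)
    if any(name not in fields for name in REQUIRED_FIELDS):
        return None
    if fields["Sub"] != "Ping":
        return None
    # dh must carry both halves; a bare value means a different message
    # type or a truncated capture, so refuse rather than guess.
    if "|" not in fields["dh"]:
        return None
    public_key, aes_private_key = fields["dh"].split("|", 1)
    try:
        size = int(fields["size"])
    except ValueError:
        return None
    return Beacon(
        version=fields["version"],
        victim_id=fields["inst_id"],
        bitcoin_address=fields["addr"],
        public_key=public_key,
        aes_private_key=aes_private_key,
        build_id=fields["OS"],
        size=size,
    )


def is_unknown_version(beacon: Beacon, known=("4.1b",)) -> bool:
    """True when the beacon reports a version not on the tracked list.

    'known' is an assumed tracking list for this example; extend it as
    new samples appear. A new string here is how a release like 4.1b
    first stands out in decoded traffic.
    """
    return beacon.version not in known


# Constructed sample body following the post's layout (not real key data).
SAMPLE_BODY = (
    "Sub=Ping"
    + "&dh=" + "04" + "ab" * 32 + "|" + "cd" * 32
    + "&addr=1TeslaCryptSampleAddrNotARealOne"
    + "&size=0&version=4.1b&OS=7601&ID=1&inst_id=A1B2C3D4E5F6"
)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BODY))
```

The parser deliberately returns None instead of a partial Beacon when a field is missing: a half-parsed beacon in a triage pipeline is easy to mistake for a different message type.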
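The files, the Run value and the WMIC command above are the host-side indicators a responder would check for. The following is an added example, not code from the post or from any product: it turns those indicators into rules (the desktop and Documents ransom notes, the misspelled desctop._ini data file, a Run value named hostslert plus 6 characters that launches a dropped exe through cmd, and a WMIC shadowcopy delete command line) and runs them over a list of events. The events, the user name alice and the random names in them are constructed for the example, not captured from an infected machine.

```python
"""Check host artifacts against the TeslaCrypt 4.1b indicators in this post.

Added example; not code from the post or from any product. The rules
encode the ransom-note paths, the renamed data file, the Run value and the
WMIC shadow copy command the post lists. The events scanned at the bottom
are constructed for the example, not taken from a real machine.
"""
from __future__ import annotations
import re
from typing import Dict, List, Optional, Tuple

# File artifacts, matched on the expanded path (the post writes them with %UserProfile%).
FILE_RULES = [
    ("desktop_ransom_note",
     re.compile(r"\\Desktop\\-!RecOveR!-[^\\]+\+\+\.(?:Txt|Htm|Png)$", re.I)),
    ("documents_ransom_note",
     re.compile(r"\\Documents\\-!recover!-!file!-\.txt$", re.I)),
    # The data file is spelled 'desctop._ini', not 'desktop.ini'; do not "fix" it.
    ("data_file_desctop_ini",
     re.compile(r"\\Documents\\desctop\._ini$", re.I)),
]

# Persistence: HKCU Run value named hostslert + 6 characters, launching a dropped exe through cmd.
RUN_VALUE_NAME = re.compile(r"^hostslert.{6}$", re.I)
RUN_VALUE_DATA = re.compile(r"CMD\.EXE\s+/C\s+START\s+.*\\Documents\\[^\\]+\.exe\s*$", re.I)

# Shadow copy deletion through WMIC as the post describes; tolerant of path, case and extra switches.
WMIC_SHADOWCOPY_DELETE = re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)


def check_path(path: str) -> Optional[str]:
    """Name of the first file rule the path matches, or None."""
    for name, pattern in FILE_RULES:
        if pattern.search(path):
            return name
    return None


def check_run_value(value_name: str, value_data: str) -> Optional[str]:
    """Flag a Run value only when both the name and the launch command fit."""
    if RUN_VALUE_NAME.match(value_name) and RUN_VALUE_DATA.search(value_data):
        return "run_value_persistence"
    return None


def check_command_line(command_line: str) -> Optional[str]:
    """Flag WMIC-based shadow copy deletion."""
    if WMIC_SHADOWCOPY_DELETE.search(command_line):
        return "wmic_shadowcopy_delete"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through the rule for its type; return (rule, evidence) hits."""
    hits: List[Tuple[str, str]] = []
    for event in events:
        kind = event["type"]
        if kind == "file":
            rule, evidence = check_path(event["path"]), event["path"]
        elif kind == "registry":
            rule = check_run_value(event["name"], event["data"])
            evidence = f'{event["key"]}\\{event["name"]}'
        elif kind == "process":
            rule, evidence = check_command_line(event["cmdline"]), event["cmdline"]
        else:
            continue
        if rule:
            hits.append((rule, evidence))
    return hits


# Constructed events; paths are the post's with %UserProfile% expanded to C:\Users\alice.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\Desktop\-!RecOveR!-kfjdh++.Txt"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\-!RecOveR!-kfjdh++.Htm"},
    {"type": "file", "path": r"C:\Users\alice\Documents\-!recover!-!file!-.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\desctop._ini"},
    {"type": "file", "path": r"C:\Users\alice\Documents\desktop.ini"},  # benign, must not match
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "hostslertq8x2mk",
     "data": r"C:\Windows\SYSTEM32\CMD.EXE /C START C:\Users\alice\Documents\hfkrjw.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process", "cmdline": r"C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive"},
    {"type": "process", "cmdline": r"wmic os get caption"},  # benign WMIC use
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:24} {evidence}")
```

The Run value rule requires both the hostslert name and the cmd /C START launch of an exe under Documents; either half on its own would fire on legitimate software. The WMIC rule is written against the one command the post observed, so other shadow copy deletion methods have to be added as separate rules as they are confirmed.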