2016-04-05 - TESLACRYPT RANSOMWARE ACTIVITY

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-04-05-TeslaCrypt-ransomware-infection-traffic.pcap.zip  1.0 MB (1,027,562 bytes)
• 2016-04-05-files-from-TeslaCrypt-ransomware-activity.zip  329.6 kB (329,618 bytes)

 

NOTES:

• Today I saw emails with .js-based attachments deliver TeslaCrypt ransomware similar to activity already reported, such as:

• https://blog.dynamoo.com/2016/03/malware-spam-additional-information.html

 

EMAILS

EMAIL EXAMPLES:

• From: Rosanna Aguiar -- Subj: Actual Status on Your Balance 27003
• From: Morton Seal -- Subj: Actual Status on Your Balance 93990
• From: Benetta Guillory -- Subj: Actual Status on Your Balance 88860
• From: Leigh Mcclung -- Subj: Actual Status on Your Balance 94249
• From: Kelvin Corl -- Subj: Actual Status on Your Balance 97835

 

ATTACHMENTS:

• Attachment name: bill_invoices_427897.zip -- MD5 hash: 75db7be6455f400b2e61b515a83b2714
• Attachment name: copy_greg_589120.zip -- MD5 hash: c961ce40b1a6e0c560ed2733c4540130
• Attachment name: cassie_copy_500450.zip -- MD5 hash: 5b76de1afb1fe48859aac03442d8603c
• Attachment name: copy_m8r-o0m7rg_613733.zip -- MD5 hash: 5a9051d0064bbdf68d4cef0e444ac753
• Attachment name: bam_copy_474035.zip -- MD5 hash: a805af25e93bb25625e3eb473d7d2c88

 

EXTRACTED .JS FILES:

• Extracted file name: report_qvThfu.js -- MD5 hash: 11df3084f0438d8ca6bda38c13b70a38
• Extracted file name: report_xfGUmj.js -- MD5 hash: 1086fd107f8137f5e2103208352ee16a
• Extracted file name: transaction_yoReNp.js -- MD5 hash: 3b1b73508474bd1cf8166343ce48d201
• Extracted file name: document_rCDXCI.js -- MD5 hash: 02a7f25a7b295bdefdf404a3c85e7215
• Extracted file name: doc_iMXGLN.js -- MD5 hash: d067919f1b9e8db0d916a44ab6959faa

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

NOTE: I ran each of the extracted .js files on a host in my lab.  Notice the 3 different IP addresses for marvellrulesqq[.]com.

ASSOCIATED DOMAINS:

• 54.212.162[.]6 port 80 - marvellrulesqq[.]com - GET /70.exe?1
• 104.161.60[.]151 port 80 - marvellrulesqq[.]com - GET /70.exe?1
• 185.118.142[.]154 port 80 - marvellrulesqq[.]com - GET /70.exe?1
• 23.229.239[.]227 port 80 - addagapublicschool[.]com - POST /binfile.php
• 194.228.3[.]204 port 80 - helpdesk.keldon[.]info - POST /plugins/editors/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/binfile.php

 

MALWARE

CONTENTS OF TODAY'S EMAIL AND MALWARE ARCHIVE:

• 2016-04-05-TeslaCrypt-ransomware-decrypt-insructions.html
• 2016-04-05-TeslaCrypt-ransomware-decrypt-insructions.png
• 2016-04-05-TeslaCrypt-ransomware-decrypt-insructions.txt

• 2016-04-05-TeslaCrypt-ransomware.exe   (Virus Total link)

• 2016-04-05-email-pushing-TeslaCrypt-ransomware-example-01.eml
• 2016-04-05-email-pushing-TeslaCrypt-ransomware-example-02.eml
• 2016-04-05-email-pushing-TeslaCrypt-ransomware-example-03.eml
• 2016-04-05-email-pushing-TeslaCrypt-ransomware-example-04.eml
• 2016-04-05-email-pushing-TeslaCrypt-ransomware-example-05.eml

• bam_copy_474035.zip
• bill_invoices_427897.zip
• cassie_copy_500450.zip
• copy_greg_589120.zip
• copy_m8r-o0m7rg_613733.zip

• doc_iMXGLN.js
• document_rCDXCI.js
• report_qvThfu.js
• report_xfGUmj.js
• transaction_yoReNp.js

 

IMAGES

Shown above:  An example of the Windows desktop infected with TeslaCrypt ransomware.

 

Click here to return to the main page.