Notes
  • Did most of this last night, but posting today (4/27)
  • Updated TeslaCrypt sample from the previous entry I have here

PCAP and Malware
Compromised Domain and Redirection

2015-04-26 03:15:53 UTC - 192.185.16.46 - www.coastalluxury.com - GET /

Angler EK Traffic

2015-04-26 03:15:55 UTC - 104.243.44.166 - onle-curassim.netstega.com - GET /hyperboloid-bidding-ardour-mammoth/539752540108432879
2015-04-26 03:15:58 UTC - 104.243.44.166 - onle-curassim.netstega.com - GET /ir0dXUGPu8ls840SgDdv1RcIBD5HDZSYd-YWKPdiAOcScxRC
2015-04-26 03:16:00 UTC - 104.243.44.166 - onle-curassim.netstega.com - GET /0xJxty3MAPtO7bp3w5L6VZlYEK0kkTKZtIkblV14jLfpuxlE

  • Note: "-" in URI string should be "_"

Post-Infection Traffic

2015-04-26 03:16:15 UTC - 54.210.80.108 - ipinfo.io - GET /ip
2015-04-26 03:16:15 UTC - 104.24.101.120 - dpckd2ftmf7lelsa.aenf387awmx28.com - GET /tsdfewr2.php?[Base64 Encoded String 1]
2015-04-26 03:17:34 UTC - 104.24.101.120 - dpckd2ftmf7lelsa.aenf387awmx28.com - GET /tsdfewr2.php?[Base64 Encoded String 2]
2015-04-26 03:18:36 UTC - 104.24.101.120 - qcuikaiye577q3p2.aenf387awmx28.com - GET /?enc=1KNWH2BoScSw9gvSg6oS4WBAkfQvAe32cY
2015-04-26 03:18:37 UTC - 104.24.101.120 - qcuikaiye577q3p2.aenf387awmx28.com - GET /check.php
2015-04-26 03:18:37 UTC - 104.24.101.120 - qcuikaiye577q3p2.aenf387awmx28.com - GET /style.css
2015-04-26 03:18:38 UTC - 104.24.101.120 - qcuikaiye577q3p2.aenf387awmx28.com - GET /img/curr.svg
2015-04-26 03:18:38 UTC - 104.24.101.120 - qcuikaiye577q3p2.aenf387awmx28.com - GET /img/decrypt.svg
2015-04-26 03:18:39 UTC - 104.24.101.120 - qcuikaiye577q3p2.aenf387awmx28.com - GET /favicon.ico
2015-04-26 03:18:40 UTC - 104.24.101.120 - qcuikaiye577q3p2.aenf387awmx28.com - GET /img/curr_hover.svg

TeslaCrypt Check-In
Subject=Ping&key=E036011ACDAB76CBF18C693AF15CF8B4BA3AB1BDE714381F7AABC496FDBD9FF9&addr=1KNWH2BoScSw9gvSg6oS4WBAkfQvAe32cY&files=0&size=0&version=0.3.6b&date=1430104575&OS=7601&ID=78&subid=0&gate=G0&is_admin=1&is_64=1&ip=xx.xx.xx.xx&exe_type=1

Subject=Crypted&key=E036011ACDAB76CBF18C693AF15CF8B4BA3AB1BDE714381F7AABC496FDBD9FF9&addr=1KNWH2BoScSw9gvSg6oS4WBAkfQvAe32cY&files=38&size=52&version=0.3.6b&date=1430104654&OS=7601&ID=78&subid=0&gate=G0&is_admin=1&is_64=1&ip=xx.xx.xx.xx&exe_type=1
Known TeslaCrypt URI Commands and Descriptions

Command         Description
Subject=Ping    Ping request to the server
version=        Malware version
addr=           Bitcoin address
date=           Timestamp
OS=             OS version
ID=             Uniquely generated ID
is_admin        Checking login from user or admin panel
&ip=            Retrieving user IP address

SOURCE: https://blogs.mcafee.com/mcafee-labs/teslacrypt-joins-ransomware-field

Note: The second check-in to the C2 server carries these additional commands:

  • Crypted = confirmation that the key exchange completed and the victim machine was encrypted
  • Files = Number of files encrypted
  • Size = Size of encrypted files? (unsure)
  • is_64 = 64-bit OS check? (unsure)
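As an added example (not part of the original post and not the malware's own code), the Python below decodes a tsdfewr2.php check-in request, types the fields from the table above, converts the date field from the victim's clock, and ties the later payment-page visit (/?enc=...) back to the Bitcoin address in the check-in. It assumes the [Base64 Encoded String] is standard Base64 of the decoded query shown above; the sample URI is constructed on that assumption.

```python
"""Decode and parse TeslaCrypt 0.3.6 C2 check-ins of the form seen in the PCAP above."""
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed from the two decoded check-ins quoted in the post (IP already redacted by the author).
PING = ("Subject=Ping&key=E036011ACDAB76CBF18C693AF15CF8B4BA3AB1BDE714381F7AABC496FDBD9FF9"
        "&addr=1KNWH2BoScSw9gvSg6oS4WBAkfQvAe32cY&files=0&size=0&version=0.3.6b&date=1430104575"
        "&OS=7601&ID=78&subid=0&gate=G0&is_admin=1&is_64=1&ip=xx.xx.xx.xx&exe_type=1")
CRYPTED = (PING.replace("Subject=Ping", "Subject=Crypted")
               .replace("files=0&size=0", "files=38&size=52")
               .replace("date=1430104575", "date=1430104654"))

# Assumption: the [Base64 Encoded String] in the tsdfewr2.php request is plain standard
# Base64 of the decoded query; this sample URI is constructed on that assumption.
SAMPLE_URI = "/tsdfewr2.php?" + base64.b64encode(PING.encode()).decode()

INT_FIELDS = ("files", "size", "OS", "ID", "subid", "is_admin", "is_64", "exe_type")

def parse_checkin(query: str) -> dict:
    """Turn a decoded check-in query string into a typed record."""
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    for name in INT_FIELDS:
        if name in fields:
            fields[name] = int(fields[name])
    # "date" is epoch seconds taken from the victim's clock, not the server's.
    fields["date"] = datetime.fromtimestamp(int(fields["date"]), tz=timezone.utc)
    return fields

def decode_checkin_uri(uri: str) -> dict:
    """Decode a /tsdfewr2.php?<base64> request as it appears in proxy logs."""
    return parse_checkin(base64.b64decode(urlparse(uri).query).decode())

def encryption_completed(record: dict) -> bool:
    """The 'Crypted' subject with a non-zero file count marks a finished encryption run."""
    return record["Subject"] == "Crypted" and record["files"] > 0

def payment_page_matches(record: dict, payment_uri: str) -> bool:
    """Tie the payment-site visit (/?enc=<addr>) back to the check-in's Bitcoin address."""
    enc = parse_qs(urlparse(payment_uri).query).get("enc", [None])[0]
    return enc == record["addr"]

if __name__ == "__main__":
    for rec in (decode_checkin_uri(SAMPLE_URI), parse_checkin(CRYPTED)):
        print(rec["Subject"], rec["addr"], rec["files"], rec["date"].isoformat(),
              encryption_completed(rec))
```

The decoded date fields land 79 seconds apart, matching the 03:16:15 and 03:17:34 check-in times in the PCAP, while the day comes from the infected host's clock.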

Preliminary Malware Analysis

Angler EK Payload -> TeslaCrypt 0.3.6

TeslaCrypt Splash Page

Desktop Background was changed to:

Text of Images:

All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
If you see the main encryptor red window, examine it and follow the instructions.
Otherwise, it seems that you or your antivirus deleted the encryptor program.

Now you have the last chance to decrypt your files. Open hxxp://qcuikaiye577q3p2.aenf387awmx28[.]com or hxxp://qcuikaiye577q3p2.od9wjn4iene29[.]com ,
hxxps://qcuikaiye577q3p2.s5.tor-gateways[.]de/ in your browser.
They are public gates to the secret server.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
1KNWH2BoScSw9gvSg6oS4WBAkfQvAe32cY

Follow the instructions on the server. If you have problems with gates, use direct connection:
1. Download Tor Browser from hxxp://torproject[.]org
2. In the Tor Browser open the hxxp://qcuikaiye577q3p2[.]onion/
Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
1KNWH2BoScSw9gvSg6oS4WBAkfQvAe32cY
Follow the instructions on the server.

Bitcoin Wallet Information

The Bitcoin wallet used by this sample is empty and can be observed here: https://blockchain.info/address/1KNWH2BoScSw9gvSg6oS4WBAkfQvAe32cY

TeslaCrypt Browser Information

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.