Skip to content
/ reverseEngineering-TeslaCryptRansomware Public

TeslaCrypt was a ransomware trojan that emerged in early 2015. It primarily targeted Windows systems and encrypted files, demanding a ransom payment in Bitcoin for the decryption key

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

makt96/reverseEngineering-TeslaCryptRansomware

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
File Identification
File Identification
 
 
Ghidra Analysis
Ghidra Analysis
 
 
malware sample 4
malware sample 4
 
 
README.md
README.md
 
 

Repository files navigation

TeslaCrypt Analysis

Overview

TeslaCrypt was a ransomware trojan that emerged in early 2015. It primarily targeted Windows systems and encrypted files, demanding a ransom payment in Bitcoin for the decryption key. Below are some key points about TeslaCrypt:

Key Points

  • Targeted Systems: Windows
  • Ransom Payment: Bitcoin
  • Encryption Algorithms: AES-256 and RSA-2048
  • Distribution Methods:
    • Exploit kits (e.g., Angler exploit kit)
    • Malicious email attachments
    • Compromised websites

Early Versions

Early versions of TeslaCrypt targeted gaming files, including saves and profiles from popular video games like “Minecraft,” “Call of Duty,” and “World of Warcraft.” This focus expanded to include a wide range of file types in later versions.

Encryption and Evolution

TeslaCrypt used strong encryption algorithms (AES-256 and RSA-2048) to lock users’ files. The ransomware generated a unique encryption key for each infected machine, making it difficult to decrypt files without paying the ransom. TeslaCrypt went through several versions, with each iteration improving its encryption methods and evasion techniques. TeslaCrypt 4.0, one of the final versions, was particularly notorious for its effectiveness.

Steps on Malware Analysis

In this experiment, I will focus on the following approach to analyze TeslaCrypt ransomware:

  1. File Identification

    • Tools: TrIDNET, Detect it Easy

  2. Custom Packer Detection

    • Tool: PEStudio

  3. Unpacking the Ransomware

    • Tool: xdbg Debugger

  4. Memory Dumping

    • Tool: Process Hacker

  5. Further Analysis

    • Tool: Ghidra (Powerful Disassembler)

Detailed Analysis Steps

1. File Identification

  • Utilize TrIDNET and Detect it Easy to identify the file type and gather initial information.

2. Custom Packer Detection

  • Use PEStudio to detect any custom packers used in the ransomware.

3. Unpacking the Ransomware

  • Employ the xdbg debugger tool to unpack the ransomware and reveal its hidden contents.

4. Memory Dumping

  • Use Process Hacker to dump the memory for a more in-depth analysis.

5. Further Analysis

  • Leverage Ghidra, a powerful disassembler, to analyze the unpacked file and understand its behavior and functionalities.

This README provides a structured approach to analyzing TeslaCrypt ransomware, utilizing various tools and techniques to dissect and understand its mechanisms.

About

TeslaCrypt was a ransomware trojan that emerged in early 2015. It primarily targeted Windows systems and encrypted files, demanding a ransom payment in Bitcoin for the decryption key

Topics

reverse-engineering threat-hunting malware-analysis windowsapi malware-detection

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published