Skip to content

Latest commit

 

History

History
64 lines (40 loc) · 2.47 KB

README.md

File metadata and controls

64 lines (40 loc) · 2.47 KB

TeslaCrypt Analysis

Overview

TeslaCrypt was a ransomware trojan that emerged in early 2015. It primarily targeted Windows systems and encrypted files, demanding a ransom payment in Bitcoin for the decryption key. Below are some key points about TeslaCrypt:

Key Points

  • Targeted Systems: Windows
  • Ransom Payment: Bitcoin
  • Encryption Algorithms: AES-256 and RSA-2048
  • Distribution Methods:
    • Exploit kits (e.g., Angler exploit kit)
    • Malicious email attachments
    • Compromised websites

Early Versions

Early versions of TeslaCrypt targeted gaming files, including saves and profiles from popular video games like “Minecraft,” “Call of Duty,” and “World of Warcraft.” This focus expanded to include a wide range of file types in later versions.

Encryption and Evolution

TeslaCrypt used strong encryption algorithms (AES-256 and RSA-2048) to lock users’ files. The ransomware generated a unique encryption key for each infected machine, making it difficult to decrypt files without paying the ransom. TeslaCrypt went through several versions, with each iteration improving its encryption methods and evasion techniques. TeslaCrypt 4.0, one of the final versions, was particularly notorious for its effectiveness.

Steps on Malware Analysis

In this experiment, I will focus on the following approach to analyze TeslaCrypt ransomware:

  1. File Identification

    • Tools: TrIDNET, Detect it Easy

  2. Custom Packer Detection

    • Tool: PEStudio

  3. Unpacking the Ransomware

    • Tool: xdbg Debugger

  4. Memory Dumping

    • Tool: Process Hacker

  5. Further Analysis

    • Tool: Ghidra (Powerful Disassembler)

Detailed Analysis Steps

1. File Identification

  • Utilize TrIDNET and Detect it Easy to identify the file type and gather initial information.

2. Custom Packer Detection

  • Use PEStudio to detect any custom packers used in the ransomware.

3. Unpacking the Ransomware

  • Employ the xdbg debugger tool to unpack the ransomware and reveal its hidden contents.

4. Memory Dumping

  • Use Process Hacker to dump the memory for a more in-depth analysis.

5. Further Analysis

  • Leverage Ghidra, a powerful disassembler, to analyze the unpacked file and understand its behavior and functionalities.

This README provides a structured approach to analyzing TeslaCrypt ransomware, utilizing various tools and techniques to dissect and understand its mechanisms.