TeslaCrypt Analysis

Ransomware can be delivered in emails sent directly to an unsuspecting recipient, or in a drive-by download from a compromised website via an Exploit Kit. Exploit Kits probe the visitor's browser and plugins to see whether the system is unpatched; Flash has been the most commonly exploited vulnerability for malware delivery for some time. If the browser is not patched to the latest version, the visitor is redirected to a second site, referred to as a Gate, and finally to a malware site where the file is served.

Detonation of the malware executable


POST Activity after detonation of the malware executable

Persistence is established by adding an entry for the dropped file to the Run registry key, a common technique malware authors use to make sure the malware starts again at every logon and can't simply be removed by antivirus.


Persistence is established

Once a machine is infected, the decryption instructions are dropped in every directory. The instructions are as helpful and as kindly worded as can be: they explain how they are "protecting" your files. Victims typically have 48 hours to pay the ransom or lose their files.




This is easy to avoid.

  • Update your web browser and its plugins, such as Flash.
  • Back up your files. If you have a backup it doesn't matter if your files get encrypted.
  • Don't pay. Ransomware is becoming very popular because so many of the victims are paying.
  • Detach your external storage device. The malware will encrypt all files on the PC as well as on any network drive or external storage the PC is attached to.




The malware file is password protected with the usual password. If you don’t know it email me at


Malware Domain Lists

If you analyse pcaps often and are looking for a way to quickly see if any of the domains are on a Domain Blacklist, this script may help.

The Python script will do the following:

  • Download a current malware domain Blacklist and parse out the domains.
  • Run a tshark command on your pcap and pull all the domains.
  • Compare the two lists and print to the screen any malicious domains seen on your network.

Python Script

       #!/usr/bin/env python3
       import subprocess
       import urllib.request

       print("Please change your pcap filename to new.pcap")

       # file the downloaded blacklist is written to
       file = "domains.txt"

       # download a current domain blacklist (the URL was left blank in the post; fill in the list you use)
       url = ""
       response = urllib.request.urlopen(url)

       # write the raw list to disk
       with open(file, "wb") as f:
           f.write(response.read())

       # Clean the file: keep the first column, then sort and de-duplicate
       subprocess.call("awk '{print $1}' domains.txt | sort | uniq > BLdomains.txt", shell=True)

       # Grab all resolved host names from the pcap (-N n turns on network-name resolution)
       #pcapfile = input("What is the pcap file name?")
       subprocess.call("tshark -N n -r new.pcap | awk '{print $3}' | sort | uniq > localdomains.txt", shell=True)

       # print to screen any domains from pcap that are listed in domain blacklist.
       subprocess.call("grep -F -f BLdomains.txt localdomains.txt", shell=True)





  • Change the pcap filename to new.pcap
  • Change the attached file extension to .py as shown in the screenshot.
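The script's final step uses grep -F, which matches substrings, so a listed badsite.example would also flag notbadsite.example, and a blank line in the downloaded list would match every host. The following is an added example, not code from the original post, that does the same blacklist-versus-pcap comparison in Python with exact or parent-domain matching; the blacklist and the tshark output are constructed samples, and the column layout assumes the post's tshark -N n output.

```python
from ipaddress import ip_address
# Constructed sample blacklist in hosts-file layout (comments, blanks, "sinkhole-IP domain"); not a real list.
BLACKLIST_TEXT = """\
# Malware Domain Blocklist (constructed sample)
127.0.0.1  badsite.example
127.0.0.1  updates.evil-cdn.example   # trailing comment

127.0.0.1
"""
# Constructed sample of "tshark -N n -r new.pcap" output; column 3 is the resolved source host.
TSHARK_TEXT = """\
  1 0.000000 badsite.example -> 10.0.0.20 TCP 66 80 -> 50111 [SYN, ACK]
  2 0.001200 notbadsite.example -> 10.0.0.20 TCP 66 80 -> 50112 [SYN, ACK]
  3 0.002000 cdn.updates.evil-cdn.example -> 10.0.0.20 HTTP 512 GET /index.html
"""

def _is_ip(s):
    try:
        return ip_address(s) is not None
    except ValueError:
        return False

def parse_blacklist(text):
    """Listed domains; skips comments, blank and IP-only lines (a blank grep -F -f pattern matches everything)."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and not _is_ip(fields[-1]):       # last field is the domain
            domains.add(fields[-1].lower().rstrip("."))
    return domains

def parse_tshark_hosts(text):
    """Resolved source hosts (column 3, what the post's awk '{print $3}' keeps)."""
    hosts = set()
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 3 and not _is_ip(fields[2]):
            hosts.add(fields[2].lower().rstrip("."))
    return hosts

def match_hosts(hosts, blacklist):
    """Map each host to the listed domain it equals or sits under (no substring hits)."""
    hits = {}
    for host in hosts:
        labels = host.split(".")
        for i in range(len(labels) - 1):            # never test the bare TLD
            parent = ".".join(labels[i:])
            if parent in blacklist:
                hits[host] = parent
                break
    return hits
```

To use it on real data, replace the two constructed strings with the downloaded list and the saved tshark output.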






Phish – Credential Harvester

We have been seeing a wave of USAA phish in the last few months. All of the hooks are similar, i.e. "suspicious activity detected on your account, please login", "Update your records", etc. The emails have all contained a PDF attachment with a link to a credential harvesting site. In this example we have a PDF attachment prompting the user to retrieve an online document.

        Subject: Suspicious Activity Detected
        Malicious Domain:
        Malicious URI: /cache/mon.html

        Attachment: UPDATE SERVICE.pdf



Hovering over the link in the email exposes the credential harvesting site aryasanatco[.]ir/cache/mon.html.


  • Always hover over links to see the actual URL.
  • Avoid the temptation of clicking links on phones. Attackers take advantage of those small screens, which hide the real URL.