Taken from Threatglass.com: http://threatglass.com/malicious_urls/bg-mamma-com

Compromised Domain and Infection Chain
  • 2015-03-18 17:17:53 UTC - 94.156.15.157 - www.bg-mama.com - GET /
  • 2015-03-18 17:17:56 UTC - 94.156.15.152 - ads.bg-mama.COM - GET /www/delivery/ajs.php?zoneid=87&BoardID=home&cb=89555794061&charset=windows-1251&loc=http%3A//www.bg-mamma.com/

Sweet Orange EK
  • 2015-03-18 17:17:57 UTC - 217.172.185.43 - berg.liiberg.com - GET /vspdiu2.html
  • 2015-03-18 17:17:58 UTC - 95.167.6.136 - bujklo.buero101.ch:8181 - GET /bad/christmas.php?utilities=221527&strategy=196581&paper=125&create=143883&hardware=128696
  • 2015-03-18 17:18:07 UTC - 95.167.6.136 - bujklo.buero101.ch:8181 - GET /bad/lkZzpzmDX840ZRi

Post-Infection Traffic
  • 2015-03-18 17:18:23 UTC - 52.1.254.162 - ipinfo.io - GET /ip
  • 2015-03-18 17:18:23 UTC - 104.27.172.20 - 7tno4hib47vlep5o.42kjb11.net - GET /state1.php?[BASE64 ENCODED STRING 1]
  • 2015-03-18 17:18:25 UTC - 104.27.172.20 - 7tno4hib47vlep5o.42kjb11.net - GET /state1.php?[BASE64 ENCODED STRING 2]

Contents of Base64 Encoded URI Strings
Subject=Ping&key=50E833FD8E8DEA9E275E1956BFDF47BDD87B18ED4F6A904E2723A63F4A662603&addr=18ZPD9sgY3emxSYoh1YiLxMtacKBwaeWpr&files=0&size=0&version=0.3.3c&date=1426713500&OS=2600&ID=33&subid=0&gate=G0&is_admin=1&is_64=0&ip=64.235.155.80  
Subject=Crypted&key=50E833FD8E8DEA9E275E1956BFDF47BDD87B18ED4F6A904E2723A63F4A662603&addr=18ZPD9sgY3emxSYoh1YiLxMtacKBwaeWpr&files=92&size=6&version=0.3.3c&date=1426713502&OS=2600&ID=33&subid=0&gate=G0&is_admin=1&is_64=0&ip=64.235.155.80  

Known URI Commands and Descriptions

Command        Description
Subject=Ping   Ping request to the server
version=       Malware version
addr=          Bitcoin address
date=          Timestamp
OS=            OS version
ID=            Uniquely generated ID
is_admin=      Checking login from user or admin panel
ip=            Retrieving user IP address

SOURCE: https://blogs.mcafee.com/mcafee-labs/teslacrypt-joins-ransomware-field
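
The two beacons above are sent as a base64 string in the query of /state1.php. The following decoder is an added example (not code from the original post or from McAfee) that turns such a request URI back into the fields in the table, for triage of proxy or IDS logs. The base64 inputs are constructed here by re-encoding the decoded strings shown on the page, since the captured base64 itself is not reproduced.

```python
import base64
from urllib.parse import parse_qs, urlparse

# Constructed sample input: the two decoded beacon bodies from the page,
# re-encoded so the example runs offline.
DECODED_BEACONS = [
    "Subject=Ping&key=50E833FD8E8DEA9E275E1956BFDF47BDD87B18ED4F6A904E2723A63F4A662603"
    "&addr=18ZPD9sgY3emxSYoh1YiLxMtacKBwaeWpr&files=0&size=0&version=0.3.3c"
    "&date=1426713500&OS=2600&ID=33&subid=0&gate=G0&is_admin=1&is_64=0&ip=64.235.155.80",
    "Subject=Crypted&key=50E833FD8E8DEA9E275E1956BFDF47BDD87B18ED4F6A904E2723A63F4A662603"
    "&addr=18ZPD9sgY3emxSYoh1YiLxMtacKBwaeWpr&files=92&size=6&version=0.3.3c"
    "&date=1426713502&OS=2600&ID=33&subid=0&gate=G0&is_admin=1&is_64=0&ip=64.235.155.80",
]
SAMPLE_REQUESTS = [
    "/state1.php?" + base64.b64encode(b.encode()).decode() for b in DECODED_BEACONS
]


def decode_beacon(request_uri):
    """Return the beacon fields from a /state1.php?<base64> URI, or None if it is not one."""
    parsed = urlparse(request_uri)
    if parsed.path != "/state1.php" or not parsed.query:
        return None
    try:
        raw = base64.b64decode(parsed.query, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    # A TeslaCrypt beacon carries at least these keys (see the command table above).
    if not {"Subject", "key", "addr", "version"} <= fields.keys():
        return None
    return fields


def summarize(requests):
    """Reduce a list of request URIs to what the infected host reported to the C2."""
    events = []
    for uri in requests:
        f = decode_beacon(uri)
        if f is None:
            continue
        events.append({
            "stage": f["Subject"],                    # Ping = check-in, Crypted = done
            "files_encrypted": int(f.get("files", 0)),
            "btc_addr": f["addr"],                    # ransom wallet to block/track
            "key_prefix": f["key"][:8],               # enough to correlate, not to decrypt
            "victim_ip": f.get("ip"),
            "version": f["version"],
            "is_admin": f.get("is_admin") == "1",
        })
    return events
```

Run over real proxy logs, the "Crypted" event with a non-zero files count is the one that tells an incident responder that encryption has already completed on that host.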

Bitcoin Wallet Information

The wallet associated with this sample was empty when checked, and can be observed here: https://blockchain.info/address/18ZPD9sgY3emxSYoh1YiLxMtacKBwaeWpr

IDS alerts using the Emerging Threats Pro Ruleset

03/18/2015-17:18:07 192.168.37.10:1067 -> 95.167.6.136:8181 ET POLICY Outdated Windows Flash Version IE
03/18/2015-17:18:07 192.168.37.10:1067 -> 95.167.6.136:8181 ET CURRENT EVENTS Sweet Orange EK Flash Exploit IE March 03 2015
03/18/2015-17:18:08 192.168.37.10:1075 -> 95.167.6.136:8181 ET CURRENT EVENTS Possible Sweet Orange CVE-2014-6332 Payload Request
03/18/2015-17:18:08 95.167.6.136:8181 -> 192.168.37.10:1075 ET POLICY PE EXE or DLL Windows file download HTTP
03/18/2015-17:19:12 104.27.172.20:80 -> 192.168.37.10:1079 ETPRO TROJAN Win32/Tescrypt Ransomware HTTP CnC Beacon Response
03/18/2015-17:18:23 192.168.37.10:1078 -> 52.1.254.162:80 ETPRO POLICY Possible External IP Lookup ipinfo.io
03/18/2015-17:18:25 192.168.37.10:1079 -> 104.27.172.20:80 ETPRO TROJAN Win32/Tescrypt Ransomware HTTP CnC Beacon M1
03/18/2015-17:18:25 192.168.37.10:1079 -> 104.27.172.20:80 ETPRO TROJAN Win32/Tescrypt Ransomware HTTP CnC Beacon M2
03/18/2015-17:18:25 104.27.172.20:80 -> 192.168.37.10:1079 ETPRO TROJAN Win32/Tescrypt Ransomware HTTP CnC Beacon Response
03/18/2015-17:18:26 192.168.37.10:1079 -> 104.27.172.20:80 ETPRO TROJAN Win32/Tescrypt Ransomware HTTP CnC Beacon M1
03/18/2015-17:18:26 192.168.37.10:1079 -> 104.27.172.20:80 ETPRO TROJAN Win32/Tescrypt Ransomware HTTP CnC Beacon M2
03/18/2015-17:18:23 192.168.37.10:1062 -> 4.2.2.3:53 ETPRO TROJAN Win32/Tescrypt Ransomware .onion domain (7tno4hib47vlep5o)

Preliminary Malware Analysis

Flash Exploit

Malware Payload

Known Targeted Filetypes of TeslaCrypt

7z;.rar;.m4a;.wma;.avi;.wmv;.csv;.d3dbsp;.sc2save;.sie;.sum;.ibank;.t13;.t12;.qdf;.gdb;.tax;.pkpass;.bc6;.bc7;.bkp;.qic;.bkf;.sidn;.sidd;.mddata;.itl;.itdb;.icxs;.hvpl;
.hplg;.hkdb;.mdbackup;.syncdb;.gho;.cas;.svg;.map;.wmo;.itm;.sb;.fos;.mcgame;.vdf;.ztmp;.sis;.sid;.ncf;.menu;.layout;.dmp;.blob;.esm;.001;.vtf;.dazip;.fpk;.mlx;.kf;.iwd;
.vpk;.tor;.psk;.rim;.w3x;.fsh;.ntl;.arch00;.lvl;.snx;.cfr;.ff;.vpp_pc;.lrf;.m2;.mcmeta;.vfs0;.mpqge;.kdb;.db0;.DayZProfile;.rofl;.hkx;.bar;.upk;.das;.iwi;.litemod;.asset;
.forge;.ltx;.bsa;.apk;.re4;.sav;.lbf;.slm;.bik;.epk;.rgss3a;.pak;.big;.unity3d;.wotreplay;.xxx;.desc;.py;.m3u;.flv;.js;.css;.rb;.png;.jpeg;.txt;.p7c;.p7b;.p12;.pfx;.pem;
.crt;.cer;.der;.x3f;.srw;.pef;.ptx;.r3d;.rw2;.rwl;.raw;.raf;.orf;.nrw;.mrwref;.mef;.erf;.kdc;.dcr;.cr2;.crw;.bay;.sr2;.srf;.arw;.3fr;.dng;.jpe;.jpg;.cdr;.indd;.ai;.eps;
.pdf;.pdd;.psd;.dbfv;.mdf;.wb2;.rtf;.wpd;.dxg;.xf;.dwg;.pst;.accdb;.mdb;.pptm;.pptx;.ppt;.xlk;.xlsb;.xlsm;.xlsx;.xls;.wps;.docm;.docx;.doc;.odb;.odc;.odm;.odp;.ods;.odt;

NOTE: TeslaCrypt makes an extra effort to encrypt file types used by popular games such as Minecraft, DayZ, etc. It also targets the save files of those games (e.g. .unity3d, .wotreplay, etc.).

SOURCE: https://blogs.mcafee.com/mcafee-labs/teslacrypt-joins-ransomware-field

If you have any feedback or questions, please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.