Malware Analysis Report

2024-09-22 12:22

Sample ID: 240501-q9wwbsgd2w
Target: 0bf909d7edbb48834020654296a99ea1_JaffaCakes118
SHA256: 210597746fbea00553304ea445d786834b0f0114f9aab82296b1f6fb3103a166
Tags: troldesh persistence ransomware trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 210597746fbea00553304ea445d786834b0f0114f9aab82296b1f6fb3103a166

Threat Level: Known bad

The file 0bf909d7edbb48834020654296a99ea1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

troldesh persistence ransomware trojan upx

Troldesh, Shade, Encoder.858

UPX packed file

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-01 13:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-01 13:58
Reported: 2024-05-01 14:00
Platform: win7-20240419-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe"

Network

Country  Destination         Domain  Proto
N/A      127.0.0.1:49196     N/A     tcp
US       208.83.223.34:80    N/A     tcp
SE       171.25.193.9:80     N/A     tcp

Files

memory/1148-0-0x0000000001EA0000-0x0000000001F6E000-memory.dmp
memory/1148-1-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1148-2-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1148-3-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1148-6-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1148-4-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1148-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-01 13:58
Reported: 2024-05-01 14:00
Platform: win10v2004-20240419-en
Max time kernel: 141s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0bf909d7edbb48834020654296a99ea1_JaffaCakes118.exe"

Network

Country  Destination          Domain      Proto
US       138.91.171.81:80     N/A         tcp
N/A      127.0.0.1:51432      N/A         tcp
US       8.8.8.8:53           g.bing.com  udp
NL       194.109.206.212:443  N/A         tcp
DE       131.188.40.189:443   N/A         tcp
US       8.8.8.8:53           g.bing.com  udp
SE       171.25.193.9:80      N/A         tcp

Files

memory/3184-0-0x00000000022B0000-0x000000000237E000-memory.dmp
memory/3184-1-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-2-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-3-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-4-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-6-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-9-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-10-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-11-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-12-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-13-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-16-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-17-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-18-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-19-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-20-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-21-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-22-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-23-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3184-24-0x0000000000400000-0x00000000005DE000-memory.dmp