troldesh | 2656b3bed5bed61f95dd140fbc74a6768e99a548f988411ed2bdb3b9a158bb51

General

Target

de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe
Size

957KB
MD5

de8a03cda24007751d76f6db55b8a14b
SHA1

fa117e501780dd846f52b7317d040c5625046e08
SHA256

2656b3bed5bed61f95dd140fbc74a6768e99a548f988411ed2bdb3b9a158bb51
SHA512

3c7b371b90eed92db9793d3814b517e3c6dcdd1797b77db253d6668b26a6cabacc70cae9bb9dda803c542463c266afa5546ec2102fdb84b0ec495a2cd5e722f7
SSDEEP

24576:8a1UfIsnPQpBMQtURHxlqi5edeoBRkmb:8a1YIGoBMpKi5ed7x

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-5-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1992-6-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1992-7-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1992-4-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1992-8-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1992-10-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1992-9-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1992-15-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1992-22-0x0000000000400000-0x00000000005DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1620	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe
1992	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1620	WINWORD.EXE
1620	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1992	2184	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	30
PID 1992 wrote to memory of 1620	1992	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	31
PID 1992 wrote to memory of 1620	1992	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	31
PID 1992 wrote to memory of 1620	1992	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	31
PID 1992 wrote to memory of 1620	1992	de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2812	1620	WINWORD.EXE	33
PID 1620 wrote to memory of 2812	1620	WINWORD.EXE	33
PID 1620 wrote to memory of 2812	1620	WINWORD.EXE	33
PID 1620 wrote to memory of 2812	1620	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de8a03cda24007751d76f6db55b8a14b_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\C0FB29B0.rtf"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C0FB29B0.rtf

Filesize
20KB

MD5
01565b01777c655e265ee32f64b1ea80

SHA1
ba287f227caace28d5b4b20c5e32a7578ff3ead8

SHA256
a8c4f5a281a014df865d5b3ec1edce30d4f48b6bf4f66b649e8fb34f441145b4

SHA512
4f50153822a9002a32c041267f82ecb0a53b95f6354b6606aa7bf0f75ab7f9698671c09e2fb9784e270111a810e445744b1ddef73a2f7f5e425048451168524e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
69696bcc549456afbb64563a1d366130

SHA1
09b5b6e2024d53956d20d128be3a53dead4c1c52

SHA256
184e2a531fd5af64971456c7fa6dee1f6f917af08d139b8d169e62d76e39c4be

SHA512
9fa5d57a0e122148f411b47d1801b6b3a95734b0c5be2a12e22b6fd76c2b3b745b1d266f39b8c7411caabf194db8387421de646a8f74d1215b34d247c30062a2

Download Submit
memory/1620-16-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

Filesize
4KB

Download
memory/1620-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1620-23-0x0000000070ADD000-0x0000000070AE8000-memory.dmp

Filesize
44KB

Download
memory/1620-18-0x0000000070ADD000-0x0000000070AE8000-memory.dmp

Filesize
44KB

Download
memory/1620-17-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1992-7-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1992-10-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1992-9-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1992-8-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1992-15-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1992-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1992-4-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1992-22-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1992-6-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1992-5-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2184-0-0x0000000000220000-0x00000000002EA000-memory.dmp

Filesize
808KB

Download
memory/2184-1-0x0000000000220000-0x00000000002EA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads