troldesh | 419b58241dbd45290d73edbaa31b5e61a31aef66c6a7549f7e57b2f7bc3d5c47

General

Target

e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe
Size

1006KB
MD5

e6ad148b2d8468bcde2d5aad16934ca6
SHA1

4b7da2ffbe51de47c2a688bb51e83d72e65189c1
SHA256

419b58241dbd45290d73edbaa31b5e61a31aef66c6a7549f7e57b2f7bc3d5c47
SHA512

8049ce523e041d5969a392a674a4b40ccbe88e7a9cf11b403dcaa975622e376aa372473192bb97b283c41e710e88ee4fd85fd0435282703791e7251b79ce79cf
SSDEEP

24576:4ijAr3rB+EL+UyuMdVIKyBJyqBCu7/Wedrh2O:XetL3yuMtmFCatf

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-4-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1720-6-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1720-7-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1720-5-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1720-8-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1720-9-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1720-10-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1720-15-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/1720-22-0x0000000000400000-0x00000000005DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe
1720	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	WINWORD.EXE
2708	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 2848 wrote to memory of 1720	2848	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2708	1720	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2708	1720	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2708	1720	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2708	1720	e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2588	2708	WINWORD.EXE	34
PID 2708 wrote to memory of 2588	2708	WINWORD.EXE	34
PID 2708 wrote to memory of 2588	2708	WINWORD.EXE	34
PID 2708 wrote to memory of 2588	2708	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e6ad148b2d8468bcde2d5aad16934ca6_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4093D16C.rtf"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4093D16C.rtf

Filesize
20KB

MD5
01565b01777c655e265ee32f64b1ea80

SHA1
ba287f227caace28d5b4b20c5e32a7578ff3ead8

SHA256
a8c4f5a281a014df865d5b3ec1edce30d4f48b6bf4f66b649e8fb34f441145b4

SHA512
4f50153822a9002a32c041267f82ecb0a53b95f6354b6606aa7bf0f75ab7f9698671c09e2fb9784e270111a810e445744b1ddef73a2f7f5e425048451168524e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
9b297e2343a48b3ef7e76fd3d12a6b2d

SHA1
3637f2669ec41e0a7d2da09fc98608a89d9df180

SHA256
7d43d79a42ad7b834a02cd0ee1ab4d9191daf29d07b95cb4a5074af1136b13ad

SHA512
220e938f627a7aec90a83752f916b2c346fa87635d0352a6659e3bf6989c3f06c87fa1d7071c121a708e5f73456a57b3c61f75970f327e11173a792dad028144

Download Submit
memory/1720-9-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1720-15-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1720-7-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1720-5-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1720-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1720-8-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1720-22-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1720-10-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1720-4-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/1720-6-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2708-17-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2708-18-0x0000000070FFD000-0x0000000071008000-memory.dmp

Filesize
44KB

Download
memory/2708-16-0x000000002F771000-0x000000002F772000-memory.dmp

Filesize
4KB

Download
memory/2708-23-0x0000000070FFD000-0x0000000071008000-memory.dmp

Filesize
44KB

Download
memory/2708-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2848-0-0x00000000003E0000-0x00000000004AA000-memory.dmp

Filesize
808KB

Download
memory/2848-1-0x00000000003E0000-0x00000000004AA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads