troldesh | bf055e0f04414846fbfc039867115422f818bfb2b146ab12b965ec070a1c19d2

General

Target

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
Size

970KB
MD5

f4f8ed0d68cc6573021d4b6f3e495ee2
SHA1

a2dbbcbfd5cec333d9297d1e36a64cb6c1d86edb
SHA256

bf055e0f04414846fbfc039867115422f818bfb2b146ab12b965ec070a1c19d2
SHA512

f81d61b142a102076b972b50e581a9794c5968d3c5f95261b17eda59eccc9b166f00a80fb060e07b3bc9ddc0fb31a9168e2ec347524daefca0e4021587c66b00
SSDEEP

24576:Wz0v09F1DrAIe6w0zpKlp+eSO/oA9QBYBjvwfg:G0cF/AW4df2BYt

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2672 set thread context of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2188-4-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-8-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-6-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-7-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-9-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-10-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-11-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-16-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-23-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-24-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-25-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-27-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-28-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-29-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-30-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-33-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-34-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-35-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-36-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-37-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-56-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-57-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-58-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/2188-59-0x0000000000400000-0x00000000005DF000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exef4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exeWINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
2892	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

pid	Process
2188	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
2188	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid	Process
2892	WINWORD.EXE
2892	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exef4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exeWINWORD.EXE

description	pid	Process	procid_target
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2188	2672	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2892	2188	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2892	2188	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2892	2188	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2892	2188	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	31
PID 2892 wrote to memory of 2308	2892	WINWORD.EXE	33
PID 2892 wrote to memory of 2308	2892	WINWORD.EXE	33
PID 2892 wrote to memory of 2308	2892	WINWORD.EXE	33
PID 2892 wrote to memory of 2308	2892	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\B5D04CE4.rtf"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B5D04CE4.rtf

Filesize
20KB

MD5
01565b01777c655e265ee32f64b1ea80

SHA1
ba287f227caace28d5b4b20c5e32a7578ff3ead8

SHA256
a8c4f5a281a014df865d5b3ec1edce30d4f48b6bf4f66b649e8fb34f441145b4

SHA512
4f50153822a9002a32c041267f82ecb0a53b95f6354b6606aa7bf0f75ab7f9698671c09e2fb9784e270111a810e445744b1ddef73a2f7f5e425048451168524e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
7269c418550d2c8affab1f686f2a4a62

SHA1
c228bfbdae15dee017b837ea3a7602b80358a7fe

SHA256
f3a166c3d06f222faafddca5c2c8a7a9edc87ef67986dde98508e064de0ffafa

SHA512
646035f48f10e0fffc2072b98f34d1dd4937f9c183da083650cb9bbae61b7ee8e223c2aa089bcb407dae792466fcad9b8808c216bb8c50e6b208a04ee08f7228

Download Submit
memory/2188-24-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-34-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-8-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-6-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-7-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-9-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-25-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-11-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-58-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-16-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-56-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-37-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2188-23-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-59-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-57-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-10-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-27-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-28-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-29-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-30-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-33-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-4-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-35-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2188-36-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2672-1-0x00000000002E0000-0x00000000003AA000-memory.dmp

Filesize
808KB

Download
memory/2672-0-0x00000000002E0000-0x00000000003AA000-memory.dmp

Filesize
808KB

Download
memory/2892-19-0x0000000070EED000-0x0000000070EF8000-memory.dmp

Filesize
44KB

Download
memory/2892-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2892-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2892-26-0x0000000070EED000-0x0000000070EF8000-memory.dmp

Filesize
44KB

Download
memory/2892-17-0x000000002FD71000-0x000000002FD72000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads