troldesh | bf055e0f04414846fbfc039867115422f818bfb2b146ab12b965ec070a1c19d2

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
Size

970KB
MD5

f4f8ed0d68cc6573021d4b6f3e495ee2
SHA1

a2dbbcbfd5cec333d9297d1e36a64cb6c1d86edb
SHA256

bf055e0f04414846fbfc039867115422f818bfb2b146ab12b965ec070a1c19d2
SHA512

f81d61b142a102076b972b50e581a9794c5968d3c5f95261b17eda59eccc9b166f00a80fb060e07b3bc9ddc0fb31a9168e2ec347524daefca0e4021587c66b00
SSDEEP

24576:Wz0v09F1DrAIe6w0zpKlp+eSO/oA9QBYBjvwfg:G0cF/AW4df2BYt

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2324 set thread context of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/876-2-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-3-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-4-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-5-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-6-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-8-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-7-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-14-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-48-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-49-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-51-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-180-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-181-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-182-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-183-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-188-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-191-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-192-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-193-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-216-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-217-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-218-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-219-0x0000000000400000-0x00000000005DF000-memory.dmp	upx
behavioral2/memory/876-220-0x0000000000400000-0x00000000005DF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exef4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
3444	WINWORD.EXE
3444	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

pid	Process
876	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
876	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
876	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
876	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid	Process
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exef4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2324 wrote to memory of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82
PID 2324 wrote to memory of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82
PID 2324 wrote to memory of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82
PID 2324 wrote to memory of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82
PID 2324 wrote to memory of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82
PID 2324 wrote to memory of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82
PID 2324 wrote to memory of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82
PID 2324 wrote to memory of 876	2324	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	82
PID 876 wrote to memory of 3444	876	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	84
PID 876 wrote to memory of 3444	876	f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f4f8ed0d68cc6573021d4b6f3e495ee2_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9273700F.rtf" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9273700F.rtf

Filesize
20KB

MD5
01565b01777c655e265ee32f64b1ea80

SHA1
ba287f227caace28d5b4b20c5e32a7578ff3ead8

SHA256
a8c4f5a281a014df865d5b3ec1edce30d4f48b6bf4f66b649e8fb34f441145b4

SHA512
4f50153822a9002a32c041267f82ecb0a53b95f6354b6606aa7bf0f75ab7f9698671c09e2fb9784e270111a810e445744b1ddef73a2f7f5e425048451168524e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDFA4.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
b910be3ccc9a5f33d0cf2f585709ccb7

SHA1
0f27eaab3fc829ad661c973064b67db8b9b49462

SHA256
e9087f58adbc2742d2c5e2468021fdb5fe0c0e4d5d482adc93c333888383252f

SHA512
d18c69bd918229e2b64e538fc0ad78a99b7c92a0f324efd305e13d36b6bfd01d61a73832ca79db677219446f3cb860858044771a03317f58dff895f55a5279c3

Download Submit
memory/876-181-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-192-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-6-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-8-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-7-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-14-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-220-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-219-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-218-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-217-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-216-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-48-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-193-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-5-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-191-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-188-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-183-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-182-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-4-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-180-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-3-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-2-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-51-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/876-49-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2324-1-0x0000000002240000-0x000000000230D000-memory.dmp

Filesize
820KB

Download
memory/3444-21-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-29-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-34-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-33-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-32-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-50-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-52-0x00007FFF97D2D000-0x00007FFF97D2E000-memory.dmp

Filesize
4KB

Download
memory/3444-31-0x00007FFF55510000-0x00007FFF55520000-memory.dmp

Filesize
64KB

Download
memory/3444-53-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-25-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-62-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-26-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-30-0x00007FFF55510000-0x00007FFF55520000-memory.dmp

Filesize
64KB

Download
memory/3444-27-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-28-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-35-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-23-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-24-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-22-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-20-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download
memory/3444-212-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download
memory/3444-214-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download
memory/3444-213-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download
memory/3444-211-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download
memory/3444-215-0x00007FFF97C90000-0x00007FFF97E85000-memory.dmp

Filesize
2.0MB

Download
memory/3444-19-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download
memory/3444-17-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download
memory/3444-18-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download
memory/3444-16-0x00007FFF97D2D000-0x00007FFF97D2E000-memory.dmp

Filesize
4KB

Download
memory/3444-15-0x00007FFF57D10000-0x00007FFF57D20000-memory.dmp

Filesize
64KB

Download