Troldesh (Malware Family)

win.troldesh (Back to overview)

Troldesh

aka: Shade

URLhaus

There is no description at this point.

References

https://blog.avast.com/ransomware-strain-troldesh-spikes

https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/

https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/

https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/

https://securelist.com/the-shade-encryptor-a-double-threat/72087/

https://support.kaspersky.com/13059

https://www.paloaltonetworks.jp/company/in-the-news/2019/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada

https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/

Yara Rules

[TLP:WHITE] win_troldesh_auto (20190620 | autogenerated rule brought to you by yara-signator)

rule win_troldesh_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { ff4dec 75?? 8b45fc 8b4df8 832000 6a00 ff75e0 }
            // n = 7, score = 600
            //   ff4dec               | dec                 dword ptr [ebp - 0x14]
            //   75??                 |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   832000               | and                 dword ptr [eax], 0
            //   6a00                 | push                0
            //   ff75e0               | push                dword ptr [ebp - 0x20]

        $sequence_1 = { ff750c e8???????? 59 40 50 ff750c 6a00 }
            // n = 7, score = 600
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6a00                 | push                0

        $sequence_2 = { ff750c 8bcb e8???????? 59 85c0 74?? 6a01 }
            // n = 7, score = 600
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   6a01                 | push                1

        $sequence_3 = { ffd7 50 8d75cc e8???????? 8d5df4 e9???????? ba00020000 }
            // n = 7, score = 600
            //   ffd7                 | call                edi
            //   50                   | push                eax
            //   8d75cc               | lea                 esi, [ebp - 0x34]
            //   e8????????           |                     
            //   8d5df4               | lea                 ebx, [ebp - 0xc]
            //   e9????????           |                     
            //   ba00020000           | mov                 edx, 0x200

        $sequence_4 = { ff750c b900010000 53 e8???????? 83c410 85c0 0f8????????? }
            // n = 7, score = 600
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   b900010000           | mov                 ecx, 0x100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   0f8?????????         |                     

        $sequence_5 = { ff7508 e8???????? eb?? 837d0c02 75?? ff7704 ff7604 }
            // n = 7, score = 600
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   eb??                 |                     
            //   837d0c02             | cmp                 dword ptr [ebp + 0xc], 2
            //   75??                 |                     
            //   ff7704               | push                dword ptr [edi + 4]
            //   ff7604               | push                dword ptr [esi + 4]

        $sequence_6 = { ff15???????? 8945f4 8d4ddc e8???????? 85c0 74?? 8b83b4000000 }
            // n = 7, score = 600
            //   ff15????????         |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   8b83b4000000         | mov                 eax, dword ptr [ebx + 0xb4]

        $sequence_7 = { ff37 8bc8 e8???????? 8b7708 83c40c 8945fc 3bf3 }
            // n = 7, score = 600
            //   ff37                 | push                dword ptr [edi]
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8b7708               | mov                 esi, dword ptr [edi + 8]
            //   83c40c               | add                 esp, 0xc
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   3bf3                 | cmp                 esi, ebx

        $sequence_8 = { ff75f8 8b8888000000 ffb0b4000000 83c30c ffb0ac000000 53 8d5de4 }
            // n = 7, score = 600
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8b8888000000         | mov                 ecx, dword ptr [eax + 0x88]
            //   ffb0b4000000         | push                dword ptr [eax + 0xb4]
            //   83c30c               | add                 ebx, 0xc
            //   ffb0ac000000         | push                dword ptr [eax + 0xac]
            //   53                   | push                ebx
            //   8d5de4               | lea                 ebx, [ebp - 0x1c]

        $sequence_9 = { ff75dc 2b4ddc 8b5718 e8???????? 59 8b4d08 894718 }
            // n = 7, score = 600
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   2b4ddc               | sub                 ecx, dword ptr [ebp - 0x24]
            //   8b5718               | mov                 edx, dword ptr [edi + 0x18]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   894718               | mov                 dword ptr [edi + 0x18], eax

    condition:
        7 of them
}

Download all Yara Rules

Troldesh Propose Change

References

Yara Rules

Troldesh