
Win32/Troldesh


First posted on 14 July 2016.
Source: Microsoft

Aliases:

There are no other names known for Win32/Troldesh.

Explanation:

Installation

The threat creates the following files:

  • %APPDATA%\windows\crsrss.exe - copy of the malware
  • %ProgramData%\drivers\crsrss.exe - copy of the malware
  • %TEMP%\state.tmp - temporary file used for the encryption


It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Client Server Runtime Subsystem" or "CSRSS"
With data: ""

It also modifies the following registry entry - possibly as a way of storing configuration data the ransomware uses during encryption:

In subkey: HKLM\Software\System\Config
Sets value: "i"
With data: "", for example "f70cf3801cb6f9da2858"
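The installation artefacts above translate directly into a host check. The PowerShell below is an added example, not Microsoft's code or part of the original write-up: it reads the Run key, the Config value and the dropped-file paths listed here and changes nothing, assuming an elevated session and user profiles under C:\Users.

```powershell
# Added example, not from the original write-up: read-only triage of the
# Win32/Troldesh persistence and configuration artefacts described above.
# Assumes an elevated session; it reads registry values and files, changes nothing.
$findings = @()

# 1. Run-key value names reported above ("Client Server Runtime Subsystem" or "CSRSS").
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Client Server Runtime Subsystem', 'CSRSS') {
    $val = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($val) { $findings += "Run value '$name' present, data: $($val.$name)" }
}

# 2. Any Run value pointing at crsrss.exe, whatever it is called: the genuine
#    csrss.exe lives in %SystemRoot%\System32, never in %APPDATA% or %ProgramData%.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Value -is [string] -and $prop.Value -match 'crsrss\.exe') {
        $findings += "Run value '$($prop.Name)' references crsrss.exe: $($prop.Value)"
    }
}

# 3. The configuration value "i" under HKLM\Software\System\Config.
$cfg = Get-ItemProperty -Path 'HKLM:\Software\System\Config' -Name 'i' -ErrorAction SilentlyContinue
if ($cfg) { $findings += "Config value 'i' present, data: $($cfg.i)" }

# 4. Dropped copies and the temporary state file. %APPDATA% and %TEMP% are per-user,
#    so every profile under C:\Users (assumed profile root) is checked, not just ours.
$candidates = @("$env:ProgramData\drivers\crsrss.exe")
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $candidates += Join-Path $userDir.FullName 'AppData\Roaming\windows\crsrss.exe'
    $candidates += Join-Path $userDir.FullName 'AppData\Local\Temp\state.tmp'
}
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Troldesh installation indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the file paths is worth preserving (copy the file and its hash) before any cleanup, since the sample is what ties the host to this family.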

Payload

Encrypts your files

This threat encrypts files on your PC that have the following extensions.
  • 1cd
  • 3ds
  • 3fr
  • 3g2
  • 3gp
  • 7z
  • accda
  • accdb
  • accdc
  • accde
  • accdt
  • accdw
  • adb
  • adp
  • ai
  • ai3
  • ai4
  • ai5
  • ai6
  • ai7
  • ai8
  • anim
  • arw
  • as
  • asa
  • asc
  • ascx
  • asm
  • asmx
  • asp
  • aspx
  • asr
  • asx
  • avi
  • avs
  • backup
  • bak
  • bay
  • bd
  • bin
  • bmp
  • bz2
  • c
  • cbf
  • cdr
  • cer
  • cf
  • cfc
  • cfm
  • cfml
  • cfu
  • chm
  • cin
  • class
  • clx
  • config
  • cpp
  • cr2
  • crt
  • crw
  • crypted
  • cs
  • css
  • csv
  • cub
  • dae
  • dat
  • db
  • dbf
  • dbx
  • dc3
  • dcm
  • dcr
  • der
  • dib
  • dic
  • dif
  • divx
  • djvu
  • dmp
  • dng
  • doc
  • docm
  • docx
  • dot
  • dotm
  • dotx
  • dpx
  • dqy
  • dsn
  • dt
  • dtd
  • dwg
  • dwt
  • dx
  • dxf
  • edml
  • efd
  • elf
  • emf
  • eml
  • emz
  • epf
  • eps
  • epsf
  • epsp
  • erf
  • exr
  • f4v
  • fbk
  • fdb
  • fido
  • fld
  • flm
  • flv
  • frm
  • fxg
  • geo
  • gif
  • grs
  • gz
  • h
  • hdr
  • hpp
  • hta
  • htc
  • htm
  • html
  • icb
  • ics
  • iff
  • inc
  • indd
  • ini
  • iqy
  • j2c
  • j2k
  • java
  • jp2
  • jpc
  • jpe
  • jpeg
  • jpf
  • jpg
  • jpx
  • js
  • jsf
  • json
  • jsp
  • kdc
  • kmz
  • kwm
  • lasso
  • lbi
  • lgf
  • lgp
  • log
  • lst
  • m1v
  • m4a
  • m4v
  • max
  • md
  • mda
  • mdb
  • mde
  • mdf
  • mdw
  • mef
  • mft
  • mfw
  • mht
  • mhtml
  • mka
  • mkidx
  • mkv
  • mos
  • mov
  • mp3
  • mp4
  • mpeg
  • mpg
  • mpv
  • mrw
  • msg
  • mtr
  • mxl
  • myd
  • myi
  • nef
  • nrw
  • obj
  • odb
  • odc
  • odm
  • odp
  • ods
  • oft
  • one
  • onepkg
  • onetoc2
  • opt
  • oqy
  • orf
  • p12
  • p7b
  • p7c
  • pam
  • pbm
  • pct
  • pcx
  • pdd
  • pdf
  • pdp
  • pef
  • pem
  • pff
  • pfm
  • pfx
  • pgm
  • php
  • php3
  • php4
  • php5
  • phtml
  • pict
  • pl
  • pls
  • pm
  • png
  • pnm
  • pot
  • potm
  • potx
  • ppa
  • ppam
  • ppm
  • pps
  • ppsm
  • ppt
  • pptm
  • pptx
  • prn
  • ps
  • psb
  • psd
  • pst
  • ptx
  • pub
  • pwm
  • pxr
  • py
  • qt
  • r3d
  • raf
  • rar
  • raw
  • rdf
  • rgbe
  • rle
  • rqy
  • rss
  • rtf
  • rw2
  • rwl
  • safe
  • sct
  • sdpx
  • shtm
  • shtml
  • slk
  • sln
  • sql
  • sr2
  • srf
  • srw
  • ssi
  • st
  • stm
  • svg
  • svgz
  • swf
  • tab
  • tar
  • tbb
  • tbi
  • tbk
  • tdi
  • tga
  • thmx
  • tib
  • tif
  • tiff
  • tld
  • torrent
  • tpl
  • txt
  • u3d
  • udl
  • uxdc
  • vault
  • vb
  • vbk
  • vbm
  • vbs
  • vcs
  • vda
  • vdr
  • vdw
  • vdx
  • vhd
  • vib
  • vrp
  • vsd
  • vss
  • vst
  • vsw
  • vsx
  • vtm
  • vtml
  • vtx
  • wav
  • wb2
  • wbm
  • wbmp
  • wim
  • wmf
  • wml
  • wmv
  • wpd
  • wps
  • x3f
  • xl
  • xla
  • xlam
  • xlk
  • xlm
  • xls
  • xlsb
  • xlsm
  • xlsx
  • xlt
  • xltm
  • xltx
  • xlw
  • xml
  • xps
  • xsd
  • xsf
  • xsl
  • xslt
  • xsn
  • xtp
  • xtp2
  • xyze
  • xz
  • zip


The encrypted files will have their extension changed to one of the following:
  • .da_vinci_code
  • .magic_software_syndicate


In earlier versions, seen from April 2015 to June 2016, this ransomware renamed the encrypted file in the format =.xtbl, for example DWoqBAnMDpI9ij0IjGn1uaRpz-jzei37J5dFIrnROGE=.xtbl.

After it encrypts your files, the threat drops a ransom note in each folder where it encrypted files. The note has the file name in the format README.txt (for example, README8.txt) and looks like the following:

In July 2016 we saw a newer version that sends victims to a Tor website for the recovery code and ransom payment process. Note, however, that during analysis the website was blocked or not responding, as shown in the following screenshot:

It also displays a wallpaper that looks like the following (in some cases the message was garbled or included unidentifiable characters and symbols):

We've also seen the threat connect to the following remote servers on ports 443 and 80 to send information about your PC to a remote attacker:
  • 131.188.40.189
  • 194.109.206.212
  • 208.83.223.34
  • 86.59.21.38


It also connects to the legitimate website http://whatismyipaddress.com to determine the IP address of the infected PC.
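For a host suspected of already being infected, the file-name indicators above (.da_vinci_code, .magic_software_syndicate, the older =.xtbl form and the README<number>.txt notes) and the four remote servers can be swept for in one pass. The PowerShell below is an added example, not code from the original write-up; it assumes user data under C:\Users, an arbitrary cap of 200 hits, and a Windows 8 / Server 2012 or later host for Get-NetTCPConnection.

```powershell
# Added example, not from the original write-up: read-only sweep for signs that the
# ransomware has already run, built from the file-name and network indicators above.
# Assumptions: user data under C:\Users, a hit cap of 200, and Get-NetTCPConnection
# available (Windows 8 / Server 2012 or later).
$root = 'C:\Users'

# Current extensions, plus the older <name>=.xtbl form shown in the example above;
# the character class is an assumption based on that one base64-looking sample.
$encryptedPattern = '(\.da_vinci_code|\.magic_software_syndicate|[A-Za-z0-9+/_-]+=*\.xtbl)$'
# Ransom notes named README<number>.txt in each folder that was encrypted.
$notePattern = '^README\d+\.txt$'

$hits = @(Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $encryptedPattern -or $_.Name -match $notePattern } |
    Select-Object -First 200 FullName, Length, LastWriteTime)

if ($hits.Count -gt 0) {
    Write-Output "Found $($hits.Count) encrypted-file or ransom-note names (capped at 200):"
    $hits | Format-Table -AutoSize
    # The earliest LastWriteTime among the hits brackets when encryption began, which
    # scopes the incident and tells you which backup generation predates it.
    $first = ($hits | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    Write-Output "Earliest modification among hits: $first"
} else {
    Write-Output "No encrypted-file or ransom-note names found under $root."
}

# Live connections to the remote servers listed above (reported on ports 443 and 80).
$remoteServers = '131.188.40.189', '194.109.206.212', '208.83.223.34', '86.59.21.38'
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $remoteServers -contains $_.RemoteAddress }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    Write-Output "[!] $($c.State) connection to $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess) ($($proc.ProcessName))"
}
```

The network check only sees connections open at the moment it runs; proxy or firewall logs for those four addresses cover the time the host was unattended.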



Analysis by Marianne Mallen and Patrick Estavillo

Last update 14 July 2016
