glupteba | 6f0af1f782289f75b963ac429399a3fecd4562b43d92ec8af604a697fc65d570

General

Target

f56cbedf051f473ce6bc625706b029dd_JaffaCakes118.exe
Size

4.5MB
MD5

f56cbedf051f473ce6bc625706b029dd
SHA1

4513d8f1905194c1537088097bbe0d6f09b47ebc
SHA256

6f0af1f782289f75b963ac429399a3fecd4562b43d92ec8af604a697fc65d570
SHA512

fb5b6d0afb4f3f1428e9bce03b99c6c3b0c35f5fd17274a649665ce3342ce0b3a18676e1b2866e1fdfe5d40ddb7ab5e80605549ae219016168d5b3f05ca9c820
SSDEEP

98304:QDdR08gz5K/dKINhNCPjTl24xdoV/w+HX8xAglnLoL:1F1KjhNCLB+XglUL

Score

10^/10

glupteba metasploit backdoor dropper evasion loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1476-2-0x00000000058C0000-0x00000000061E6000-memory.dmp	family_glupteba
behavioral2/memory/1476-3-0x0000000000400000-0x000000000367B000-memory.dmp	family_glupteba
behavioral2/memory/1476-4-0x0000000000400000-0x000000000367B000-memory.dmp	family_glupteba
behavioral2/memory/1476-6-0x00000000058C0000-0x00000000061E6000-memory.dmp	family_glupteba
behavioral2/memory/4948-8-0x0000000000400000-0x000000000367B000-memory.dmp	family_glupteba
behavioral2/memory/2440-16-0x0000000000400000-0x000000000367B000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2688 netsh.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4416 schtasks.exe
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 35 Go-http-client/1.1
HTTP User-Agent header 36 Go-http-client/1.1
HTTP User-Agent header 20 Go-http-client/1.1

pid	process
2688	netsh.exe

pid	process
4416	schtasks.exe

description	flow	ioc
HTTP User-Agent header	35	Go-http-client/1.1
HTTP User-Agent header	36	Go-http-client/1.1
HTTP User-Agent header	20	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\f56cbedf051f473ce6bc625706b029dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f56cbedf051f473ce6bc625706b029dd_JaffaCakes118.exe"
1⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\f56cbedf051f473ce6bc625706b029dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f56cbedf051f473ce6bc625706b029dd_JaffaCakes118.exe"
2⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3576

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2688

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /197-197
3⤵
PID:2440

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4416

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
f56cbedf051f473ce6bc625706b029dd

SHA1
4513d8f1905194c1537088097bbe0d6f09b47ebc

SHA256
6f0af1f782289f75b963ac429399a3fecd4562b43d92ec8af604a697fc65d570

SHA512
fb5b6d0afb4f3f1428e9bce03b99c6c3b0c35f5fd17274a649665ce3342ce0b3a18676e1b2866e1fdfe5d40ddb7ab5e80605549ae219016168d5b3f05ca9c820

Download Submit
memory/1476-2-0x00000000058C0000-0x00000000061E6000-memory.dmp

Filesize
9.1MB

Download
memory/1476-3-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/1476-4-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/1476-6-0x00000000058C0000-0x00000000061E6000-memory.dmp

Filesize
9.1MB

Download
memory/1476-1-0x0000000005470000-0x00000000058B6000-memory.dmp

Filesize
4.3MB

Download
memory/2440-28-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-30-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-15-0x0000000005800000-0x0000000005D00000-memory.dmp

Filesize
5.0MB

Download
memory/2440-16-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-17-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-36-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-23-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-24-0x0000000005800000-0x0000000005D00000-memory.dmp

Filesize
5.0MB

Download
memory/2440-25-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-26-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-27-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-35-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-29-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-34-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-31-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-32-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/2440-33-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/4948-13-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/4948-7-0x00000000053A0000-0x00000000057E1000-memory.dmp

Filesize
4.3MB

Download
memory/4948-8-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads