General

  • Target

    f5ef6f1272125d6166ac834f0dc7d9b3a180376842d2f77364b8f9d148161fa2_JaffaCakes118

  • Size

    7.0MB

  • Sample

    240417-ra872sah28

  • MD5

    d21729d60ced8c477d5f57530304804d

  • SHA1

    97d7b61d1dc8d3d1df40285a3c8db9bf3cd34886

  • SHA256

    f5ef6f1272125d6166ac834f0dc7d9b3a180376842d2f77364b8f9d148161fa2

  • SHA512

    ec62a4b54da01abc23b5006c11cbf566cca7b55411fa421823c519238f08181b6720a2895c27c6471951d61aa947ec9f9d3fe5a43646aa760dfedcf6cd407d80

  • SSDEEP

    196608:BBNOLc47a43SUkAUIS5sCtSZ9OpZhic4tvt:BCha4nkA3S5rtSz+Zcc45t

Malware Config

Targets

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Manipulates WinMon driver

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks