glupteba | 8aec9a6d0849cb10d68adb2ac069a69cbd34b099d410ace5756563dcf52fd79a | Triage

Submit
Reports

Overview

overview

Static

static

3

49b255c367...18.exe

windows7-x64

49b255c367...18.exe

windows10-2004-x64

Sharing

General

Target

49b255c3678aca8e3cf2a86c2610da0b_JaffaCakes118
Size

3.8MB
Sample

240516-gpelwafc46
MD5

49b255c3678aca8e3cf2a86c2610da0b
SHA1

837a833d0f2104a8609defcbd25e839d8d320c4f
SHA256

8aec9a6d0849cb10d68adb2ac069a69cbd34b099d410ace5756563dcf52fd79a
SHA512

0258025b96bf7ccec1e99083e0c013de256b0997ed2d043dc39cc63b917f656ca7fb11bfd62966f51fcc502a22f907a8d5ca528d836997cbc4c0043eb5a2a513
SSDEEP

98304:WqPTssyIDURgRgmLC75C3WJ1y4qjfPjvcP/x+VTgBwM:WsIsycURgRg9oq1y5jPIkVT6

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

49b255c3678aca8e3cf2a86c2610da0b_JaffaCakes118.exe

Resource

win7-20240508-en

glupteba discovery dropper evasion loader persistence rootkit trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

49b255c3678aca8e3cf2a86c2610da0b_JaffaCakes118.exe

Resource

win10v2004-20240426-en

glupteba discovery dropper evasion loader persistence rootkit

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  49b255c3678aca8e3cf2a86c2610da0b_JaffaCakes118
- Size
  
  3.8MB
- MD5
  
  49b255c3678aca8e3cf2a86c2610da0b
- SHA1
  
  837a833d0f2104a8609defcbd25e839d8d320c4f
- SHA256
  
  8aec9a6d0849cb10d68adb2ac069a69cbd34b099d410ace5756563dcf52fd79a
- SHA512
  
  0258025b96bf7ccec1e99083e0c013de256b0997ed2d043dc39cc63b917f656ca7fb11bfd62966f51fcc502a22f907a8d5ca528d836997cbc4c0043eb5a2a513
- SSDEEP
  
  98304:WqPTssyIDURgRgmLC75C3WJ1y4qjfPjvcP/x+VTgBwM:WsIsycURgRg9oq1y5jPIkVT6
Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Windows security bypass
  evasion trojan
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Modifies boot configuration data using bcdedit
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gluptebadiscoverydropperevasionloaderpersistencerootkittrojan

behavioral2

gluptebadiscoverydropperevasionloaderpersistencerootkit

© 2018-2025

Terms | Privacy