General
-
Target
6bf2156d9758b896d7914a7279ef1493_JaffaCakes118
-
Size
3.9MB
-
Sample
240523-xlsmbsce4z
-
MD5
6bf2156d9758b896d7914a7279ef1493
-
SHA1
74793ca6a602aae0a81fad7808d63b3d0d5a8070
-
SHA256
1aa494bed3c60e98e9f25c40e71f4f709c79d46f00f04dfc2ba09d6e465de172
-
SHA512
3bf97144fb7605682786c01251f29ec0d378e495e65a967179cdfefaa516ce55da0914f515934103779cd9f354454b223bbe48b5243a4fabbb5ff4862c919592
-
SSDEEP
98304:dmGnePFpOW96HNA0bxKyyfdPfWbTua44/FMyI2S:dmGnePb96tATYbTZ9
Malware Config
Targets
-
-
Target
6bf2156d9758b896d7914a7279ef1493_JaffaCakes118
-
Size
3.9MB
-
MD5
6bf2156d9758b896d7914a7279ef1493
-
SHA1
74793ca6a602aae0a81fad7808d63b3d0d5a8070
-
SHA256
1aa494bed3c60e98e9f25c40e71f4f709c79d46f00f04dfc2ba09d6e465de172
-
SHA512
3bf97144fb7605682786c01251f29ec0d378e495e65a967179cdfefaa516ce55da0914f515934103779cd9f354454b223bbe48b5243a4fabbb5ff4862c919592
-
SSDEEP
98304:dmGnePFpOW96HNA0bxKyyfdPfWbTua44/FMyI2S:dmGnePb96tATYbTZ9
Score10/10-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload
-
Windows security bypass
-
Modifies Windows Firewall
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver.
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Modifies boot configuration data using bcdedit
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1