Extracted

• • Target

    5220119e225daa8de7871e3f37183496_JaffaCakes118

  • Size

    3.8MB

  • MD5

    5220119e225daa8de7871e3f37183496

  • SHA1

    eef71aab10366c2b255d37bdbc1e781edad26f7d

  • SHA256

    570ba7e85cdfb0cdbeaf7e73c53bbfb89ac887922f6aa52e5f30dd1385416e57

  • SHA512

    da8f76f7d0cb02c9b5f14bc5bab6ede78979856e2592d09c5ffa46a857088a717a870cf10998eb82e4dba3f8cd9beaca38d3a88559782bae1e5a52e83de8967a

  • SSDEEP

    98304:ch5GLUmHEfWAT6tgGsMztidl3/f8e1R7ze3jME:ch5QxaTSIMulsqR7

  Score

  10^/10

  gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  behavioral1behavioral2