glupteba | 2d7909db6a1d78f8db2c8d3b4338f484d4871d728cc8df14f9eb7482a97830c8 | Triage

Submit
Reports

Overview

overview

Static

static

3

df559463b0...18.exe

windows7-x64

df559463b0...18.exe

windows10-2004-x64

Sharing

General

Target

df559463b0a2106b2d19876a6a486a5b_JaffaCakes118
Size

3.8MB
Sample

240914-c3eftaselp
MD5

df559463b0a2106b2d19876a6a486a5b
SHA1

7e9d48fe122fd85ec9289c2633edc1772599e9be
SHA256

2d7909db6a1d78f8db2c8d3b4338f484d4871d728cc8df14f9eb7482a97830c8
SHA512

554cb5dd59b29be82c1de960725bd1ff3bdbe53d51a35022cd4a386a07600795a5d5331b232baea7330bbd5c1799b4d002dcf2bb9e25c303ad537c2e33d7c3ae
SSDEEP

98304:ZmI5a+EcATjIrJfbIejv66nq4veakSTO4AmCqV8ly:8GrhAHWlIuyieHSTjzVky

Score

10^/10

glupteba discovery dropper evasion loader persistence privilege_escalation rootkit

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

df559463b0a2106b2d19876a6a486a5b_JaffaCakes118.exe

Resource

win7-20240903-en

glupteba discovery dropper evasion loader persistence privilege_escalation

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

df559463b0a2106b2d19876a6a486a5b_JaffaCakes118.exe

Resource

win10v2004-20240802-en

glupteba discovery dropper evasion loader persistence privilege_escalation rootkit

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  df559463b0a2106b2d19876a6a486a5b_JaffaCakes118
- Size
  
  3.8MB
- MD5
  
  df559463b0a2106b2d19876a6a486a5b
- SHA1
  
  7e9d48fe122fd85ec9289c2633edc1772599e9be
- SHA256
  
  2d7909db6a1d78f8db2c8d3b4338f484d4871d728cc8df14f9eb7482a97830c8
- SHA512
  
  554cb5dd59b29be82c1de960725bd1ff3bdbe53d51a35022cd4a386a07600795a5d5331b232baea7330bbd5c1799b4d002dcf2bb9e25c303ad537c2e33d7c3ae
- SSDEEP
  
  98304:ZmI5a+EcATjIrJfbIejv66nq4veakSTO4AmCqV8ly:8GrhAHWlIuyieHSTjzVky
Score

10^/10

glupteba discovery dropper evasion loader persistence privilege_escalation rootkit
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Modifies boot configuration data using bcdedit
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gluptebadiscoverydropperevasionloaderpersistenceprivilege_escalation

behavioral2

gluptebadiscoverydropperevasionloaderpersistenceprivilege_escalationrootkit

© 2018-2024

Terms | Privacy