Extracted

• • Target

    21f2e4762d6561f553b5cec43d198fc6_JaffaCakes118

  • Size

    4.4MB

  • MD5

    21f2e4762d6561f553b5cec43d198fc6

  • SHA1

    aa44403f4a81ecfd64ff9dbbd364ebb1cd062a30

  • SHA256

    a9294c433bbf08323194ea02fd2275c09f73280b5e4df1572ab001d9bca57126

  • SHA512

    6d2232b644bdc504865b272dc09f4fcb49673426807ed276fc95e53951db27adb64d8f32241755c33257c81a29833f173e867d7443f77a9eefb1c4660760908f

  • SSDEEP

    98304:g/5AoQZkoxd9PfzkBnhaqifi+D6Xmd+68xyvSAvYu:U5XqfJkRWc68cvSAh

  Score

  10^/10

  gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  behavioral1behavioral2