Extracted

• • Target

    506695f323a3e831b28cf194e14d572a_JaffaCakes118

  • Size

    4.5MB

  • MD5

    506695f323a3e831b28cf194e14d572a

  • SHA1

    15d120115c0e52ff5aaa62bcf39e148c1a4b0436

  • SHA256

    5a410e2d5807f2337a8cf55a7fbfdfa490e9835e5409660591fd6fad7eafcda0

  • SHA512

    19b179919accf088c2d233ea00624a0aceee6e4b928841e15be19b3aacab4d030739822bf6ffca2f1511a893247a24f731a58080f37a8af12da5af56bb3f895e

  • SSDEEP

    98304:dtG1sk31IjxYRPzCEqGQWxo+8hrWhbl6L5W3zcILrjjqKAvGLcHfY:fGKk3gazNQWP6LaNmSc/Y

  Score

  10^/10

  gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion

  • Drops file in System32 directory

  behavioral1behavioral2