General

  • Target

    JaffaCakes118_0f5921aaa13214fc1639e9404120f1656fe1c0e9e760db312341c5181076b9eb

  • Size

    4.4MB

  • Sample

    241224-sxbqqs1kdj

  • MD5

    0ac7860a9a8e51fb6d022fcfe14fd71a

  • SHA1

    99a4ed508cfe1fda1d1fdd56b5f8e01fcb18d6ba

  • SHA256

    0f5921aaa13214fc1639e9404120f1656fe1c0e9e760db312341c5181076b9eb

  • SHA512

    ad2ae3241e967bb3537ea080aacb1f2be01320e4b6efcb89d3a54b4cf67c3dc28835a3fae102613da6d95e37b88c715b5a1a58e4c95da6ee466f0426e9f57f8d

  • SSDEEP

    98304:DjclCdR7DBpAvFfu6BlluenFTKAut/2l6wCLD4H0qzJ2uXZOyn+Yr:8lCdR79MuEEebtfHtbnfr

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      JaffaCakes118_0f5921aaa13214fc1639e9404120f1656fe1c0e9e760db312341c5181076b9eb

    • Size

      4.4MB

    • MD5

      0ac7860a9a8e51fb6d022fcfe14fd71a

    • SHA1

      99a4ed508cfe1fda1d1fdd56b5f8e01fcb18d6ba

    • SHA256

      0f5921aaa13214fc1639e9404120f1656fe1c0e9e760db312341c5181076b9eb

    • SHA512

      ad2ae3241e967bb3537ea080aacb1f2be01320e4b6efcb89d3a54b4cf67c3dc28835a3fae102613da6d95e37b88c715b5a1a58e4c95da6ee466f0426e9f57f8d

    • SSDEEP

      98304:DjclCdR7DBpAvFfu6BlluenFTKAut/2l6wCLD4H0qzJ2uXZOyn+Yr:8lCdR79MuEEebtfHtbnfr

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

MITRE ATT&CK Enterprise v15

Tasks