General

  • Target

    JaffaCakes118_a89cf174dcb2daadea7b9f252308040d5277dfa07538f5fd7bdf8834fffb9f65

  • Size

    4.1MB

  • Sample

    241224-v2pt9stjgk

  • MD5

    22857e924f1a0153faac98c513e3a823

  • SHA1

    01b234b9161ef7d69b34059f73b65b45b1a07a7d

  • SHA256

    a89cf174dcb2daadea7b9f252308040d5277dfa07538f5fd7bdf8834fffb9f65

  • SHA512

    3c3342138a967cbf743d042a4dc8d56e110ad2451a7da0c33c7e73e1c5cdd478acc8635912d92480d03bf60a9e3635308e4c0e82e01214f45499ab3a9eb61b92

  • SSDEEP

    98304:nwbZJ20mG4DY+TCNLq6lOAbBcSU0YNFCfSR80szEp9eBGDI2VFzxso5:wlmA+ALbbSSUJP1Rfh97DXFzum

Malware Config

Targets

    • Target

      JaffaCakes118_a89cf174dcb2daadea7b9f252308040d5277dfa07538f5fd7bdf8834fffb9f65

    • Size

      4.1MB

    • MD5

      22857e924f1a0153faac98c513e3a823

    • SHA1

      01b234b9161ef7d69b34059f73b65b45b1a07a7d

    • SHA256

      a89cf174dcb2daadea7b9f252308040d5277dfa07538f5fd7bdf8834fffb9f65

    • SHA512

      3c3342138a967cbf743d042a4dc8d56e110ad2451a7da0c33c7e73e1c5cdd478acc8635912d92480d03bf60a9e3635308e4c0e82e01214f45499ab3a9eb61b92

    • SSDEEP

      98304:nwbZJ20mG4DY+TCNLq6lOAbBcSU0YNFCfSR80szEp9eBGDI2VFzxso5:wlmA+ALbbSSUJP1Rfh97DXFzum

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

MITRE ATT&CK Enterprise v15

Tasks