General

  • Target

    JaffaCakes118_8dd5c780be1ed95ae82aac7f88e94fcb023efc736529358a0754f16b807b1192

  • Size

    4.1MB

  • Sample

    241225-dw8azswpek

  • MD5

    6bccd68eb748a31b7e4d64efb9103d2a

  • SHA1

    02c2be8ce749c366921d42344be7b4261c370b2c

  • SHA256

    8dd5c780be1ed95ae82aac7f88e94fcb023efc736529358a0754f16b807b1192

  • SHA512

    6110301f782cc4679e5afac18cb7895ab330b5a923449b82db161f9a5ddab3df3d1c4cf745f6a9c80ed887d5a8a488084d04876f30d7077c089139ff61335d82

  • SSDEEP

    98304:rUOR7DOJ1Vh0PKti+7huYVRXOOrli73kM/c6LJGW+AW1qNVEuL:AOl0JNtf1jrcjkM/jLgWrZ7EuL

Targets

    • Target

      JaffaCakes118_8dd5c780be1ed95ae82aac7f88e94fcb023efc736529358a0754f16b807b1192

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system. On 64-bit Windows, Kernel Patch Protection (PatchGuard) crashes the system when it detects such patches, so a rootkit that wants to persist in the kernel must first find a way around it.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMon driver

      Rootkits write to the WinMon device to hide PIDs from process enumeration.

    • Manipulates WinMonFS driver

      Rootkits write to the WinMonFS device to hide directories and files from file-system enumeration.
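The signatures above are what a sandbox fires after observing the sample's process, registry, file and device activity. The following added example (not part of this report, and not the sandbox's own rule set) shows how a handful of those signatures can be expressed as rules over a stream of behaviour events. The event lines are constructed for the example; the event format, the bcdedit switches treated as a security bypass (testsigning, nointegritychecks) and the device paths \\.\WinMon and \\.\WinMonFS are assumptions about how this behaviour typically appears, not values the report states.

```python
"""Rule-based matching of sandbox behaviour events against signature names
taken from this report.  Added example; events and rule details are
constructed / assumed, not extracted from the report."""
import re
from collections import defaultdict

# Constructed event lines: "<kind>|<field>=<value>|<field>=<value>..."
# Values (command lines, registry paths) may themselves contain '=',
# so each field is split on its first '=' only.
SAMPLE_EVENTS = [
    "process|image=C:\\Windows\\System32\\bcdedit.exe|cmd=bcdedit /set testsigning on",
    "process|image=C:\\Windows\\System32\\bcdedit.exe|cmd=bcdedit /set nointegritychecks on",
    "registry|op=set|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|name=updater|value=C:\\Users\\Public\\svc.exe",
    "registry|op=query|key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip",
    "file|op=create|path=C:\\Windows\\System32\\drivers\\WinMon.sys",
    "device|op=ioctl|path=\\\\.\\WinMon",
    "device|op=ioctl|path=\\\\.\\WinMonFS",
    "process|image=C:\\Windows\\System32\\netsh.exe|cmd=netsh advfirewall firewall add rule name=csrss dir=in action=allow program=C:\\Users\\Public\\svc.exe",
    "process|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe",
]

# Each rule: (signature name from the report, event kind, allowed ops or
# None for any, field to inspect, regex on that field).  The regexes are
# assumptions about how the behaviour shows up, not the sandbox's rules.
RULES = [
    ("Modifies boot configuration data using bcdedit", "process", None,
     "image", r"\\bcdedit\.exe$"),
    # Assumption: bcdedit switches that relax driver-signature enforcement.
    ("Windows security bypass", "process", None,
     "cmd", r"^bcdedit\b.*\b(testsigning|nointegritychecks)\b"),
    ("Adds Run key to start application", "registry", {"set"},
     "key", r"\\CurrentVersion\\Run$"),
    ("Checks installed software on the system", "registry", {"query"},
     "key", r"\\CurrentVersion\\Uninstall(\\|$)"),
    ("Drops file in Drivers directory", "file", {"create"},
     "path", r"^C:\\Windows\\System32\\drivers\\"),
    # '$' keeps WinMon from also matching WinMonFS.
    ("Manipulates WinMon driver", "device", None,
     "path", r"^\\\\\.\\WinMon$"),
    ("Manipulates WinMonFS driver", "device", None,
     "path", r"^\\\\\.\\WinMonFS$"),
    ("Modifies Windows Firewall", "process", None,
     "cmd", r"^netsh\s+advfirewall\b"),
]

COMPILED = [(name, kind, ops, field, re.compile(rx, re.IGNORECASE))
            for name, kind, ops, field, rx in RULES]


def parse_event(line: str) -> dict:
    """Turn one constructed event line into {'kind': ..., field: value, ...}."""
    kind, *parts = line.split("|")
    event = {"kind": kind}
    for part in parts:
        key, _, value = part.partition("=")   # first '=' only
        event[key] = value
    return event


def match_signatures(lines) -> dict:
    """Map each fired signature name to the event lines that triggered it."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for name, kind, ops, field, rx in COMPILED:
            if ev["kind"] != kind:
                continue
            if ops is not None and ev.get("op") not in ops:
                continue
            if rx.search(ev.get(field, "")):
                hits[name].append(line)
    return dict(hits)


def fired(lines) -> list:
    """Sorted list of signature names that fired on the given events."""
    return sorted(match_signatures(lines))


if __name__ == "__main__":
    for name, lines in sorted(match_signatures(SAMPLE_EVENTS).items()):
        print(name)
        for line in lines:
            print("   ", line)
```

A real pipeline would consume the sandbox's own event schema rather than this toy format, but the shape is the same: per-event-kind rules, an op filter where one matters (a query of the Uninstall key is reconnaissance, a write to the Run key is persistence), and anchored regexes so that related device names such as WinMon and WinMonFS are reported as the distinct signatures this report lists.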
