General

  • Target

    JaffaCakes118_b29aa7bdfb6c1e7ee9e5532ef23befac8ba986ff6223d76c3469ccb78c78d2e3

  • Size

    4.3MB

  • Sample

    241229-dnhela1kcq

  • MD5

    26cefac7897d676110a89a07c959e8f6

  • SHA1

    8855963712801e9aacd2e6d1e5301e121cfdc93c

  • SHA256

    b29aa7bdfb6c1e7ee9e5532ef23befac8ba986ff6223d76c3469ccb78c78d2e3

  • SHA512

    8266168d109ca7b28311bfa1da984f46fa9d1e883e70dc72f60d9f89d6c5fef64467c94fc596d672adeb48d9db1be0891bc938d57c95cc2e05e609dfc091e46b

  • SSDEEP

    98304:6a7zpNftkUvrbe0N/Dr09zGVCU2GXDxCcxTmKMTk/C20I4B48Lqa:Z3CUvnnDqzGpF/IlQD0b1n

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      JaffaCakes118_b29aa7bdfb6c1e7ee9e5532ef23befac8ba986ff6223d76c3469ccb78c78d2e3

    • Size

      4.3MB

    • MD5

      26cefac7897d676110a89a07c959e8f6

    • SHA1

      8855963712801e9aacd2e6d1e5301e121cfdc93c

    • SHA256

      b29aa7bdfb6c1e7ee9e5532ef23befac8ba986ff6223d76c3469ccb78c78d2e3

    • SHA512

      8266168d109ca7b28311bfa1da984f46fa9d1e883e70dc72f60d9f89d6c5fef64467c94fc596d672adeb48d9db1be0891bc938d57c95cc2e05e609dfc091e46b

    • SSDEEP

      98304:6a7zpNftkUvrbe0N/Dr09zGVCU2GXDxCcxTmKMTk/C20I4B48Lqa:Z3CUvnnDqzGpF/IlQD0b1n

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

MITRE ATT&CK Enterprise v15

Tasks