Extracted

• • Target

    JaffaCakes118_600ed74dfaa58d87a357b38a4ea5f4a15207802597950b065910e367eb9cad10

  • Size

    4.3MB

  • MD5

    cfe223cd0b38172afb5fbc07f716bf95

  • SHA1

    09fafcccd50700cebdc610b1805ffa234b2e26ae

  • SHA256

    600ed74dfaa58d87a357b38a4ea5f4a15207802597950b065910e367eb9cad10

  • SHA512

    8321b81e03bc9004a0338722ead30c3d65a19c10bbd2f673ffae1960d1f9d2fb2665d0fb654fbb927c29c7b56ee3829cd72a36b6a42ce67079626ec1bf03292b

  • SSDEEP

    98304:293cSuc+vqnFCgtykvxp2Z0XAB+5c1rRAYlkSIHyArtxV4G1h5PO1:sspc+Qtxp2ZAm+5cd2YD4RxVbtc

  Score

  10^/10

  gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba family

    glupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  behavioral1behavioral2