Extracted

• • Target

    JaffaCakes118_87472a804db349889006ed49e1d00ef36ae4ec01c2c33dcdb44148468303cad8

  • Size

    4.3MB

  • MD5

    dd430a43241c37ae61c7634db7b30a72

  • SHA1

    f25211b0ee01fa7c32d8c804c9de97782ee3e081

  • SHA256

    87472a804db349889006ed49e1d00ef36ae4ec01c2c33dcdb44148468303cad8

  • SHA512

    ae5de489c0740331bcd3eb2f60683683464a2e6a17671e35cb1e380dbdd7b176ab23e7081ddbd2b68c6518f67b498f735696bc9e3d2a5b0f2024dd08c87cbb06

  • SSDEEP

    98304:fD92FqpfwDj81lii4tWg6yD/F7+CJ0eoxTM30Zico0wq1z:fB2Qpfw/8at5aC2eoxFZicvV

  Score

  10^/10

  gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba family

    glupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  behavioral1behavioral2