General

  • Target

    JaffaCakes118_2a1d1d328b63ae957c6694ffd5c090ab7fc2c776e640d7ab15c6963b7959da43

  • Size

    4.1MB

  • Sample

    241230-xplm7atpek

  • MD5

    c2a449136bca877644cd20ebe17a20f6

  • SHA1

    15a3c7e4e8c18687a394e88847c1068cb33cd6d8

  • SHA256

    2a1d1d328b63ae957c6694ffd5c090ab7fc2c776e640d7ab15c6963b7959da43

  • SHA512

    02a344f78fa01643b24690a5f237617b34e1d681f0faddb0023a98ab7e3db88b4462535044a16e671402700f43a075f2d5d4663bfbaa5d94af618f48229d1bb9

  • SSDEEP

    98304:ivkWGAjgnQMWAUDdKZRLg13geyT4YicLMwZPxtdBCQH9n:eGUgQP5DdKZiCf0Y/MQZtdBj

Targets

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.
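The signatures above describe what the sample did inside the sandbox; the natural follow-up is checking whether a real host carries the same artifact classes. The script below is an added host-triage example, not part of the sandbox report and not Glupteba's own code. It assumes the driver/service names `WinMon` and `WinMonFS` (taken from the signature names), and the BCD flags it looks for, the 7-day Drivers-directory window, and the firewall-rule heuristic are the author's own choices rather than values the report states.

```powershell
# Added host-triage script (not from the sandbox report, not Glupteba's code).
# Checks a Windows host for the artifact classes listed in the signatures:
# BCD changes, dropped drivers, rootkit driver services, firewall rules, Run keys.
# Assumptions: service/driver names WinMon and WinMonFS come from the signature
# names; the BCD flags, 7-day window and firewall heuristic are the author's.
# Run from an elevated PowerShell prompt.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Boot configuration. Loading an unsigned kernel driver normally needs one
#    of these flags, so any of them set on a production host needs an explanation.
$bcd = & bcdedit /enum '{current}' 2>$null
foreach ($flag in 'testsigning', 'nointegritychecks', 'disableelamdrivers') {
    if ($bcd | Where-Object { $_ -match "^\s*$flag\s+Yes" }) {
        $findings.Add("BCD: $flag is enabled")
    }
}

# 2. Drivers directory: recently written files, plus anything carrying the
#    WinMon/WinMonFS name, with their Authenticode status.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
Get-ChildItem -Path $driversDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) -or $_.Name -match 'winmon' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings.Add("Driver file: $($_.Name) written $($_.LastWriteTime) signature=$($sig.Status)")
    }

# 3. Kernel driver services. Both the service control manager view and the raw
#    registry key are checked; a stopped or deleted driver may survive only as a key.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match '^winmon(fs)?$' -or $_.PathName -match 'winmon' } |
    ForEach-Object { $findings.Add("Driver service: $($_.Name) state=$($_.State) path=$($_.PathName)") }

foreach ($svc in 'WinMon', 'WinMonFS') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("Service key: $key ImagePath=$image")
    }
}

# 4. Firewall: enabled inbound allow rules whose program lives outside the
#    Windows and Program Files trees (heuristic for rules a dropper added).
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $program = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($program -and $program -ne 'Any') {
            $expanded = [Environment]::ExpandEnvironmentVariables($program)
            if (-not ($trusted | Where-Object { $expanded -like "$_*" })) {
                $findings.Add("Firewall rule: '$($_.DisplayName)' allows $expanded")
            }
        }
    }

# 5. Run keys (machine-wide and current user).
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $findings.Add("Run key: $key\$($_.Name) = $($_.Value)") }
    }
}

# 6. Confirm a suspect file is this exact sample before spending analysis time on it.
function Test-ReportedSample {
    param([Parameter(Mandatory)][string]$Path)
    $reported = '2a1d1d328b63ae957c6694ffd5c090ab7fc2c776e640d7ab15c6963b7959da43'  # SHA256 from the report
    return (Get-FileHash -Path $Path -Algorithm SHA256).Hash -ieq $reported
}

if ($findings.Count -eq 0) { 'No matching artifacts found.' } else { $findings }
```

The checks are deliberately broad (any recent driver, any Run entry) because the report names behaviour classes rather than file names; treat each line of output as a lead to examine, not a verdict. `Test-ReportedSample` compares only the SHA256, which is enough to confirm or rule out this specific file; use the SSDEEP value above if you need to find near-variants.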

MITRE ATT&CK Enterprise v15

Tasks