guloader | be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a

General

Target

4cea5d8cb3e0a17e942812e31667120a_JaffaCakes118.msi
Size

124KB
MD5

4cea5d8cb3e0a17e942812e31667120a
SHA1

c526373cc21495053cdf3ff735f10e4f031659b7
SHA256

be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a
SHA512

1eed5b3fa630ca2e4998e5eae400cab82a2e65005107f9bae0ae04a7ed7b32373ffaaf486578acca13bf74c38193e62fbb51da381555fec8d45c10a40cc962f7
SSDEEP

1536:LEuul/7WYt61BPnueWzlCd46+Ml3ybnWbHPs:LEu4/7Rt61BPue4+46+s5HE

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSI2FC9.tmpMSI2FC9.tmp

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	MSI2FC9.tmp
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	MSI2FC9.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSI2FC9.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PANTOPTEROUS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AGONIED\\KLUMSEDE.vbs"	MSI2FC9.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MSI2FC9.tmpMSI2FC9.tmp

pid process

3036 MSI2FC9.tmp
1208 MSI2FC9.tmp
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSI2FC9.tmp

description pid process target process

PID 3036 set thread context of 1208 3036 MSI2FC9.tmp MSI2FC9.tmp

pid	process
3036	MSI2FC9.tmp
1208	MSI2FC9.tmp

description	pid	process	target process
PID 3036 set thread context of 1208	3036	MSI2FC9.tmp	MSI2FC9.tmp

Drops file in Windows directory 10 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f762edd.msi	msiexec.exe
File created	C:\Windows\Installer\f762ee0.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f762edd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f762ee0.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI2FC9.tmp

pid process

3036 MSI2FC9.tmp
Loads dropped DLL 1 IoCs

Processes:

MSI2FC9.tmp

pid process

1208 MSI2FC9.tmp

pid	process
3036	MSI2FC9.tmp

pid	process
1208	MSI2FC9.tmp

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1632 msiexec.exe
1632 msiexec.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MSI2FC9.tmp

pid process

3036 MSI2FC9.tmp

pid	process
1632	msiexec.exe
1632	msiexec.exe

pid	process
3036	MSI2FC9.tmp

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	1724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeTakeOwnershipPrivilege	1632	msiexec.exe
Token: SeSecurityPrivilege	1632	msiexec.exe
Token: SeCreateTokenPrivilege	1724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1724	msiexec.exe
Token: SeLockMemoryPrivilege	1724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1724	msiexec.exe
Token: SeMachineAccountPrivilege	1724	msiexec.exe
Token: SeTcbPrivilege	1724	msiexec.exe
Token: SeSecurityPrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeLoadDriverPrivilege	1724	msiexec.exe
Token: SeSystemProfilePrivilege	1724	msiexec.exe
Token: SeSystemtimePrivilege	1724	msiexec.exe
Token: SeProfSingleProcessPrivilege	1724	msiexec.exe
Token: SeIncBasePriorityPrivilege	1724	msiexec.exe
Token: SeCreatePagefilePrivilege	1724	msiexec.exe
Token: SeCreatePermanentPrivilege	1724	msiexec.exe
Token: SeBackupPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeShutdownPrivilege	1724	msiexec.exe
Token: SeDebugPrivilege	1724	msiexec.exe
Token: SeAuditPrivilege	1724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1724	msiexec.exe
Token: SeChangeNotifyPrivilege	1724	msiexec.exe
Token: SeRemoteShutdownPrivilege	1724	msiexec.exe
Token: SeUndockPrivilege	1724	msiexec.exe
Token: SeSyncAgentPrivilege	1724	msiexec.exe
Token: SeEnableDelegationPrivilege	1724	msiexec.exe
Token: SeManageVolumePrivilege	1724	msiexec.exe
Token: SeImpersonatePrivilege	1724	msiexec.exe
Token: SeCreateGlobalPrivilege	1724	msiexec.exe
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe
Token: SeBackupPrivilege	1632	msiexec.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeRestorePrivilege	2672	DrvInst.exe
Token: SeRestorePrivilege	2672	DrvInst.exe
Token: SeRestorePrivilege	2672	DrvInst.exe
Token: SeRestorePrivilege	2672	DrvInst.exe
Token: SeRestorePrivilege	2672	DrvInst.exe
Token: SeRestorePrivilege	2672	DrvInst.exe
Token: SeRestorePrivilege	2672	DrvInst.exe
Token: SeLoadDriverPrivilege	2672	DrvInst.exe
Token: SeLoadDriverPrivilege	2672	DrvInst.exe
Token: SeLoadDriverPrivilege	2672	DrvInst.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeTakeOwnershipPrivilege	1632	msiexec.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeTakeOwnershipPrivilege	1632	msiexec.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeTakeOwnershipPrivilege	1632	msiexec.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeTakeOwnershipPrivilege	1632	msiexec.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeTakeOwnershipPrivilege	1632	msiexec.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeTakeOwnershipPrivilege	1632	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1724 msiexec.exe
1724 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSI2FC9.tmp

pid process

3036 MSI2FC9.tmp

pid	process
1724	msiexec.exe
1724	msiexec.exe

pid	process
3036	MSI2FC9.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

msiexec.exeMSI2FC9.tmp

description	pid	process	target process
PID 1632 wrote to memory of 3036	1632	msiexec.exe	MSI2FC9.tmp
PID 1632 wrote to memory of 3036	1632	msiexec.exe	MSI2FC9.tmp
PID 1632 wrote to memory of 3036	1632	msiexec.exe	MSI2FC9.tmp
PID 1632 wrote to memory of 3036	1632	msiexec.exe	MSI2FC9.tmp
PID 3036 wrote to memory of 1208	3036	MSI2FC9.tmp	MSI2FC9.tmp
PID 3036 wrote to memory of 1208	3036	MSI2FC9.tmp	MSI2FC9.tmp
PID 3036 wrote to memory of 1208	3036	MSI2FC9.tmp	MSI2FC9.tmp
PID 3036 wrote to memory of 1208	3036	MSI2FC9.tmp	MSI2FC9.tmp
PID 3036 wrote to memory of 1208	3036	MSI2FC9.tmp	MSI2FC9.tmp

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4cea5d8cb3e0a17e942812e31667120a_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1724

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\Installer\MSI2FC9.tmp
"C:\Windows\Installer\MSI2FC9.tmp"
2⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\Installer\MSI2FC9.tmp
"C:\Windows\Installer\MSI2FC9.tmp"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Loads dropped DLL
PID:1208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000054C" "00000000000002B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f762ee1.rbs
Filesize
663B

MD5
c4dc8a3c96c8609147ed812b1685e516

SHA1
92f5759ea7bca5a72aefcb38e13bb4234bcf2a2a

SHA256
c903f55d4a48dcfe87221613b17f37ce45b9d4563e982d2198870edba24a789d

SHA512
f46a278778a1a4d17a9e24d077f432c2915a13aa3da6f896da1be8ac0ce59392a2b4917972f0b9ad3d1b807cf75dbb28aeaf2e71f25a51f9a9223fb114b570d6

Download Submit
C:\Windows\Installer\MSI2FC9.tmp
Filesize
100KB

MD5
9c0f4f8b74d0c49c28997dcc175897c9

SHA1
56aedf510fe21edf7f5deb00b210e50f54f44443

SHA256
9fd8a479a9f54341cfea3c2906cbc779c8623a288708ac00e21a486f325e3934

SHA512
c2ff13b0737904fc97fdd57a17f9d4885776a5c07d1c3a884292e7143df2966397e4f4820a39450c950b2e3c68fdf2799091357fa9f129ef196e962f4c5e8ba3

Download Submit
memory/1208-20-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1208-23-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/1208-34-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/1208-35-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1208-38-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1208-40-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/3036-15-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/3036-16-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/3036-17-0x00000000772B0000-0x0000000077386000-memory.dmp

Filesize
856KB

Download
memory/3036-21-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads