Overview

overview

10

Static

static

3

03f891aeb8...18.exe

windows7-x64

10

03f891aeb8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    28/04/2024, 00:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    03f891aeb8fd33cd03997d9bcc61d226

  • SHA1

    bb12d2d8bc7d3e049cdcda106a14090ee040402f

  • SHA256

    04fd4bdd959ef2dbc5b2cfa6bbd3c43ab6efe17f8b7b207674609632366ecaa3

  • SHA512

    86a7d98adc152b936dde1ccf424b006037761a9759d37156bdf9f2e84c8187f8ea06696b2863f812b2c08b4ca9c16af05a3eecf1b23a336056c25d8a23e55cbb

  • SSDEEP

    768:6QRDFK7Eii2bH6euqSQ77Vh1P1BL6C26Ks1QWDC19Q26nfaslZTb:6QRQw72baejLZ31Qd165fXF

Score
10/10
guloaderdownloaderpersistence

Malware Config

Extracted

Family

guloader

C2

https://bngsmartshop.com/frank.bin

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\subfolder1\filename1.exe
        "C:\Users\Admin\subfolder1\filename1.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Users\Admin\subfolder1\filename1.exe
          "C:\Users\Admin\subfolder1\filename1.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:2772

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\subfolder1\filename1.exe
          Filesize

          96KB

          MD5

          03f891aeb8fd33cd03997d9bcc61d226

          SHA1

          bb12d2d8bc7d3e049cdcda106a14090ee040402f

          SHA256

          04fd4bdd959ef2dbc5b2cfa6bbd3c43ab6efe17f8b7b207674609632366ecaa3

          SHA512

          86a7d98adc152b936dde1ccf424b006037761a9759d37156bdf9f2e84c8187f8ea06696b2863f812b2c08b4ca9c16af05a3eecf1b23a336056c25d8a23e55cbb

          Download Submit

        • memory/2452-2-0x00000000003D0000-0x00000000003E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-3-0x0000000077C40000-0x0000000077DE9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2452-7-0x0000000077E30000-0x0000000077F06000-memory.dmp

          Filesize

          856KB

          Download

        • memory/2452-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2608-9-0x0000000077C40000-0x0000000077DE9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2608-8-0x00000000001B0000-0x00000000002B0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2608-11-0x0000000077E30000-0x0000000077F06000-memory.dmp

          Filesize

          856KB

          Download

        • memory/2608-4-0x0000000000400000-0x0000000000553000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2608-21-0x0000000000400000-0x0000000000553000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2772-31-0x00000000001B0000-0x00000000002B0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2796-25-0x0000000077C40000-0x0000000077DE9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2796-24-0x00000000002A0000-0x00000000002B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2796-28-0x00000000002A0000-0x00000000002B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2796-34-0x0000000077E30000-0x0000000077F06000-memory.dmp

          Filesize

          856KB

          Download