Overview

overview

10

Static

static

3

03f891aeb8...18.exe

windows7-x64

10

03f891aeb8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/04/2024, 00:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    03f891aeb8fd33cd03997d9bcc61d226

  • SHA1

    bb12d2d8bc7d3e049cdcda106a14090ee040402f

  • SHA256

    04fd4bdd959ef2dbc5b2cfa6bbd3c43ab6efe17f8b7b207674609632366ecaa3

  • SHA512

    86a7d98adc152b936dde1ccf424b006037761a9759d37156bdf9f2e84c8187f8ea06696b2863f812b2c08b4ca9c16af05a3eecf1b23a336056c25d8a23e55cbb

  • SSDEEP

    768:6QRDFK7Eii2bH6euqSQ77Vh1P1BL6C26Ks1QWDC19Q26nfaslZTb:6QRQw72baejLZ31Qd165fXF

Score
10/10
guloaderdownloaderpersistence

Malware Config

Extracted

Family

guloader

C2

https://bngsmartshop.com/frank.bin

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Users\Admin\AppData\Local\Temp\03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\03f891aeb8fd33cd03997d9bcc61d226_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Users\Admin\subfolder1\filename1.exe
        "C:\Users\Admin\subfolder1\filename1.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Users\Admin\subfolder1\filename1.exe
          "C:\Users\Admin\subfolder1\filename1.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:3088

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\subfolder1\filename1.exe
          Filesize

          96KB

          MD5

          03f891aeb8fd33cd03997d9bcc61d226

          SHA1

          bb12d2d8bc7d3e049cdcda106a14090ee040402f

          SHA256

          04fd4bdd959ef2dbc5b2cfa6bbd3c43ab6efe17f8b7b207674609632366ecaa3

          SHA512

          86a7d98adc152b936dde1ccf424b006037761a9759d37156bdf9f2e84c8187f8ea06696b2863f812b2c08b4ca9c16af05a3eecf1b23a336056c25d8a23e55cbb

          Download Submit

        • memory/932-2-0x00000000020F0000-0x0000000002100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/932-5-0x0000000077961000-0x0000000077A81000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/932-7-0x00000000020F0000-0x0000000002100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2052-23-0x0000000002110000-0x0000000002120000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2052-27-0x0000000002110000-0x0000000002120000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3088-28-0x0000000000560000-0x0000000000660000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4012-4-0x0000000000400000-0x000000000055D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4012-6-0x0000000000560000-0x0000000000660000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4012-9-0x0000000077961000-0x0000000077A81000-memory.dmp

          Filesize

          1.1MB

          Download