guloader | 3c33e6937e13636c74f6af17483efa0ce5985fa4cf24fa3b67aab656bd3d14a8

Analysis

max time kernel
132s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 07:03

Target

23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe
Size

68KB
MD5

23bbcf4afa025004fe089a67cf444068
SHA1

52f5b7911b81e7642a3ca57a82da9985b8651b96
SHA256

3c33e6937e13636c74f6af17483efa0ce5985fa4cf24fa3b67aab656bd3d14a8
SHA512

29a88f3181f65ee13fa2a6ec87a16558df9449f9f95c51d078c9b09416e389db30e19588aad0e69642ad3071a25b16f4da56a246a1a6b1a47e0eb222904481b8
SSDEEP

1536:zrTK7c6PAk8EJPPPPXMCiq1MU5BPWQjo4iktl:zSPjJPPPPXUNM1WN4P

Score

10^/10

Family

guloader

https://onedrive.live.com/download?cid=6BE8F132430D55A2&resid=6BE8F132430D55A2%21128&authkey=AB-gr2sRaVtcAns

xor.base64

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4244	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe
4348	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 4348	4244	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe	89

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4244	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4244	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4348	4244	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe	89
PID 4244 wrote to memory of 4348	4244	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe	89
PID 4244 wrote to memory of 4348	4244	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe	89
PID 4244 wrote to memory of 4348	4244	23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\23bbcf4afa025004fe089a67cf444068_JaffaCakes118.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4348

memory/4244-2-0x0000000002130000-0x0000000002139000-memory.dmp

Filesize
36KB

Download
memory/4244-5-0x0000000076E81000-0x0000000076FA1000-memory.dmp

Filesize
1.1MB

Download
memory/4244-6-0x0000000002130000-0x0000000002139000-memory.dmp

Filesize
36KB

Download
memory/4348-8-0x0000000076E81000-0x0000000076FA1000-memory.dmp

Filesize
1.1MB

Download
memory/4348-7-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/4348-3-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download