guloader | b31f4aeb39edab45b99780aebf98451f2b9a045bb42814d2f0b3458ff2a3995d

General

Target

418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
Size

104KB
MD5

418a345985b3014859baebf1fb029ae8
SHA1

0eb5e89db92c78699f15d66c6adbedf52225c3c2
SHA256

b31f4aeb39edab45b99780aebf98451f2b9a045bb42814d2f0b3458ff2a3995d
SHA512

aea4ada28c2392728b18e269698e8b5e6ede1fb4a413e287cc0b17dd315a978f5e5cc9ab3402e734af207eb15ac0af4025849b5d930b1c78e54b00396a3c6f4b
SSDEEP

768:qY0Kk0AP0UM/ikfJ+1bmamD+OlQncbNyywqx2grUX7TUi:X1AP017B+1bP+jQqUqnrFi

Score

10^/10

guloader downloader persistence

Malware Config

Extracted

Family

guloader

C2

http://rudraagrointernational.com/cgi-bins/bin/98kksjh.bin

http://cassiagumrefined.com/css/animates/bin/98kksjh.bin

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 1 IoCs

pid	Process
2596	office365.exe

Loads dropped DLL 4 IoCs

pid	Process
2904	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
2904	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
2596	office365.exe
2524	office365.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\crome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sub\\office365.vbs"	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\crome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sub\\office365.vbs"	office365.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
2904	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
2596	office365.exe
2524	office365.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 2904	1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	30
PID 2596 set thread context of 2524	2596	office365.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
2596	office365.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
2596	office365.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2904	1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2904	1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2904	1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2904	1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2904	1736	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2596	2904	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2596	2904	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2596	2904	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	31
PID 2904 wrote to memory of 2596	2904	418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2524	2596	office365.exe	32
PID 2596 wrote to memory of 2524	2596	office365.exe	32
PID 2596 wrote to memory of 2524	2596	office365.exe	32
PID 2596 wrote to memory of 2524	2596	office365.exe	32
PID 2596 wrote to memory of 2524	2596	office365.exe	32

C:\Users\Admin\AppData\Local\Temp\418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\418a345985b3014859baebf1fb029ae8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\sub\office365.exe
    "C:\Users\Admin\AppData\Local\Temp\sub\office365.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\sub\office365.exe
      "C:\Users\Admin\AppData\Local\Temp\sub\office365.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sub\office365.exe

Filesize
104KB

MD5
418a345985b3014859baebf1fb029ae8

SHA1
0eb5e89db92c78699f15d66c6adbedf52225c3c2

SHA256
b31f4aeb39edab45b99780aebf98451f2b9a045bb42814d2f0b3458ff2a3995d

SHA512
aea4ada28c2392728b18e269698e8b5e6ede1fb4a413e287cc0b17dd315a978f5e5cc9ab3402e734af207eb15ac0af4025849b5d930b1c78e54b00396a3c6f4b

Download Submit
memory/1736-2-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1736-3-0x0000000077501000-0x0000000077602000-memory.dmp

Filesize
1.0MB

Download
memory/1736-6-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1736-7-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/1736-22-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/2524-29-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/2596-23-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/2904-8-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/2904-4-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2904-19-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads