guloader | 230e0f29f18d2af16d1e4e79af80b32f2f400761bc578f02addf9e313ccbcd8c

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

751414880f93e6d9d8995cd7359ed197_JaffaCakes118.exe
Size

112KB
MD5

751414880f93e6d9d8995cd7359ed197
SHA1

1298a2d8d9c1c926ea8986b37440a97d4ca4732f
SHA256

230e0f29f18d2af16d1e4e79af80b32f2f400761bc578f02addf9e313ccbcd8c
SHA512

a271cf407d99fb37703cebde4d804a4cdbe7eba4d3b9b7447eca29dbcd3df25754a846378660dc33f9aef1479647e1f143ddcd49de2dc39ced5e266f185889e5
SSDEEP

1536:JdEA/0tfCxl6IWBkpCm1JY5DmDdg9jeOC+zeO4d:Jd//yCpNy5DmDO9jeOC+zeO4d

Score

10^/10

guloader discovery downloader

Malware Config

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=1MLCjjDez6CHX_73RaJptihCCRAt7lMyi

https://hzz1.at/rochaspa_HKRuWeae151.bin

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	751414880f93e6d9d8995cd7359ed197_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	751414880f93e6d9d8995cd7359ed197_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\751414880f93e6d9d8995cd7359ed197_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\751414880f93e6d9d8995cd7359ed197_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2412-3-0x0000000077AC1000-0x0000000077BC2000-memory.dmp

Filesize
1.0MB

Download
memory/2412-2-0x0000000000330000-0x000000000033B000-memory.dmp

Filesize
44KB

Download