Malware Analysis Report

2025-04-03 14:29

Sample ID 240930-c8henaybkg
Target ffcbc73f372e91fc6ea51b6e3f4605f5_JaffaCakes118
SHA256 c56e3b354b7cce95f09d642c243ee9851b314028683f3c0e2fa0ce1c8a929bb8
Tags
guloader discovery downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c56e3b354b7cce95f09d642c243ee9851b314028683f3c0e2fa0ce1c8a929bb8

Threat Level: Known bad

The file ffcbc73f372e91fc6ea51b6e3f4605f5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

guloader discovery downloader

Guloader,Cloudeye

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-30 02:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-30 02:44

Reported

2024-09-30 02:47

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe"

Signatures

Guloader,Cloudeye

downloader guloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe

"C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe"

Network

N/A

Files

memory/800-2-0x0000000000350000-0x000000000035B000-memory.dmp

memory/800-3-0x0000000077531000-0x0000000077632000-memory.dmp

memory/800-4-0x0000000000350000-0x000000000035B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-30 02:44

Reported

2024-09-30 02:47

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe"

Signatures

Guloader,Cloudeye

downloader guloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe

"C:\Users\Admin\AppData\Local\Temp\Product Specification.jpg.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1180-2-0x0000000002350000-0x000000000235B000-memory.dmp

memory/1180-3-0x0000000002350000-0x000000000235B000-memory.dmp