guloader | 4f0b841c0625f3b5d2ca401e8c10149bbd42e0fb3c1a9da22ed75704258a3282

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe
Size

180KB
MD5

1ff5c6f01fda5b5abac657c44da7ccda
SHA1

f09db111607f52a9e555f94949002101cef5c820
SHA256

4f0b841c0625f3b5d2ca401e8c10149bbd42e0fb3c1a9da22ed75704258a3282
SHA512

553a3747d0889424e8c5e4d66514bd091a38b7f73834406bf4f2189d9d50458f5d3306b6be8a5c39803a8f6c45bc430b9b6eecc1233c4b110dca0d408a8889f8
SSDEEP

3072:cT5426q3h21svWcznVwfyR8k+DQAYCdOVgHdd2n315jQIoPUaT:cTagvtBwKR81YoMgKDu

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe
2900	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 2900	3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2900	3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2900	3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2900	3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2900	3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2900	3064	1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1ff5c6f01fda5b5abac657c44da7ccda_JaffaCakes118.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2900-7-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2900-9-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2900-10-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3064-2-0x0000000000270000-0x0000000000283000-memory.dmp

Filesize
76KB

Download
memory/3064-3-0x0000000000270000-0x0000000000283000-memory.dmp

Filesize
76KB

Download
memory/3064-4-0x0000000077031000-0x0000000077132000-memory.dmp

Filesize
1.0MB

Download
memory/3064-5-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/3064-6-0x0000000000270000-0x0000000000283000-memory.dmp

Filesize
76KB

Download