guloader | 3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40 | Triage

Sharing

General

Target

JaffaCakes118_3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40
Size

91KB
Sample

241229-f1gd6stmek
MD5

151e6b10a9fc5d46ef2fe47db9341299
SHA1

d45038f32b1c203004eb68dbcccb292329707314
SHA256

3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40
SHA512

079660de624f04ce8d33c846e03f79c333adb038f0aacd3a22622d758fbb82ac7d50a6a6d09dfa52b8ce45b29863379b1c846525cdb1bec42edc06f668ed3382
SSDEEP

1536:6i/+uE7ixfTxj7/agTmpC5+MkpMBoCROhmIKyjr18mYFmSbm7wYsdtcwGLZXnzcP:vGB7ilT1/hoFpcRIKyP18mEbwaVihnzG

Score

10^/10

guloader defense_evasion discovery downloader persistence

Malware Config

Targets

- Target
  
  JaffaCakes118_3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40
- Size
  
  91KB
- MD5
  
  151e6b10a9fc5d46ef2fe47db9341299
- SHA1
  
  d45038f32b1c203004eb68dbcccb292329707314
- SHA256
  
  3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40
- SHA512
  
  079660de624f04ce8d33c846e03f79c333adb038f0aacd3a22622d758fbb82ac7d50a6a6d09dfa52b8ce45b29863379b1c846525cdb1bec42edc06f668ed3382
- SSDEEP
  
  1536:6i/+uE7ixfTxj7/agTmpC5+MkpMBoCROhmIKyjr18mYFmSbm7wYsdtcwGLZXnzcP:vGB7ilT1/hoFpcRIKyP18mEbwaVihnzG
Score

10^/10

guloader defense_evasion discovery downloader persistence
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdefense_evasiondiscoverydownloaderpersistence

behavioral2

guloaderdefense_evasiondiscoverydownloaderpersistence