guloader | 22600bf939213458b0c557700031593aaf9fe0c2cd90fc330e29748ec66adb03

General

Target

JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
Size

136KB
MD5

0177c423d33507eb5acfbf6180035561
SHA1

fe00bc95807fcc0ab3eebec288e3c35934de1f46
SHA256

22600bf939213458b0c557700031593aaf9fe0c2cd90fc330e29748ec66adb03
SHA512

389d20c2446f0d1e3c3d1f01f372453c02a7e165ef8ba835ea91e5df4550b32102a44ce88cad442e11f347f8825068dd1aab0cae0f408bf6daf654f893597d1d
SSDEEP

1536:7uQk9P70nl81EqOrI0goTQJ6ww7koXXyqqGphcZvnw2:i9D+81EDmAQVwIoYnhnH

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1876	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
4932	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 4932	1876	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe	95

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1876	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1876	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4932	1876	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe	95
PID 1876 wrote to memory of 4932	1876	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe	95
PID 1876 wrote to memory of 4932	1876	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe	95
PID 1876 wrote to memory of 4932	1876	JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\39154BC098F8D099CA8351CC7D4C5A31

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\39154BC098F8D099CA8351CC7D4C5A31

Filesize
420B

MD5
be03a882f6128efad98a06e0adbd34bd

SHA1
dda795e9e096ceefa09277c069ebda3bd160a721

SHA256
960097c45c628d5f2cdf560c3ec57910ad6ac4519f7cb567cac40521f7f4189c

SHA512
e4e6afadcccc09691a38b109e233ac34970a349f53683d7a7b94b055e2808ad54a93577afef7145c2c1eb6167a3a2f582f9f66d13dbd584a7150e4cbb39856f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\39154BC098F8D099CA8351CC7D4C5A31

Filesize
420B

MD5
e629a80364df86654dca53c49a4f98ae

SHA1
7926e76f28e2cd1e6bfe6f41ad659da5bed5e4a3

SHA256
198a077d54d11b9d79a8361f9334c1195ffb5250bdcaf8cd940f1384bff8f417

SHA512
37156029004d091906984df8ff1562f14db00014c1b3437c0ffbc3c7482ec69844facc8ca1905138afa6a24c5b5d981d03981eca866b9d037dcb65e1d803a9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\39154BC098F8D099CA8351CC7D4C5A31

Filesize
420B

MD5
8f2965b4492e6634d63bc5c17fcfd8e0

SHA1
cf095d72af02f3441d583b4e7dd9759f579b8fd3

SHA256
8c6ffd9af00e505de278bafe8017cd01553cc0d40984ccac25f4e6f09f16977a

SHA512
6c2135e8a0e99b7e1c5dd8ff88f1710592c44f064314fdda3896fbee677d554fea28b25fde8287b0214d11a6ca585d9415bfc538ae4e147612fccd276cecdb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\39154BC098F8D099CA8351CC7D4C5A31

Filesize
420B

MD5
c336f7c924aa788bbe67a9439a94d0d4

SHA1
cb8887e521e967012b5cce91075b245f654cce26

SHA256
cf4d191e48ac1c59e8bd2f22c9c577110c86de8faeffb197dab3bb44a33f2946

SHA512
95ebfaf53e0e96c823f70a26b5ea465c5ed7d151efd770b1b0777a14732692c6a888a896365fcf74437baccf5b1041daff2a0693b70b7127c1255b4014321ce9

Download Submit
memory/1876-5-0x0000000077501000-0x0000000077621000-memory.dmp

Filesize
1.1MB

Download
memory/1876-8-0x00000000021F0000-0x0000000002206000-memory.dmp

Filesize
88KB

Download
memory/1876-2-0x00000000021F0000-0x0000000002206000-memory.dmp

Filesize
88KB

Download
memory/1876-4-0x00000000021F0000-0x0000000002206000-memory.dmp

Filesize
88KB

Download
memory/1876-3-0x0000000077501000-0x0000000077621000-memory.dmp

Filesize
1.1MB

Download
memory/4932-6-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4932-10-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/4932-11-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4932-9-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing