Analysis Overview
SHA256
22600bf939213458b0c557700031593aaf9fe0c2cd90fc330e29748ec66adb03
Threat Level: Known bad
The file JaffaCakes118_0177c423d33507eb5acfbf6180035561 was found to be: Known bad.
Malicious Activity Summary
Guloader family
Guloader,Cloudeye
Checks QEMU agent file
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-05 23:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-05 23:30
Reported
2025-01-05 23:33
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1992 set thread context of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe"
Network
| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| US | 8.8.8.8:53 | www.gsmcommerce.net | udp | 1 |
| TR | 94.102.1.96:443 | www.gsmcommerce.net | tcp | 264 |
Files
memory/1992-2-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/1992-3-0x0000000076EA1000-0x0000000076FA2000-memory.dmp
memory/1992-4-0x0000000076EA0000-0x0000000077049000-memory.dmp
memory/1992-5-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/1496-6-0x0000000000400000-0x0000000000553000-memory.dmp
memory/1496-9-0x0000000076EA0000-0x0000000077049000-memory.dmp
memory/1992-8-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/1496-10-0x0000000000400000-0x0000000000553000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-05 23:30
Reported
2025-01-05 23:33
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1876 set thread context of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1876 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe |
| PID 1876 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe |
| PID 1876 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe |
| PID 1876 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0177c423d33507eb5acfbf6180035561.exe"
Network
| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | www.gsmcommerce.net | udp | 1 |
| TR | 94.102.1.96:443 | www.gsmcommerce.net | tcp | 1 |
| US | 8.8.8.8:53 | 148.101.18.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 96.1.102.94.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | www.ruchihospitalities.com | udp | 1 |
| US | 162.241.85.38:443 | www.ruchihospitalities.com | tcp | 1 |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp | 1 |
| GB | 88.221.134.89:80 | r11.o.lencr.org | tcp | 1 |
| US | 8.8.8.8:53 | 38.85.241.162.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 89.134.221.88.in-addr.arpa | udp | 1 |
| US | 162.241.85.38:443 | www.ruchihospitalities.com | tcp | 69 |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp | 1 |
| GB | 88.221.134.137:80 | r11.o.lencr.org | tcp | 1 |
| US | 8.8.8.8:53 | 137.134.221.88.in-addr.arpa | udp | 1 |
| US | 162.241.85.38:443 | www.ruchihospitalities.com | tcp | 17 |
Files
memory/1876-2-0x00000000021F0000-0x0000000002206000-memory.dmp
memory/1876-3-0x0000000077501000-0x0000000077621000-memory.dmp
memory/1876-4-0x00000000021F0000-0x0000000002206000-memory.dmp
memory/1876-5-0x0000000077501000-0x0000000077621000-memory.dmp
memory/1876-8-0x00000000021F0000-0x0000000002206000-memory.dmp
memory/4932-9-0x0000000000560000-0x0000000000660000-memory.dmp
memory/4932-6-0x0000000000400000-0x000000000055D000-memory.dmp
memory/4932-10-0x0000000000560000-0x0000000000660000-memory.dmp
memory/4932-11-0x0000000000400000-0x000000000055D000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\39154BC098F8D099CA8351CC7D4C5A31
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\39154BC098F8D099CA8351CC7D4C5A31
| MD5 | e629a80364df86654dca53c49a4f98ae |
| SHA1 | 7926e76f28e2cd1e6bfe6f41ad659da5bed5e4a3 |
| SHA256 | 198a077d54d11b9d79a8361f9334c1195ffb5250bdcaf8cd940f1384bff8f417 |
| SHA512 | 37156029004d091906984df8ff1562f14db00014c1b3437c0ffbc3c7482ec69844facc8ca1905138afa6a24c5b5d981d03981eca866b9d037dcb65e1d803a9c2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\39154BC098F8D099CA8351CC7D4C5A31
| MD5 | c336f7c924aa788bbe67a9439a94d0d4 |
| SHA1 | cb8887e521e967012b5cce91075b245f654cce26 |
| SHA256 | cf4d191e48ac1c59e8bd2f22c9c577110c86de8faeffb197dab3bb44a33f2946 |
| SHA512 | 95ebfaf53e0e96c823f70a26b5ea465c5ed7d151efd770b1b0777a14732692c6a888a896365fcf74437baccf5b1041daff2a0693b70b7127c1255b4014321ce9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\39154BC098F8D099CA8351CC7D4C5A31
| MD5 | be03a882f6128efad98a06e0adbd34bd |
| SHA1 | dda795e9e096ceefa09277c069ebda3bd160a721 |
| SHA256 | 960097c45c628d5f2cdf560c3ec57910ad6ac4519f7cb567cac40521f7f4189c |
| SHA512 | e4e6afadcccc09691a38b109e233ac34970a349f53683d7a7b94b055e2808ad54a93577afef7145c2c1eb6167a3a2f582f9f66d13dbd584a7150e4cbb39856f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\39154BC098F8D099CA8351CC7D4C5A31
| MD5 | 8f2965b4492e6634d63bc5c17fcfd8e0 |
| SHA1 | cf095d72af02f3441d583b4e7dd9759f579b8fd3 |
| SHA256 | 8c6ffd9af00e505de278bafe8017cd01553cc0d40984ccac25f4e6f09f16977a |
| SHA512 | 6c2135e8a0e99b7e1c5dd8ff88f1710592c44f064314fdda3896fbee677d554fea28b25fde8287b0214d11a6ca585d9415bfc538ae4e147612fccd276cecdb78 |