Overview

overview

10

Static

static

1

Stateent6_...df.exe

windows7-x64

6

Stateent6_...df.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5d1d04f6981be3d22f4db4c14831ad6e_JaffaCakes118

  • Size

    66KB

  • Sample

    240520-erjmhabf8x

  • MD5

    5d1d04f6981be3d22f4db4c14831ad6e

  • SHA1

    8e9d5a00781b438395a9f491c202df7327709aef

  • SHA256

    b4f06ccc40afc1ae89f9c30b744780b8278f74518ef3e77c97aa0ddba65532dd

  • SHA512

    7356b9adc812b42b2b5dda9f79ab2aa600017dfa74ddbe79394122d368f18c0dcf781009c251e627417af9b18a5b3f65002f1bfb69b2316f6c3a65ddb1b081b1

  • SSDEEP

    1536:sZH5c6NkLZh4qrsp7alamqgpVIsvHNLk1eQ5RJ9JAopO0F+U:srWZh4qrm7alaepVIsRk1eGRZMq+U

Score
10/10
guloaderdownloaderguloaderpersistence

Malware Config

Extracted

Family

guloader

C2

https://onedrive.live.com/download?cid=886791A338196A5D&resid=886791A338196A5D%211899&authkey=AOIrPjbXhW_WZVo

xor.base64

Targets

    • Target

      Stateent6_from_emerat_group.pdf.exe

    • Size

      263KB

    • MD5

      5da57fce93a85e91d68c9d9fe5fa71c8

    • SHA1

      e2dcbfd47f2e6f33bb5a594c789b67a7f0585f3a

    • SHA256

      4f9cda81a57f8eb019f94a2983c56f5f8a50813d332dd3207f33f97fdc55346e

    • SHA512

      f7042e72bc5856b285ffbefc7139665762d313af155b4419ee3b8d7840cca089ad14ad94f5ddc97d0860a7c6f8c5af5e8493b49533c77bc372281b97008020a0

    • SSDEEP

      6144:ip0TLAkzL7r9r/EDppppppppppppppppppppppppppppp0G7:iuTNP7r9r/+pppppppppppppppppppph

    Score
    10/10
    persistenceguloaderdownloaderguloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Guloader payload

      guloader

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks