guloader | 0191694f67cd2a399086c7681c270ac3bd72f67180f42e278c36e33612ea789c | Triage

Submit
Reports

Overview

overview

Static

static

3

99dd3cc7c8...18.exe

windows7-x64

6

99dd3cc7c8...18.exe

windows10-2004-x64

Sharing

General

Target

99dd3cc7c892b5f9ab08f1f32d24ceb1_JaffaCakes118
Size

364KB
Sample

240606-dtpqvsgd26
MD5

99dd3cc7c892b5f9ab08f1f32d24ceb1
SHA1

617dbe7a9ca971ab12bc47617b620439c2c4bb8a
SHA256

0191694f67cd2a399086c7681c270ac3bd72f67180f42e278c36e33612ea789c
SHA512

ec66eb1d8082328ce6661aa7f837ca3da9362f0882c5499641c5f72d772161645afe4b5bf7a3b344ccd1f30777dad3b85d81b54d9b487e624102a7cf0abd1ab3
SSDEEP

3072:5SBlIbRbYAR5PyVbjs2pymtaZt3zkKMAD/EfXg0mqS3Fdc7NK1JFNeRFFtJssA:5SBwRbYA/n2pj8Z7FjAw0258Hnss

Score

10^/10

guloader downloader guloader persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

99dd3cc7c892b5f9ab08f1f32d24ceb1_JaffaCakes118.exe

Resource

win7-20240221-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

99dd3cc7c892b5f9ab08f1f32d24ceb1_JaffaCakes118.exe

Resource

win10v2004-20240508-en

guloader downloader guloader persistence

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1UnM5e0QivRQySIMs6YSxkUO014pasY9Y

xor.base64

Targets

- Target
  
  99dd3cc7c892b5f9ab08f1f32d24ceb1_JaffaCakes118
- Size
  
  364KB
- MD5
  
  99dd3cc7c892b5f9ab08f1f32d24ceb1
- SHA1
  
  617dbe7a9ca971ab12bc47617b620439c2c4bb8a
- SHA256
  
  0191694f67cd2a399086c7681c270ac3bd72f67180f42e278c36e33612ea789c
- SHA512
  
  ec66eb1d8082328ce6661aa7f837ca3da9362f0882c5499641c5f72d772161645afe4b5bf7a3b344ccd1f30777dad3b85d81b54d9b487e624102a7cf0abd1ab3
- SSDEEP
  
  3072:5SBlIbRbYAR5PyVbjs2pymtaZt3zkKMAD/EfXg0mqS3Fdc7NK1JFNeRFFtJssA:5SBwRbYA/n2pj8Z7FjAw0258Hnss
Score

10^/10

persistence guloader downloader guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Guloader payload
  guloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

guloaderdownloaderguloaderpersistence

© 2018-2024

Terms | Privacy