guloader | aa4b6310c2dbd466a089cd9a7a414a50c3124f70c763fc0d1cb7c922e29c3890

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe
Size

60KB
MD5

9ac0724cd20d2574580f0bf06b8aea75
SHA1

5e2088c4bdae79d584f5478782337701a8467cda
SHA256

aa4b6310c2dbd466a089cd9a7a414a50c3124f70c763fc0d1cb7c922e29c3890
SHA512

1e43b5a267c6bcfbe7493ccdf9b5493126bdbeb6bb049e7c020fa51aa829be08d6ab686aa51a47bb239c0b25c088fa38dea9cd9f2d93d65b9e02155d98d62da4
SSDEEP

768:/HV30jqxr5ScACZXpzsXUKY5l02d1zButV2:/13eqxlFAatOwR7

Score

10^/10

guloader downloader guloader persistence

Malware Config

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=1Q0Ltq2Kw5sxwS2JWRYNfsyrv58mrj4ks

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader payload 2 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/2136-2-0x0000000002270000-0x000000000227A000-memory.dmp	family_guloader
behavioral2/memory/4540-4-0x0000000000D10000-0x0000000000E10000-memory.dmp	family_guloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FESTSALENERET = "C:\\Users\\Admin\\paaklistrede\\MOTORBA.exe"	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

19 drive.google.com
20 drive.google.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exeRegAsm.exe

pid process

2136 9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe
4540 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe

description pid process target process

PID 2136 set thread context of 4540 2136 9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe RegAsm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe

pid process

2136 9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe

pid process

2136 9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe

flow	ioc
19	drive.google.com
20	drive.google.com

pid	process
2136	9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe
4540	RegAsm.exe

description	pid	process	target process
PID 2136 set thread context of 4540	2136	9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe	RegAsm.exe

pid	process
2136	9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe

pid	process
2136	9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe

description	pid	process	target process
PID 2136 wrote to memory of 4540	2136	9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe	RegAsm.exe
PID 2136 wrote to memory of 4540	2136	9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe	RegAsm.exe
PID 2136 wrote to memory of 4540	2136	9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe	RegAsm.exe
PID 2136 wrote to memory of 4540	2136	9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\9ac0724cd20d2574580f0bf06b8aea75_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-2-0x0000000002270000-0x000000000227A000-memory.dmp

Filesize
40KB

Download
memory/2136-3-0x0000000077861000-0x0000000077981000-memory.dmp

Filesize
1.1MB

Download
memory/2136-16-0x0000000002270000-0x000000000227A000-memory.dmp

Filesize
40KB

Download
memory/2136-17-0x0000000002270000-0x000000000227A000-memory.dmp

Filesize
40KB

Download
memory/4540-4-0x0000000000D10000-0x0000000000E10000-memory.dmp

Filesize
1024KB

Download
memory/4540-5-0x0000000077861000-0x0000000077981000-memory.dmp

Filesize
1.1MB

Download