mrw01f@home:~$

GuLoader Malware Analysis

Stage 1

0e199bb09bb2df831e4f6601c655d65af17cbed66a79b57d58e9020dd480929d

The sample is a PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive (NSIS scriptable installer). Because an NSIS installer is a self-extracting archive, it can also be opened as a zip file.

Opening the installer as a zip archive lets us see the files it will install.

Inside we find these files:

  • DHL 007948860.xlsx.exe
    • $PLUGINSDIR
      • System.dll (PE32 executable (DLL) (GUI) Intel 80386, for MS Windows)
    • ‘aaaa - Wall.jpg’ (JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: “CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 95”, baseline, precision 8, 1920x1080, frames 3)
    • Bituminous.for (data)
    • go-previous-symbolic-rtl.svg (SVG Scalable Vector Graphics image)
    • thunderbolt-acquiring-symbolic.svg (SVG Scalable Vector Graphics image)

System.dll is the executable DLL that carries Stage 2 (analysed below).

On execution, the main executable performs anti-analysis checks: it calls GetTickCount (a timing-based anti-debugging check) and queries system components to determine whether it is running inside a virtual machine.

The main executable extracts its contents into the directory C:\Users\REM\AppData\Roaming\Microsoft\Windows\Start Menu\Slutlinienummer\rynke\craftworker and then calls SetCurrentDirectory on it:

0040163D     | FF 75 08              | push dword ptr ss:[ebp+8]             | [ebp+8]:L"C:\\Users\\REM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Slutlinienummer\\rynke\\craftworker"
00401640     | 68 00 60 43 00        | push dhl 007948860.xlsx.436000        |
00401645     | E8 02 4C 00 00        | call dhl 007948860.xlsx.40624C        |
0040164A     | FF 75 08              | push dword ptr ss:[ebp+8]             | [ebp+8]:L"C:\\Users\\REM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Slutlinienummer\\rynke\\craftworker"
0040164D     | FF 15 90 80 40 00     | call dword ptr ds:[<&SetCurrentDirect |
00401653     | 85 C0                 | test eax,eax                          |
00401655     | 0F 85 64 14 00 00     | jne dhl 007948860.xlsx.402ABF         |

It also copies itself under a new name into another directory, C:\Users\REM\Haggle\Skredenes.Skr:

0040141B  | E8 69 FF FF FF        | call dhl 007948860.xlsx.401389        |
00401420  | C2 04 00              | ret 4                                 |
00401423  | 68 A8 AD 40 00        | push dhl 007948860.xlsx.40ADA8        | 40ADA8:L"C:\\Users\\REM\\Haggle\\Skredenes.Skr"
00401428  | FF 74 24 08           | push dword ptr ss:[esp+8]             |
0040142C  | E8 7F 3E 00 00        | call dhl 007948860.xlsx.4052B0        |
00401431  | C2 04 00              | ret 4                                 |

Stage 2

System.dll (f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37)

System.dll performs several file-system and registry checks. Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 is a Windows registry key (under HKEY_CURRENT_USER) that records the volumes and storage devices that have been mounted on the system. The registry itself is a hierarchical database of configuration settings for the operating system, hardware and installed software.

Within MountPoints2, each mounted volume or device has its own subkey, named with a unique identifier that is typically an alphanumeric string. The device path this sample reads (seen in [ebp-4] below, with Ven_NECVMWar and Prod_VMware_SATA_CD01) names a VMware virtual SATA CD-ROM drive, the kind of hardware artifact that reveals a virtual machine.

756AA3F4 | 8945 FC                  | mov dword ptr ss:[ebp-4],eax            | [ebp-4]:L"\\\\?\\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01#5&260e6d66&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
756AA3F7 | 56                       | push esi                                |
756AA3F8 | 8BF1        
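To show what the MountPoints2 enumeration gives the malware, here is an added Python example (not code from the original write-up) that parses device-interface paths like the one recovered above into bus, class, vendor, product, instance and interface GUID and flags entries that reveal a hypervisor. VM_MARKERS, the USB sample path and the '##?#' key-name normalisation are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Vendor/product fragments that betray a hypervisor (illustrative, not exhaustive).
VM_MARKERS = ("VMWARE", "NECVMWAR", "VBOX", "VIRTUALBOX", "QEMU", "VIRTUAL_DISK")
# Layout: \\?\<bus>#<class>&Ven_<vendor>&Prod_<product>[&...]#<instance id>#{<interface GUID>}\
DEVICE_PATH_RE = re.compile(
    r"^\\\\\?\\(?P<bus>[^#]+)#(?P<hwid>[^#]+)#(?P<instance>[^#]+)#\{(?P<guid>[0-9a-fA-F-]+)\}\\?$")

# Constructed sample: first entry is the [ebp-4] string from the debugger, second a made-up USB stick.
SAMPLE_PATHS = [
    "\\\\?\\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01#5&260e6d66&0&010000"
    "#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\",
    "##?#USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C5300012345&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
]

@dataclass
class DevicePath:
    bus: str
    device_class: str
    vendor: Optional[str]
    product: Optional[str]
    instance: str
    interface_guid: str

    def vm_markers(self) -> list:
        text = f"{self.vendor or ''} {self.product or ''}".upper()
        return [m for m in VM_MARKERS if m in text]

def parse_device_path(path: str) -> Optional[DevicePath]:
    # Registry key names cannot contain '\', so MountPoints2 stores '##?#' in place of '\\?\'.
    if path.startswith("##?#"):
        path = "\\\\?\\" + path[4:]
    m = DEVICE_PATH_RE.match(path)
    if not m:
        return None
    klass, *attrs = m.group("hwid").split("&")
    fields = dict(a.partition("_")[::2] for a in attrs)  # "Ven_X" -> {"Ven": "X"}
    return DevicePath(m.group("bus"), klass, fields.get("Ven"), fields.get("Prod"),
                      m.group("instance"), m.group("guid").lower())

def flag_vm_devices(paths) -> dict:
    """Map each path that reveals a hypervisor to the markers found in it."""
    parsed = ((p, parse_device_path(p)) for p in paths)
    return {p: d.vm_markers() for p, d in parsed if d and d.vm_markers()}
```

On a Windows analysis host the same function can be fed the MountPoints2 subkey names enumerated with the standard-library winreg module, to see which of the sandbox's own devices give it away.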

System.dll uses the credentials Username: Bortfjernelsen157 and Password: 33324 to contact the C2 server. In Wireshark we can see the request being made to hxxp://45.137.117[.]184.

0040143D  | 53                    | push ebx                              |
0040143E  | 56                    | push esi                              | esi:L"Bortfjernelsen157"
0040143F  | 8B 75 08              | mov esi,dword ptr ss:[ebp+8]          |
00401442  | 57                    | push edi                              | edi:L"33324"
00401443  | A1 08 A2 42 00        | mov eax,dword ptr ds:[42A208]         |
00401448  | 6A 07                 | push 7  

IoC

  • hxxp://45.137.117[.]184 (C2)
  • 0e199bb09bb2df831e4f6601c655d65af17cbed66a79b57d58e9020dd480929d (Stage 1, NSIS installer)
  • f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37 (Stage 2, System.dll)