Technical Analysis of Guloader Malware Using .JAR Files

Let's explore the technical breakdown of Guloader malware and its infection chain.

Tuesday, 14 May, 2024

Guloader Malware - Cyberwarehub

Guloader is a sophisticated downloader malware known for delivering various malicious payloads, including remote access Trojans (RATs), info-stealers, and other types of malware. First identified in 2019, Guloader has been involved in numerous cyberattacks, often spreading through phishing emails with malicious attachments or links. 

Upon execution, Guloader uses advanced evasion techniques, such as injecting shellcode into legitimate processes and encrypting its payloads to bypass antivirus software. Its ability to evade detection and distribute a wide range of malware makes Guloader a significant threat in the cybersecurity landscape.

File Details:

Hash    : 852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc
Magic   : Zip archive data, at least v2.0 to extract, compression method=deflate
Filename: xerox322200524.jar
FileType: JAR
Size    : 367.74 KB (376568 bytes)

Infection Chain:

What are JAR Files?

JAR (Java ARchive) files are a package file format used to bundle Java applications and libraries into a single, compressed file. They contain multiple Java class files, along with associated metadata and resources like images and text. This format simplifies the distribution and deployment of Java programs by including all necessary components in one archive. Additionally, JAR files can be made executable if they include a manifest file that specifies the main class to run, allowing users to launch applications directly.

Why Do Malware Authors Exploit JAR Files for Malicious Purposes?

Firstly, the platform-independent nature of Java allows JAR files to run on any system with a Java Runtime Environment (JRE), broadening their reach. Secondly, JAR files can contain obfuscated code, making it difficult for security software and analysts to detect and analyze the malicious content. Lastly, because JAR files are commonly used in legitimate software distribution, they often bypass security measures and trick users into executing them. These characteristics make JAR files an effective tool for delivering malware across various systems while evading detection.

Let's start with analyzing the JAR file.

We have obtained the .jar file, and based on the magic bytes "PK", it appears to be a ZIP archive. Therefore, we can extract the JAR file to determine whether a payload file is present within.

Extraction of JAR File:

Our prediction has been confirmed, as it indeed contains one executable application file. Now, let's extract the strings from the application file and identify any suspicious strings or files.

The first table displays the common APIs used by the payload file, while the second table presents the metadata of the sample, revealing that it is an NSIS compiler file.
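A static triage of the steps above, as an added example that is not part of the original analysis: it checks the "PK" magic, reads the manifest's main class, and flags archive entries that begin with the PE "MZ" header, all in memory without extracting or running anything. The sample archive, the names `demo.Loader` and `resources/setup.exe`, and the use of the `NullsoftInst` string as an NSIS hint are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"      # local file header signature of a ZIP/JAR
PE_MAGIC = b"MZ"               # DOS header at the start of a Windows PE file
NSIS_MARKER = b"NullsoftInst"  # string in the NSIS installer header (heuristic, assumption)


def triage_jar(data: bytes) -> dict:
    """Statically inspect a JAR held in memory; nothing is written or executed."""
    report = {"is_zip": data.startswith(ZIP_MAGIC), "main_class": None, "embedded_pe": []}
    if not report["is_zip"]:
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            body = jar.read(info)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                # The manifest names the class that runs when the JAR is launched.
                for line in body.decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("main-class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
            elif body.startswith(PE_MAGIC):
                # Classify by content, not extension: a renamed payload is still caught.
                report["embedded_pe"].append({
                    "name": info.filename,
                    "size": len(body),
                    "sha256": hashlib.sha256(body).hexdigest(),
                    "nsis": NSIS_MARKER in body,
                })
    return report


def build_sample_jar() -> bytes:
    """Constructed test input: a manifest, a dummy class, and a fake 'MZ' stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: demo.Loader\n")
        z.writestr("demo/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        z.writestr("resources/setup.exe", b"MZ" + b"\x00" * 62 + NSIS_MARKER)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

The SHA-256 of each flagged entry can be used to look the embedded payload up separately from the outer JAR's hash.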

Dynamic View of the Sample:

After the file is executed, it opens a pop-up box stating that “Deanies setup is installing”. Let's examine the background process to observe the behavior of the sample.

Environmental Changes:

The sample targets the “C:\ProgramData” folder. The ProgramData folder on the C drive is a hidden system folder in Windows that stores application data not specific to any single user. Applications use this folder to store shared data that is accessible to all users on the computer. This can include configuration files, settings, databases, and other data that needs to be available to multiple users or shared among different applications.

Sample Strings:

CPU Usage Graph:

Here, we can view the Private Bytes and CPU performance of the sample.

Private Bytes is the current amount of memory, in bytes, that this process has allocated and cannot be shared with other processes.

If a malware application is using 757 MB of private bytes, it means that the application has allocated 757 MB of memory that cannot be shared with other processes. This represents significant memory usage, which could reduce the available memory for other applications and impact system performance.

Additionally, if the same malware application is using 100% of the CPU, it means that it is fully utilizing the CPU, leaving no processing power for other tasks. This can severely impact system performance, causing it to become slow or unresponsive. It indicates that the malware is performing intensive operations that are consuming all available CPU resources.

Happy Hunting !!