Quick analysis note about GuLoader (or CloudEyE)

Recently, I’ve supported a foreign friend on Twitter during the analysis one of GuLoader (or CloudEyE) variant sample. Although, he have read these articles (1, 2) but still stuck and I know that feeling.

The discussion between us was quite long, finally I sent him my quick analysis so that he can read and follow. Now, I put the analysis that we discussed on this blog hoping it will help others like him.

1. Get the GuLoader’s shellcode

GuLoader uses VirtualAlloc api for allocating a new memory section and drop shellcode to the allocated memory.

• Call to VirtualAlloc:

• Fill shellcode to the allocated buffer:

• Continue trace, will jump to the shellcode. This shellcode may vary with each sample:

2. Debug shellcode for finding the next payload URL

This shellcode uses Heaven’s Gate technique to execute on x64 environment. You can read more about this technique that I wrote here. Preferably, you should debug GuLoader on 32bit Windows VM.

• Patch to bypass anti-VM:

• Break on call to EnumWindows (patch if need to bypass call to TerminateProcess):

• Break on call to ZwProtectVirtualMemory (need to patch to bypass anti-attach):

• Break on call to ZwSetInformationThread for hidding thread (need to patch 0xC3 when trace into this call or nop this call):

• Directly, below will usually be the sub function that call to the CPUID command, nop this call:

• Call to get process command line:

• Call to shellcode main proc, need to trace into this func:

• This shellcode main proc will do:

_ Get RegAsm’s path (ex: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe)

_ Call to kernel32.CreateProcessInternalW to create RegAsm.exe in suspended state:

_ Get msvbvm60.dll‘s path (ex: C:\Windows\system32\msvbvm60.dll) and then replace to \??\C:\Windows\system32\msvbvm60.dll

_ Call to ntdll.ZwOpenFile

_ Call to ntdll.ZwCreateSection with FileHandle of msvbvm60.dll (ex: File, C:\Windows\System32\msvbvm60.dll, 0x190)

_ Call to ntdll.ZwMapViewOfSection with SectionHandle of msvbvm60.dll and ProcessHandle of RegAsm.exe suspended process. For mapping msvbvm60.dll:

_ Allocate RWX memory section on RegAsm.exe suspended process:

_ Then call ZwWriteVirtualMemory for writing the 2^nd shellcode to the allocated buffer at RegAsm process. The 2^nd shellcode same as the 1^st shellcode, but its main task is to decode the URL and download the final payload.

_ After that it calls ZwGetContextThread, ZwSetContextThread and then ZwResumeThread. So RegAsm process will return to the normal state and execute the 2^nd shellcode to download the final payload.

• For debugging the 2^nd shellcode, use ProcessHacker to change bytes of 2^nd shellcode to 0xEB 0xFE (must restore to orginal bytes later. The original bytes is 0xFC 0x81):

• Let’s trace over ZwResumeThread:

• Open new debugger and attach RegAsm. F9 then F12, stop at the EB FE. Change back to the original bytes:

• Debug the 2^nd shellcode will locate the code decode the URL. For example: Stack ss:[0056F848]=008D1A2C, (ASCII “hxxps://www.mediafire.com/file/kgwo4t43b5831fj/origin_geyiApZvCe4.bin/file”)

• Sometimes, the mediafire / google drive link was blocked by CloudFlare, so need to manually download and save it. Then let’s the shellcode resolve the wininet_api funcs, use these apis for downloading the CloudFlare’s content. It will check the size of downloaded content is equal to 0x4B600 (in this case). Must patch to let’s it think you have downloaded the right binary. Then you trace into the func that will decrypt payload. My trick is replace the CloudFlare content with the content of encrypted payload. Here is the loop it try to find 2 bytes that decrypt 2 bytes of payload to MZ signature

• Then build the xor_key_buffer, buffer length is 0x270 bytes:

• After decrypt loop, get the final payload. It can be a Trojans (RAT) or malware that steals information such as Agent Tesla, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, …

End!

m4n0w4r

Hopefully, in the future, if I have the opportunity to go to Singapore, I will meet him !!