Unit 42 researchers analyzed a Guloader variant whose shellcode payload uses anti-analysis tricks, and provided a Python script that deobfuscates the sample so analysts can read it faster. The article details how the malware uses control flow obfuscation built on a vectored exception handler, describes a workflow for automating the deobfuscation in IDA Pro, and notes that Palo Alto Networks products such as Cortex XDR and WildFire protect against the sample. #Guloader #CloudEye #VectoredExceptionHandler #IDAPro #PythonScript #Obfuscation #CortexXDR #WildFire
Keypoints
- The Guloader variant analyzed uses a control flow obfuscation technique to hinder static and dynamic analysis.
- The obfuscation inserts 0xCC (INT3) bytes into the code; at run time each one raises an exception, and statically they break up the instruction stream so disassembly tooling produces garbage.
- The malware registers a vectored exception handler via AddVectoredExceptionHandler to manage exceptions and control flow.
- A dedicated handler function first performs anti-debugging checks (execution is terminated if hardware or software breakpoints are found), then XOR-decodes an offset to compute the address at which execution resumes after the INT3.
- Researchers created an IDA Processor module extension to automate the deobfuscation process by replacing 0xCC with JMP short and decoding offsets.
- A Python script enables automatic deobfuscation in IDA Pro, replacing obfuscated instructions and restoring readable code.
- Palo Alto Networks protections (Cortex XDR, WildFire) defend against malware employing similar anti-analysis techniques.
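The following is an added, illustrative model of the technique described in the keypoints above; it is not Unit 42's IDA script and is not taken from the article. The article does not spell out the sample's exact encoding, so this example assumes a hypothetical layout: each obfuscated site is an INT3 (0xCC) followed by a single byte, the handler XORs that byte with a constant key (XOR_KEY here is made up) and treats the result as a signed 8-bit displacement from the INT3, and the bytes between the INT3 and the target are junk that never executes. The code emulates what the CPU plus the vectored exception handler would do, rewrites each site as JMP short (0xEB rel8) to the same target, and checks that the patched buffer follows the same control flow as the original. The byte buffer is constructed for the example and is not from the real malware.

```python
"""Model of INT3-based control flow obfuscation and its deobfuscation.

Added example, not Unit 42's script. Assumed (hypothetical) encoding:
  * an obfuscated site is INT3 (0xCC) followed by one XOR-encoded byte;
  * the handler decodes that byte with XOR_KEY and treats the result as a
    signed 8-bit displacement measured from the INT3 itself;
  * the bytes between the INT3 and the target are junk that never executes.
Deobfuscation rewrites each site as JMP short (0xEB rel8) to the same target.
"""
from typing import Dict, List, Tuple

XOR_KEY = 0x5A  # hypothetical key; the real sample's key is not given here

# Minimal x86-32 length table covering only the straight-line opcodes used in
# the constructed sample. Anything else raises, so junk is never silently decoded.
_LENGTHS: Dict[int, int] = {0x90: 1, 0x31: 2}           # nop; xor r/m32, r32 (reg-reg)
_LENGTHS.update({op: 1 for op in range(0x50, 0x60)})    # push/pop r32
_LENGTHS.update({op: 5 for op in range(0xB8, 0xC0)})    # mov r32, imm32


def _to_signed8(b: int) -> int:
    return b - 0x100 if b & 0x80 else b


def handler_target(code: bytes, site: int) -> int:
    """Emulate the VEH: decode the byte after the INT3 and return the resume offset."""
    disp = _to_signed8((code[site + 1] ^ XOR_KEY) & 0xFF)
    return site + disp


def trace(code: bytes, entry: int, emulate_handler: bool) -> List[int]:
    """Walk the control flow from entry and return the instruction offsets reached.

    With emulate_handler=True an INT3 is resolved through the handler model;
    with False it is left as a real INT3 and the walk stops there, so any
    0xCC that survived patching shows up as a truncated trace.
    """
    seen: List[int] = []
    pc = entry
    while pc < len(code) and pc not in seen:   # 'not in seen' guards against loops
        seen.append(pc)
        op = code[pc]
        if op == 0xCC:
            if not emulate_handler:
                break
            pc = handler_target(code, pc)
        elif op == 0xEB:                       # jmp short rel8, relative to next instruction
            pc = pc + 2 + _to_signed8(code[pc + 1])
        elif op == 0xC3:                       # ret ends the walk
            break
        elif op in _LENGTHS:
            pc += _LENGTHS[op]
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {pc}")
    return seen


def deobfuscate(code: bytes, entry: int) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Replace every reachable INT3 site with a JMP short to the handler's target."""
    patched = bytearray(code)
    sites: List[Tuple[int, int]] = []
    for off in trace(code, entry, emulate_handler=True):
        if code[off] != 0xCC:
            continue
        target = handler_target(code, off)
        rel8 = target - (off + 2)              # JMP short is relative to the next instruction
        if not -128 <= rel8 <= 127:
            raise ValueError(f"target of site 0x{off:02x} not reachable with JMP short")
        patched[off] = 0xEB
        patched[off + 1] = rel8 & 0xFF
        sites.append((off, target))
    return bytes(patched), sites


def _enc(disp: int) -> int:
    """Encode a displacement the way the (assumed) handler expects it."""
    return (disp & 0xFF) ^ XOR_KEY


# Constructed sample buffer (not from the real malware): real instructions
# interleaved with two INT3 sites whose junk bytes break linear disassembly.
SAMPLE = bytes([
    0x55,                          # 0x00  push ebp
    0xCC, _enc(5),                 # 0x01  int3; handler resumes at 0x06
    0x0F, 0x0B, 0xFF,              # 0x03  junk (never executed)
    0x31, 0xC0,                    # 0x06  xor eax, eax
    0xCC, _enc(6),                 # 0x08  int3; handler resumes at 0x0E
    0xFF, 0xFF, 0x0F, 0x0B,        # 0x0A  junk
    0xB8, 0x01, 0x00, 0x00, 0x00,  # 0x0E  mov eax, 1
    0x5D,                          # 0x13  pop ebp
    0xC3,                          # 0x14  ret
])

if __name__ == "__main__":
    clean, sites = deobfuscate(SAMPLE, 0)
    for site, target in sites:
        print(f"patched int3 at 0x{site:02x} -> jmp short 0x{target:02x}")
    # the patched buffer must reach exactly the same instructions as the original
    assert trace(SAMPLE, 0, True) == trace(clean, 0, False)
    print(clean.hex())
```

The walk follows control flow rather than scanning the buffer for 0xCC, because a 0xCC that sits inside an immediate or inside junk is not a site and must not be patched; the real IDA extension gets the same effect by hooking the processor module so the rewrite happens as instructions are decoded. The final trace comparison is the check worth keeping in any such script: if the patched code does not reach the same instructions as the handler-emulated original, the assumed encoding is wrong.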
MITRE Techniques
- [T1027] Obfuscated Files or Information: the sample relies on control flow obfuscation to hide its functionality and evade detection. "The Guloader sample in question uses the control flow obfuscation technique to hide its functionalities and evade detection."
- [T1562.001] Impair Defenses: Disable or Modify Tools: anti-debugging measures (terminate when hardware or software breakpoints are present) prevent debugging and analysis. "The handler function begins with anti-debugging checks. It will terminate execution when hardware or software breakpoints are found."
Indicators of Compromise
- [File] context: SQ21002728.IMG, SQ21002728.vbs
- [Hash] SHA256: fb8e52ec2e9d21a30d7b4dee8721d890a4fbec48103a021e9c04dfb897b71060, 56cdfaa44070c2ad164bd1e7f26744a2ffe54487c2d53d3ae318d842c6f56178
Read more: https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/