{ "id": "879a8b98-c769-4cee-8915-450eb04a9cdc", "created_at": "2026-04-06T01:28:57.27611Z", "updated_at": "2026-04-10T03:21:49.436735Z", "deleted_at": null, "sha1_hash": "d5829b43122caa4bf86c66535e58066e8fe7c50a", "title": "Deep Malware and Phishing Analysis", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 669030, "plain_text": "Deep Malware and Phishing Analysis\r\nBy Joe Security LLC\r\nArchived: 2026-04-06 00:37:31 UTC\r\nIn Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent\r\nmalware samples. On the September 16th, 2020 we came across a new GuLoader variant\r\n(MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-evasion\r\ntechniques.\r\nSlow VM Exits\r\n The initial analysis on a virtual machine showed the following results:\r\nAs we can see in the Signature section, there are some RDTSC based evasion checks executed:\r\nhttps://www.joesecurity.org/blog/3535317197858305930\r\nPage 1 of 6\n\nAmong many other anti-evasion checks, GuLoader uses the following code to detect that it is running in a virtual\r\nmachine:\r\nThe code has two main purposes. First, it measures how long the execution of the CPUID instructions takes. On\r\nreal hardware, CPUID is directly executed by the CPU. Inside a virtual machine, the CPUID instruction forces a\r\nVM exit - execution is transferred from the guest VM to the host. The hypervisor handles the instructions and\r\nswitches back. This transition is much slower compared to direct CPU execution. The same is true for other\r\nhttps://www.joesecurity.org/blog/3535317197858305930\r\nPage 2 of 6\n\ninstructions like RDTSC. This difference is measured and used to decide if the loader is going to execute the\r\npayload or not.\r\nInstruction Hammering\r\nSecondly, the measurements are not executed once but executed thousands of times. The result is an overall delay\r\nwhich often exceeds the execution time on a sandboxed analyzer. As a result, the payload execution is never\r\nreached. This method of executing massive amounts of delay instructions to prevent the execution - also known as\r\nInstruction Hammering - is very similar to API hammering, a technique we saw in TrickBot and many other\r\nmalware samples. \r\nInstruction Hammering is extremely powerful since it is hard to detect and challenging to bypass, as it exploits the\r\narchitecture of virtualization. The GuLoader creators seem to have noticed that, and in the new version they have\r\neven increased the number of delay instructions being executed:\r\nhttps://www.joesecurity.org/blog/3535317197858305930\r\nPage 3 of 6\n\nThis code executes RDTSC and CPUID 11 million times. In addition, UserSharedData.SystemTime is being used\r\nfor time measurements.\r\nOn a Windows 10 x64 system running on VirtualBox the delay loop takes several minutes to finish:\r\nhttps://www.joesecurity.org/blog/3535317197858305930\r\nPage 4 of 6\n\nOn real hardware, the loop is executed in under one second!\r\nBare Metal Analysis to the Rescue\r\nJoe Sandbox is one of a few vendors offering analysis on bare metal. In this setup, the malware sample is run on a\r\nreal physical machine. Physical machines are much closer to the real target of the malware. As a result, VM-based\r\nevasions don't work and the sandbox can catch and record the real payload. If we analyze GuLoader on bare metal\r\nthe delay loop is passed in under a second and we can see that the LuminosityLink RAT is dropped:\r\nhttps://www.joesecurity.org/blog/3535317197858305930\r\nPage 5 of 6\n\nThe full analysis report of the GuLoader variant is available here.\r\nSource: https://www.joesecurity.org/blog/3535317197858305930\r\nhttps://www.joesecurity.org/blog/3535317197858305930\r\nPage 6 of 6\n\n https://www.joesecurity.org/blog/3535317197858305930 \nThis code executes RDTSC and CPUID 11 million times. In addition, UserSharedData.SystemTime is being used\nfor time measurements. \nOn a Windows 10 x64 system running on VirtualBox the delay loop takes several minutes to finish:\n Page 4 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.joesecurity.org/blog/3535317197858305930" ], "report_names": [ "3535317197858305930" ], "threat_actors": [], "ts_created_at": 1775438937, "ts_updated_at": 1775791309, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d5829b43122caa4bf86c66535e58066e8fe7c50a.pdf", "text": "https://archive.orkl.eu/d5829b43122caa4bf86c66535e58066e8fe7c50a.txt", "img": "https://archive.orkl.eu/d5829b43122caa4bf86c66535e58066e8fe7c50a.jpg" } }