Deep Malware and Phishing Analysis
By Joe Security LLC
Archived: 2026-04-06 00:37:31 UTC
In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent
malware samples. On the September 16th, 2020 we came across a new GuLoader variant
(MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-evasion
techniques.
Slow VM Exits
 The initial analysis on a virtual machine showed the following results:
As we can see in the Signature section, there are some RDTSC based evasion checks executed:
https://www.joesecurity.org/blog/3535317197858305930
Page 1 of 6

Among many other anti-evasion checks, GuLoader uses the following code to detect that it is running in a virtual
machine:
The code has two main purposes. First, it measures how long the execution of the CPUID instructions takes. On
real hardware, CPUID is directly executed by the CPU. Inside a virtual machine, the CPUID instruction forces a
VM exit - execution is transferred from the guest VM to the host. The hypervisor handles the instructions and
switches back. This transition is much slower compared to direct CPU execution. The same is true for other
https://www.joesecurity.org/blog/3535317197858305930
Page 2 of 6

instructions like RDTSC. This difference is measured and used to decide if the loader is going to execute the
payload or not.
Instruction Hammering
Secondly, the measurements are not executed once but executed thousands of times. The result is an overall delay
which often exceeds the execution time on a sandboxed analyzer. As a result, the payload execution is never
reached. This method of executing massive amounts of delay instructions to prevent the execution - also known as
Instruction Hammering - is very similar to API hammering, a technique we saw in TrickBot and many other
malware samples. 
Instruction Hammering is extremely powerful since it is hard to detect and challenging to bypass, as it exploits the
architecture of virtualization. The GuLoader creators seem to have noticed that, and in the new version they have
even increased the number of delay instructions being executed:
https://www.joesecurity.org/blog/3535317197858305930
Page 3 of 6

This code executes RDTSC and CPUID 11 million times. In addition, UserSharedData.SystemTime is being used
for time measurements.
On a Windows 10 x64 system running on VirtualBox the delay loop takes several minutes to finish:
https://www.joesecurity.org/blog/3535317197858305930
Page 4 of 6

On real hardware, the loop is executed in under one second!
Bare Metal Analysis to the Rescue
Joe Sandbox is one of a few vendors offering analysis on bare metal. In this setup, the malware sample is run on a
real physical machine. Physical machines are much closer to the real target of the malware. As a result, VM-based
evasions don't work and the sandbox can catch and record the real payload. If we analyze GuLoader on bare metal
the delay loop is passed in under a second and we can see that the LuminosityLink RAT is dropped:
https://www.joesecurity.org/blog/3535317197858305930
Page 5 of 6

The full analysis report of the GuLoader variant is available here.
Source: https://www.joesecurity.org/blog/3535317197858305930
https://www.joesecurity.org/blog/3535317197858305930
Page 6 of 6

  https://www.joesecurity.org/blog/3535317197858305930   
This code executes RDTSC and CPUID 11 million times. In addition, UserSharedData.SystemTime is being used
for time measurements.     
On a Windows 10 x64 system running on VirtualBox the delay loop takes several minutes to finish:
   Page 4 of 6