gcleaner | 99427242576075c6bfc1038c07587b07f69b0d85149fbf0091b9a582e68a9cf1

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60194970d3fca26d6d62ad4263a3ad62_JaffaCakes118.exe
Size

334KB
MD5

60194970d3fca26d6d62ad4263a3ad62
SHA1

561eddc46818941773b0ec6fd1694da5031eb467
SHA256

99427242576075c6bfc1038c07587b07f69b0d85149fbf0091b9a582e68a9cf1
SHA512

b7982f2f128e381cefffc9aef07c8974e303789988f11d71d4a329e20fbfcca958ffc3c1eccaf68f7f8ba720fae3ad6d900cddb597bf42a5718ffeea8e501f09
SSDEEP

6144:xTgQjN1N+dwK8kYud6mHFAJQXZYG0FjPbb52qX7tNfVXVHQLIiu8cfo0/pW:2QjNr0wK9FyJkYpjR2wZGEX8cA0/M

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

resource	yara_rule
behavioral2/memory/876-2-0x0000000004B20000-0x0000000004B4F000-memory.dmp	family_onlylogger
behavioral2/memory/876-3-0x0000000000400000-0x0000000002F1D000-memory.dmp	family_onlylogger
behavioral2/memory/876-5-0x0000000000400000-0x0000000002F1D000-memory.dmp	family_onlylogger
behavioral2/memory/876-6-0x0000000004B20000-0x0000000004B4F000-memory.dmp	family_onlylogger

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4008	876	WerFault.exe	85
4760	876	WerFault.exe	85
772	876	WerFault.exe	85
532	876	WerFault.exe	85
1756	876	WerFault.exe	85
4736	876	WerFault.exe	85
1592	876	WerFault.exe	85
3588	876	WerFault.exe	85
4856	876	WerFault.exe	85
2020	876	WerFault.exe	85
756	876	WerFault.exe	85

C:\Users\Admin\AppData\Local\Temp\60194970d3fca26d6d62ad4263a3ad62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60194970d3fca26d6d62ad4263a3ad62_JaffaCakes118.exe"
1⤵
PID:876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 468
  2⤵
  - Program crash
  PID:4008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 660
  2⤵
  - Program crash
  PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 772
  2⤵
  - Program crash
  PID:772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 820
  2⤵
  - Program crash
  PID:532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 948
  2⤵
  - Program crash
  PID:1756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 844
  2⤵
  - Program crash
  PID:4736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1076
  2⤵
  - Program crash
  PID:1592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1196
  2⤵
  - Program crash
  PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1244
  2⤵
  - Program crash
  PID:4856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 808
  2⤵
  - Program crash
  PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1200
  2⤵
  - Program crash
  PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 876 -ip 876
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 876 -ip 876
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 876 -ip 876
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 876 -ip 876
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 876 -ip 876
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 876 -ip 876
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 876 -ip 876
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 876 -ip 876
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 876 -ip 876
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 876 -ip 876
1⤵
PID:1016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-1-0x0000000002FF0000-0x00000000030F0000-memory.dmp

Filesize
1024KB

Download
memory/876-2-0x0000000004B20000-0x0000000004B4F000-memory.dmp

Filesize
188KB

Download
memory/876-3-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/876-5-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/876-6-0x0000000004B20000-0x0000000004B4F000-memory.dmp

Filesize
188KB

Download
memory/876-7-0x0000000002FF0000-0x00000000030F0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads