gcleaner | 9f7f3598fd33ea327ce6b442272ad990e14d355acaf7ee16853e1ea53b54410c

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb027d233cd923c4c4344b5b9c794da3_JaffaCakes118.exe
Size

275KB
MD5

eb027d233cd923c4c4344b5b9c794da3
SHA1

9204b04a0c6d8453558b2f572e8bce1523e81fa0
SHA256

9f7f3598fd33ea327ce6b442272ad990e14d355acaf7ee16853e1ea53b54410c
SHA512

5e4e29aa95a86bb9be61e2901b5f44ae0eccc91a12833a4eca16bd5767077ccd77a36ffc37e4c53084746857a7de918dd3fd15d0e912883285c3d65f07ae2fd8
SSDEEP

3072:uCeb43AEbuvFBr434xdZoPuvRoNG4e4XEXDhWmox+vMt5xjQ/pzT3WkJB0HBj/1E:R5IF23EyuviA4UXD9Rwj6pzj9eBx

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

194.145.227.161

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 5 IoCs

resource	yara_rule
behavioral2/memory/4208-2-0x00000000001C0000-0x00000000001EF000-memory.dmp	family_onlylogger
behavioral2/memory/4208-3-0x0000000000400000-0x0000000002162000-memory.dmp	family_onlylogger
behavioral2/memory/4208-4-0x0000000000400000-0x0000000002162000-memory.dmp	family_onlylogger
behavioral2/memory/4208-5-0x0000000000400000-0x0000000002162000-memory.dmp	family_onlylogger
behavioral2/memory/4208-7-0x00000000001C0000-0x00000000001EF000-memory.dmp	family_onlylogger

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4104	4208	WerFault.exe	90
1844	4208	WerFault.exe	90
3556	4208	WerFault.exe	90
1256	4208	WerFault.exe	90
372	4208	WerFault.exe	90
4864	4208	WerFault.exe	90
1600	4208	WerFault.exe	90
5020	4208	WerFault.exe	90

C:\Users\Admin\AppData\Local\Temp\eb027d233cd923c4c4344b5b9c794da3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb027d233cd923c4c4344b5b9c794da3_JaffaCakes118.exe"
1⤵
PID:4208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 620
  2⤵
  - Program crash
  PID:4104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 664
  2⤵
  - Program crash
  PID:1844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 652
  2⤵
  - Program crash
  PID:3556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 824
  2⤵
  - Program crash
  PID:1256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 848
  2⤵
  - Program crash
  PID:372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1036
  2⤵
  - Program crash
  PID:4864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1044
  2⤵
  - Program crash
  PID:1600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1092
  2⤵
  - Program crash
  PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4208 -ip 4208
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4208 -ip 4208
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4208 -ip 4208
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4208 -ip 4208
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4208 -ip 4208
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4208 -ip 4208
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4208 -ip 4208
1⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4208 -ip 4208
1⤵
PID:2860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4208-1-0x0000000002510000-0x0000000002610000-memory.dmp

Filesize
1024KB

Download
memory/4208-2-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/4208-3-0x0000000000400000-0x0000000002162000-memory.dmp

Filesize
29.4MB

Download
memory/4208-4-0x0000000000400000-0x0000000002162000-memory.dmp

Filesize
29.4MB

Download
memory/4208-5-0x0000000000400000-0x0000000002162000-memory.dmp

Filesize
29.4MB

Download
memory/4208-6-0x0000000002510000-0x0000000002610000-memory.dmp

Filesize
1024KB

Download
memory/4208-7-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads