gcleaner | a6e7a65ad515a67a06dcbe2591faaef1b4629632c17fadc999ac1c45a87caa18

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe
Size

363KB
MD5

f4b6825221e1fa2c7e9f3d46917fa11d
SHA1

1c0d77931ec4f940c40f70ff0ad94d0562f996de
SHA256

a6e7a65ad515a67a06dcbe2591faaef1b4629632c17fadc999ac1c45a87caa18
SHA512

3faca8a337148c3f7cfc15eaad85e50bf36baf3ecaa715af04392aa555559be0826c9e9dc97f9436a2b846b60a7e4a9fcc0e5ab5eb69a55894e4924926ab8169
SSDEEP

6144:4royc25Q/6MZd+MZZ+07Xg2VM+I5dzmd3u8Ot/Q5xm552yy1tzH:Xb2eSMZVZ+Ac+ILaxuD96s2yot

Score

10^/10

gcleaner onlylogger vidar loader stealer

Malware Config

Extracted

Family

gcleaner

194.145.227.161

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2232-2-0x0000000000220000-0x0000000000269000-memory.dmp	family_onlylogger
behavioral1/memory/2232-3-0x0000000000400000-0x00000000023C4000-memory.dmp	family_onlylogger
behavioral1/memory/2232-4-0x0000000000400000-0x00000000023C4000-memory.dmp	family_onlylogger

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1844 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2388 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2388 taskkill.exe

pid	process
1844	cmd.exe

pid	process
2388	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2388	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2232 wrote to memory of 1844	2232	f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 1844	2232	f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 1844	2232	f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 1844	2232	f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe	cmd.exe
PID 1844 wrote to memory of 2388	1844	cmd.exe	taskkill.exe
PID 1844 wrote to memory of 2388	1844	cmd.exe	taskkill.exe
PID 1844 wrote to memory of 2388	1844	cmd.exe	taskkill.exe
PID 1844 wrote to memory of 2388	1844	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-1-0x00000000024B0000-0x00000000025B0000-memory.dmp

Filesize
1024KB

Download
memory/2232-2-0x0000000000220000-0x0000000000269000-memory.dmp

Filesize
292KB

Download
memory/2232-3-0x0000000000400000-0x00000000023C4000-memory.dmp

Filesize
31.8MB

Download
memory/2232-4-0x0000000000400000-0x00000000023C4000-memory.dmp

Filesize
31.8MB

Download