gcleaner | 4272379ced0fed89dfc74a080cd17269b34bef293cbfe4bd424abd500bf367fa

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8db76628f58ae7d66a95d134c04895f_JaffaCakes118.exe
Size

379KB
MD5

f8db76628f58ae7d66a95d134c04895f
SHA1

484b08726669838820e166d7621559e1bec8c3a1
SHA256

4272379ced0fed89dfc74a080cd17269b34bef293cbfe4bd424abd500bf367fa
SHA512

77cca8a8565d7e84a2dbc88814eec3f52b2fcce88fcd56f791c25b2fe7bd0e213b7ce0f8cf987fb69306924831b02aa87076656b1845870dfb53c89f2254ffca
SSDEEP

6144:MmgDbiuBekKbKkNas2pevng1KuizqZhaNyG0Sbz:CauBekVkNas2Pgui+hu

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

gc-prtnrs.top

gcc-prtnrs.top

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

resource	yara_rule
behavioral2/memory/5048-2-0x0000000004E60000-0x0000000004E8E000-memory.dmp	family_onlylogger
behavioral2/memory/5048-3-0x0000000000400000-0x000000000325A000-memory.dmp	family_onlylogger
behavioral2/memory/5048-4-0x0000000000400000-0x000000000325A000-memory.dmp	family_onlylogger
behavioral2/memory/5048-7-0x0000000004E60000-0x0000000004E8E000-memory.dmp	family_onlylogger

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4100	5048	WerFault.exe	84
1992	5048	WerFault.exe	84
2260	5048	WerFault.exe	84
4880	5048	WerFault.exe	84
4192	5048	WerFault.exe	84
3888	5048	WerFault.exe	84
3956	5048	WerFault.exe	84
5000	5048	WerFault.exe	84
4384	5048	WerFault.exe	84

C:\Users\Admin\AppData\Local\Temp\f8db76628f58ae7d66a95d134c04895f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8db76628f58ae7d66a95d134c04895f_JaffaCakes118.exe"
1⤵
PID:5048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 556
  2⤵
  - Program crash
  PID:4100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 656
  2⤵
  - Program crash
  PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 744
  2⤵
  - Program crash
  PID:2260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 776
  2⤵
  - Program crash
  PID:4880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 732
  2⤵
  - Program crash
  PID:4192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1016
  2⤵
  - Program crash
  PID:3888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1028
  2⤵
  - Program crash
  PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1368
  2⤵
  - Program crash
  PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1072
  2⤵
  - Program crash
  PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5048 -ip 5048
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5048 -ip 5048
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5048 -ip 5048
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5048 -ip 5048
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5048 -ip 5048
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5048 -ip 5048
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5048 -ip 5048
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5048 -ip 5048
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048
1⤵
PID:4964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5048-1-0x0000000003450000-0x0000000003550000-memory.dmp

Filesize
1024KB

Download
memory/5048-2-0x0000000004E60000-0x0000000004E8E000-memory.dmp

Filesize
184KB

Download
memory/5048-3-0x0000000000400000-0x000000000325A000-memory.dmp

Filesize
46.4MB

Download
memory/5048-4-0x0000000000400000-0x000000000325A000-memory.dmp

Filesize
46.4MB

Download
memory/5048-6-0x0000000003450000-0x0000000003550000-memory.dmp

Filesize
1024KB

Download
memory/5048-7-0x0000000004E60000-0x0000000004E8E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads