gcleaner | c864ec31f34d9628ff59965b1a43eb4ec2fa511a30d36fd45a862ff5efd7ad8e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcb755961054f48694eb13170b93a195_JaffaCakes118.exe
Size

431KB
MD5

fcb755961054f48694eb13170b93a195
SHA1

42c2269f390a22b283ca72158a0481416a139107
SHA256

c864ec31f34d9628ff59965b1a43eb4ec2fa511a30d36fd45a862ff5efd7ad8e
SHA512

c367d4318525ec3cd45b69e55c32c814f48f881368ffaf90be78b830cd74c0eec4859615d201229a50e6d12c4f228361e182b800ade82378c4632282cc873f7c
SSDEEP

12288:6H2Bc9c+G8OVZqkPQItMi4IUbEbmEJyNVlmWweMMM:6HOkQPqkPQIB4IjJyNVNMMM

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 5 IoCs

resource	yara_rule
behavioral2/memory/5104-2-0x00000000024E0000-0x0000000002529000-memory.dmp	family_onlylogger
behavioral2/memory/5104-3-0x0000000000400000-0x000000000079D000-memory.dmp	family_onlylogger
behavioral2/memory/5104-4-0x0000000000400000-0x000000000079D000-memory.dmp	family_onlylogger
behavioral2/memory/5104-5-0x0000000000400000-0x000000000079D000-memory.dmp	family_onlylogger
behavioral2/memory/5104-7-0x00000000024E0000-0x0000000002529000-memory.dmp	family_onlylogger

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3776	5104	WerFault.exe	83
4028	5104	WerFault.exe	83
2528	5104	WerFault.exe	83
3004	5104	WerFault.exe	83
2144	5104	WerFault.exe	83
3740	5104	WerFault.exe	83
916	5104	WerFault.exe	83
2796	5104	WerFault.exe	83
624	5104	WerFault.exe	83
2512	5104	WerFault.exe	83

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5104	fcb755961054f48694eb13170b93a195_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fcb755961054f48694eb13170b93a195_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcb755961054f48694eb13170b93a195_JaffaCakes118.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 500
  2⤵
  - Program crash
  PID:3776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 648
  2⤵
  - Program crash
  PID:4028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 740
  2⤵
  - Program crash
  PID:2528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 760
  2⤵
  - Program crash
  PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 752
  2⤵
  - Program crash
  PID:2144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 536
  2⤵
  - Program crash
  PID:3740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1100
  2⤵
  - Program crash
  PID:916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1152
  2⤵
  - Program crash
  PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 844
  2⤵
  - Program crash
  PID:624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1104
  2⤵
  - Program crash
  PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5104 -ip 5104
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5104 -ip 5104
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5104 -ip 5104
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5104 -ip 5104
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5104 -ip 5104
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5104 -ip 5104
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5104 -ip 5104
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5104 -ip 5104
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5104 -ip 5104
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5104 -ip 5104
1⤵
PID:444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5104-1-0x0000000000B40000-0x0000000000C40000-memory.dmp

Filesize
1024KB

Download
memory/5104-2-0x00000000024E0000-0x0000000002529000-memory.dmp

Filesize
292KB

Download
memory/5104-3-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/5104-4-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/5104-5-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/5104-6-0x0000000000B40000-0x0000000000C40000-memory.dmp

Filesize
1024KB

Download
memory/5104-7-0x00000000024E0000-0x0000000002529000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads