gcleaner | 4eab6e8b3e7bf91ab9d323935715298a04def2f07bc0209d0b2b95fef220fb21

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
Size

279KB
MD5

ffceaff232f2e205e1dbba7197a28a9a
SHA1

f803f4e45d7762b5b383792eeb8f0246ba136a6a
SHA256

4eab6e8b3e7bf91ab9d323935715298a04def2f07bc0209d0b2b95fef220fb21
SHA512

35bad1e25e4dabb8d062330ed7ffb649eff15f9244e1f0044c81369f79c318d34ad24ea25b18b97f118b2782acf97d2f491ef5587458855a4990ceea43ff584c
SSDEEP

6144:WCIaFPby7cvOOK9qGGxhFCJiS+4TKfBECyVMzcc0g:75by7cv89qGGbM4x4TKfBECoB

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

194.145.227.161

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

resource	yara_rule
behavioral2/memory/4484-2-0x00000000048A0000-0x00000000048CF000-memory.dmp	family_onlylogger
behavioral2/memory/4484-3-0x0000000000400000-0x0000000002B51000-memory.dmp	family_onlylogger
behavioral2/memory/4484-5-0x0000000000400000-0x0000000002B51000-memory.dmp	family_onlylogger
behavioral2/memory/4484-7-0x00000000048A0000-0x00000000048CF000-memory.dmp	family_onlylogger

Program crash 9 IoCs

pid	pid_target	Process	procid_target
5104	4484	WerFault.exe	90
696	4484	WerFault.exe	90
3132	4484	WerFault.exe	90
4964	4484	WerFault.exe	90
1592	4484	WerFault.exe	90
2900	4484	WerFault.exe	90
3464	4484	WerFault.exe	90
1468	4484	WerFault.exe	90
1580	4484	WerFault.exe	90

C:\Users\Admin\AppData\Local\Temp\ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe"
1⤵
PID:4484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 624
  2⤵
  - Program crash
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 656
  2⤵
  - Program crash
  PID:696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 656
  2⤵
  - Program crash
  PID:3132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 724
  2⤵
  - Program crash
  PID:4964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 640
  2⤵
  - Program crash
  PID:1592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1016
  2⤵
  - Program crash
  PID:2900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1044
  2⤵
  - Program crash
  PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 820
  2⤵
  - Program crash
  PID:1468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 716
  2⤵
  - Program crash
  PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4484 -ip 4484
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4484 -ip 4484
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4484 -ip 4484
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4484 -ip 4484
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4484 -ip 4484
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4484 -ip 4484
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4484 -ip 4484
1⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4484 -ip 4484
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4484 -ip 4484
1⤵
PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4484-1-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/4484-2-0x00000000048A0000-0x00000000048CF000-memory.dmp

Filesize
188KB

Download
memory/4484-3-0x0000000000400000-0x0000000002B51000-memory.dmp

Filesize
39.3MB

Download
memory/4484-5-0x0000000000400000-0x0000000002B51000-memory.dmp

Filesize
39.3MB

Download
memory/4484-6-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/4484-7-0x00000000048A0000-0x00000000048CF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads