gcleaner | 4eab6e8b3e7bf91ab9d323935715298a04def2f07bc0209d0b2b95fef220fb21

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
Size

279KB
MD5

ffceaff232f2e205e1dbba7197a28a9a
SHA1

f803f4e45d7762b5b383792eeb8f0246ba136a6a
SHA256

4eab6e8b3e7bf91ab9d323935715298a04def2f07bc0209d0b2b95fef220fb21
SHA512

35bad1e25e4dabb8d062330ed7ffb649eff15f9244e1f0044c81369f79c318d34ad24ea25b18b97f118b2782acf97d2f491ef5587458855a4990ceea43ff584c
SSDEEP

6144:WCIaFPby7cvOOK9qGGxhFCJiS+4TKfBECyVMzcc0g:75by7cv89qGGbM4x4TKfBECoB

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

194.145.227.161

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4484-2-0x00000000048A0000-0x00000000048CF000-memory.dmp	family_onlylogger
behavioral2/memory/4484-3-0x0000000000400000-0x0000000002B51000-memory.dmp	family_onlylogger
behavioral2/memory/4484-5-0x0000000000400000-0x0000000002B51000-memory.dmp	family_onlylogger
behavioral2/memory/4484-7-0x00000000048A0000-0x00000000048CF000-memory.dmp	family_onlylogger

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5104	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
696	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
3132	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
4964	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
1592	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
2900	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
3464	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
1468	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
1580	4484	WerFault.exe	ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffceaff232f2e205e1dbba7197a28a9a_JaffaCakes118.exe"
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 624
2⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 656
2⤵
- Program crash
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 656
2⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 724
2⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 640
2⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1016
2⤵
- Program crash
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1044
2⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 820
2⤵
- Program crash
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 716
2⤵
- Program crash
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4484 -ip 4484
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4484 -ip 4484
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4484 -ip 4484
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4484 -ip 4484
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4484 -ip 4484
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4484 -ip 4484
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4484 -ip 4484
1⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4484 -ip 4484
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4484 -ip 4484
1⤵
PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4484-1-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/4484-2-0x00000000048A0000-0x00000000048CF000-memory.dmp

Filesize
188KB

Download
memory/4484-3-0x0000000000400000-0x0000000002B51000-memory.dmp

Filesize
39.3MB

Download
memory/4484-5-0x0000000000400000-0x0000000002B51000-memory.dmp

Filesize
39.3MB

Download
memory/4484-6-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/4484-7-0x00000000048A0000-0x00000000048CF000-memory.dmp

Filesize
188KB

Download