gcleaner | dec442f99b9cbc46799b4b1a416ec15cd90632a465c46470588552722481bdf0

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 00:33

Target

5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
Size

423KB
MD5

5c485539c2f24f1f8e54102a43c2df53
SHA1

3aa9d1d789ff10811f21ba1110a00b8f8fccefbd
SHA256

dec442f99b9cbc46799b4b1a416ec15cd90632a465c46470588552722481bdf0
SHA512

b5ea9bd4213ca4504aa215dc6b34fe001e435c86ac84f8c6b46c247970a3084811b3a321d789ddd922dc539020aa773ab96017faabc5579a9c6d9e4daa03addc
SSDEEP

6144:KvMpHU5es68BZ/Fcba3tBIj0wKXapiFSK3VB3udzk46CGjpeC4tOOU1XuuB:lHD+LTdwZKS4+dWs3tODVB

Score

10^/10

gcleaner loader

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1916	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
3760	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
4744	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
436	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
4932	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
3752	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
3036	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
4928	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
4848	5000	WerFault.exe	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe

pid process

5000 5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe

pid	process
5000	5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c485539c2f24f1f8e54102a43c2df53_JaffaCakes118.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 464
2⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 768
2⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 808
2⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 808
2⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 896
2⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 928
2⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1028
2⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1328
2⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 772
2⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5000 -ip 5000
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5000 -ip 5000
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5000 -ip 5000
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5000 -ip 5000
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5000 -ip 5000
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5000 -ip 5000
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5000 -ip 5000
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5000 -ip 5000
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5000 -ip 5000
1⤵
PID:4912

memory/5000-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download