gcleaner | 0b93596a5112d24596d6ee0b833f327c5f889290b2cfb1f17102f4bd6fb88020 | Triage

Sharing

General

Target

6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118
Size

590KB
Sample

240523-h8exeshd7w
MD5

6a2ef567582a9f9608e4d07a6d0676ae
SHA1

a9eb76a0f75413913259f0bf8b1e72830887a123
SHA256

0b93596a5112d24596d6ee0b833f327c5f889290b2cfb1f17102f4bd6fb88020
SHA512

560308a26d123eb59b1a465821fc7b4a278c6e91db73db9aae6e41643d8d20093efab5a88a17b9e583f5c0b28c331025b864b799e0059b5b2efa1e5f96be936b
SSDEEP

12288:thZva7SM72W1Va8a3i0HzTMynlpDM08OUrsTC9iNf:fZva7SM7Wi0TTxlS3GC9If

Score

10^/10

gcleaner loader

Malware Config

Targets

- Target
  
  6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118
- Size
  
  590KB
- MD5
  
  6a2ef567582a9f9608e4d07a6d0676ae
- SHA1
  
  a9eb76a0f75413913259f0bf8b1e72830887a123
- SHA256
  
  0b93596a5112d24596d6ee0b833f327c5f889290b2cfb1f17102f4bd6fb88020
- SHA512
  
  560308a26d123eb59b1a465821fc7b4a278c6e91db73db9aae6e41643d8d20093efab5a88a17b9e583f5c0b28c331025b864b799e0059b5b2efa1e5f96be936b
- SSDEEP
  
  12288:thZva7SM72W1Va8a3i0HzTMynlpDM08OUrsTC9iNf:fZva7SM7Wi0TTxlS3GC9If
Score

10^/10

gcleaner loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2