gcleaner | 0b93596a5112d24596d6ee0b833f327c5f889290b2cfb1f17102f4bd6fb88020

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe
Size

590KB
MD5

6a2ef567582a9f9608e4d07a6d0676ae
SHA1

a9eb76a0f75413913259f0bf8b1e72830887a123
SHA256

0b93596a5112d24596d6ee0b833f327c5f889290b2cfb1f17102f4bd6fb88020
SHA512

560308a26d123eb59b1a465821fc7b4a278c6e91db73db9aae6e41643d8d20093efab5a88a17b9e583f5c0b28c331025b864b799e0059b5b2efa1e5f96be936b
SSDEEP

12288:thZva7SM72W1Va8a3i0HzTMynlpDM08OUrsTC9iNf:fZva7SM7Wi0TTxlS3GC9If

Score

10^/10

gcleaner loader

Malware Config

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

31 iplogger.org
33 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4888 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4888 taskkill.exe

flow	ioc
31	iplogger.org
33	iplogger.org

flow	ioc
38	freegeoip.app

pid	process
4888	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4888	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 804 wrote to memory of 4212	804	6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe	cmd.exe
PID 804 wrote to memory of 4212	804	6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe	cmd.exe
PID 804 wrote to memory of 4212	804	6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe	cmd.exe
PID 4212 wrote to memory of 4888	4212	cmd.exe	taskkill.exe
PID 4212 wrote to memory of 4888	4212	cmd.exe	taskkill.exe
PID 4212 wrote to memory of 4888	4212	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/804-1-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/804-3-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/804-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download