gcleaner | 3a90812055ef0af5675ec83402e35ad35e74f8922bd99e01002ba9f8f760d73a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3659d9af87a662dcd23aa95129a8a18a_JaffaCakes118.exe
Size

302KB
MD5

3659d9af87a662dcd23aa95129a8a18a
SHA1

65c09ed0e94bc1c0753c73b43bee3c038805e942
SHA256

3a90812055ef0af5675ec83402e35ad35e74f8922bd99e01002ba9f8f760d73a
SHA512

18136f1f76b6eb8b2d10ebc28b8a13156abaecf7faf972546d939d4b2b2859b2e29036d7d3ced429586212848a8b27c05536e3b8215d5557a1d44cc5edb04382
SSDEEP

6144:5vpfBGU88YNSSpAMwpTBZTJYr/MZ+5Xol60MXK1vsy:5hpL88YFpaFdzZ+hoLIKN5

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

gcl-page.biz

194.145.227.161

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 5 IoCs

resource	yara_rule
behavioral2/memory/2704-2-0x00000000001C0000-0x00000000001EF000-memory.dmp	family_onlylogger
behavioral2/memory/2704-3-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/2704-4-0x0000000000400000-0x000000000087B000-memory.dmp	family_onlylogger
behavioral2/memory/2704-7-0x00000000001C0000-0x00000000001EF000-memory.dmp	family_onlylogger
behavioral2/memory/2704-9-0x0000000000400000-0x000000000087B000-memory.dmp	family_onlylogger

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3252	2704	WerFault.exe	81
5036	2704	WerFault.exe	81
312	2704	WerFault.exe	81
2804	2704	WerFault.exe	81
3680	2704	WerFault.exe	81
4992	2704	WerFault.exe	81
3668	2704	WerFault.exe	81
2644	2704	WerFault.exe	81
2412	2704	WerFault.exe	81
3980	2704	WerFault.exe	81

C:\Users\Admin\AppData\Local\Temp\3659d9af87a662dcd23aa95129a8a18a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3659d9af87a662dcd23aa95129a8a18a_JaffaCakes118.exe"
1⤵
PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 468
  2⤵
  - Program crash
  PID:3252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 640
  2⤵
  - Program crash
  PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 684
  2⤵
  - Program crash
  PID:312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 796
  2⤵
  - Program crash
  PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 856
  2⤵
  - Program crash
  PID:3680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1060
  2⤵
  - Program crash
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 888
  2⤵
  - Program crash
  PID:3668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1192
  2⤵
  - Program crash
  PID:2644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1216
  2⤵
  - Program crash
  PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 844
  2⤵
  - Program crash
  PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2704 -ip 2704
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2704 -ip 2704
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2704 -ip 2704
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2704 -ip 2704
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2704 -ip 2704
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2704 -ip 2704
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2704 -ip 2704
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2704 -ip 2704
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2704 -ip 2704
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2704 -ip 2704
1⤵
PID:60

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2704-2-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/2704-1-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2704-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2704-4-0x0000000000400000-0x000000000087B000-memory.dmp

Filesize
4.5MB

Download
memory/2704-7-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/2704-6-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2704-9-0x0000000000400000-0x000000000087B000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads