gcleaner | 43a87fd0bd1c72b0b0ee5460e688c65344677bcb451f90c74bc34b0492ce6159

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe
Size

387KB
MD5

829904d7b9a2352fcb43eb58a986eba3
SHA1

5bd57bdac68fa0d740518e9efe40c983685f462e
SHA256

43a87fd0bd1c72b0b0ee5460e688c65344677bcb451f90c74bc34b0492ce6159
SHA512

b3c87fa4c8d57ae8e6ea1601c8a7beef39e302e51cdfe2d2f5297ef47149ee4ebf248701e34538d1530a655526d9ec93f1851f1abb8145be1bdd52b1a75c1cdf
SSDEEP

12288:ogfusyU6qxYr231b4NZYZoOCPdD6AxJWv4:vfF5YYEOOD6Sf

Score

10^/10

gcleaner onlylogger discovery loader

Malware Config

Extracted

Family

gcleaner

gcleaner.pro

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 5 IoCs

resource	yara_rule
behavioral2/memory/4892-2-0x0000000002CB0000-0x0000000002CFC000-memory.dmp	family_onlylogger
behavioral2/memory/4892-3-0x0000000000400000-0x000000000044F000-memory.dmp	family_onlylogger
behavioral2/memory/4892-6-0x0000000000400000-0x000000000044F000-memory.dmp	family_onlylogger
behavioral2/memory/4892-5-0x0000000002CB0000-0x0000000002CFC000-memory.dmp	family_onlylogger
behavioral2/memory/4892-4-0x0000000000400000-0x0000000002BD7000-memory.dmp	family_onlylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation	829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3068	4892	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1556	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3640	4892	829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe	86
PID 4892 wrote to memory of 3640	4892	829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe	86
PID 4892 wrote to memory of 3640	4892	829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe	86
PID 3640 wrote to memory of 1556	3640	cmd.exe	90
PID 3640 wrote to memory of 1556	3640	cmd.exe	90
PID 3640 wrote to memory of 1556	3640	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "829904d7b9a2352fcb43eb58a986eba3_JaffaCakes118.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1280
  2⤵
  - Program crash
  PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4892 -ip 4892
1⤵
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4892-1-0x0000000002F20000-0x0000000003020000-memory.dmp

Filesize
1024KB

Download
memory/4892-2-0x0000000002CB0000-0x0000000002CFC000-memory.dmp

Filesize
304KB

Download
memory/4892-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4892-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4892-5-0x0000000002CB0000-0x0000000002CFC000-memory.dmp

Filesize
304KB

Download
memory/4892-4-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download