Analysis

  • max time kernel
    140s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/08/2024, 06:00 UTC

General

  • Target

    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe

  • Size

    284KB

  • MD5

    9d3512c1635a67cfc4dd87c7a12e361f

  • SHA1

    932277e69ee648aafdacadf9bdca4f1246f9ca46

  • SHA256

    6c3a498158b5c884210afb416d669bf6cdec59363d36fbef4ef9dec891dba8de

  • SHA512

    d996928a601a079a1d0dd1f4586b4ed87f6ba14af56f3d7cc06346bea4f62600dc13d17f8807d2b1c6e15a28ac84ef21c563075dd3de41bdee0b02d4b59e0f1d

  • SSDEEP

    6144:ANH6qwy0iixyYE/92YR3zB80j7eWrpRx27/U:AYdXZxy6YR3zKSx27

Malware Config

Extracted

Family

gcleaner

C2

gcl-page.biz

194.145.227.161

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

  • OnlyLogger payload 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1712

Network

  • flag-us
    DNS
    gcl-page.biz
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    gcl-page.biz
    IN A
    Response
    gcl-page.biz
    IN A
    15.197.192.55
  • flag-us
    GET
    http://gcl-page.biz/check.php?pub=mixazed
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    Remote address:
    15.197.192.55:80
    Request
    GET /check.php?pub=mixazed HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: 8C-KF-sG-sQ-H-A
    Host: gcl-page.biz
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Fri, 16 Aug 2024 06:00:16 GMT
    Content-Type: text/html
    Content-Length: 126
    Connection: keep-alive
  • flag-us
    GET
    http://gcl-page.biz/stats/save.php?pub=mixazed&reason=0
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    Remote address:
    15.197.192.55:80
    Request
    GET /stats/save.php?pub=mixazed&reason=0 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: 8C-KF-sG-sQ-H-A
    Host: gcl-page.biz
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Fri, 16 Aug 2024 06:00:17 GMT
    Content-Type: text/html
    Content-Length: 135
    Connection: keep-alive
  • 15.197.192.55:80
    http://gcl-page.biz/stats/save.php?pub=mixazed&reason=0
    http
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    612 B
    1.1kB
    6
    6

    HTTP Request

    GET http://gcl-page.biz/check.php?pub=mixazed

    HTTP Response

    200

    HTTP Request

    GET http://gcl-page.biz/stats/save.php?pub=mixazed&reason=0

    HTTP Response

    200
  • 194.145.227.161:80
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    152 B
    3
  • 194.145.227.161:80
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    152 B
    3
  • 194.145.227.161:80
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    152 B
    3
  • 194.145.227.161:80
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    152 B
    3
  • 194.145.227.161:80
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    152 B
    3
  • 194.145.227.161:80
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    152 B
    3
  • 194.145.227.161:80
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    152 B
    3
  • 8.8.8.8:53
    gcl-page.biz
    dns
    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    58 B
    74 B
    1
    1

    DNS Request

    gcl-page.biz

    DNS Response

    15.197.192.55

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1712-1-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

  • memory/1712-2-0x0000000000220000-0x000000000024F000-memory.dmp

    Filesize

    188KB

  • memory/1712-3-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

  • memory/1712-4-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

  • memory/1712-5-0x0000000000220000-0x000000000024F000-memory.dmp

    Filesize

    188KB

  • memory/1712-7-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

  • memory/1712-6-0x0000000000400000-0x0000000000876000-memory.dmp

    Filesize

    4.5MB
