Overview

overview

10

Static

static

3

9d3512c163...18.exe

windows7-x64

10

9d3512c163...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-08-2024 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe

  • Size

    284KB

  • MD5

    9d3512c1635a67cfc4dd87c7a12e361f

  • SHA1

    932277e69ee648aafdacadf9bdca4f1246f9ca46

  • SHA256

    6c3a498158b5c884210afb416d669bf6cdec59363d36fbef4ef9dec891dba8de

  • SHA512

    d996928a601a079a1d0dd1f4586b4ed87f6ba14af56f3d7cc06346bea4f62600dc13d17f8807d2b1c6e15a28ac84ef21c563075dd3de41bdee0b02d4b59e0f1d

  • SSDEEP

    6144:ANH6qwy0iixyYE/92YR3zB80j7eWrpRx27/U:AYdXZxy6YR3zKSx27

Score
10/10
gcleaneronlyloggerdiscoveryloader

Malware Config

Extracted

Family

gcleaner

C2

gcl-page.biz

194.145.227.161

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger
  • OnlyLogger payload 5 IoCs
  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9d3512c1635a67cfc4dd87c7a12e361f_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4780
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 624
      2⤵
      • Program crash
      PID:4324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 628
      2⤵
      • Program crash
      PID:3348
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 744
      2⤵
      • Program crash
      PID:1508
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 764
      2⤵
      • Program crash
      PID:3160
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 916
      2⤵
      • Program crash
      PID:4832
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1072
      2⤵
      • Program crash
      PID:4388
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1120
      2⤵
      • Program crash
      PID:772
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1076
      2⤵
      • Program crash
      PID:4828
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4780 -ip 4780
    1⤵
      PID:2896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4780 -ip 4780
      1⤵
        PID:1252
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4780 -ip 4780
        1⤵
          PID:2480
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4780 -ip 4780
          1⤵
            PID:3988
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4780 -ip 4780
            1⤵
              PID:3096
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4780 -ip 4780
              1⤵
                PID:4616
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4780 -ip 4780
                1⤵
                  PID:4844
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4780 -ip 4780
                  1⤵
                    PID:4384

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/4780-1-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/4780-2-0x00000000001C0000-0x00000000001EF000-memory.dmp

                    Filesize

                    188KB

                    Download

                  • memory/4780-3-0x0000000000400000-0x0000000000431000-memory.dmp

                    Filesize

                    196KB

                    Download

                  • memory/4780-4-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/4780-5-0x00000000001C0000-0x00000000001EF000-memory.dmp

                    Filesize

                    188KB

                    Download

                  • memory/4780-7-0x0000000000400000-0x0000000000431000-memory.dmp

                    Filesize

                    196KB

                    Download

                  • memory/4780-6-0x0000000000400000-0x0000000000876000-memory.dmp

                    Filesize

                    4.5MB

                    Download