gcleaner | a5d14ef9c1b689c9b7a9c5130eb7c148be1266411c2d0fa837073b445ff30737

General

Target

e520d01e184e7af449548149e8f41548_JaffaCakes118.exe
Size

358KB
MD5

e520d01e184e7af449548149e8f41548
SHA1

1450af3099391ae76e78e2546b1a5e01058c28bd
SHA256

a5d14ef9c1b689c9b7a9c5130eb7c148be1266411c2d0fa837073b445ff30737
SHA512

1c1b241ec93f1f923e92b7747cf518b66c81bc7473acb9d46dcbe08a952d9374485a1aa38df0a303be7540ba88f13202954f805b490b88b074f4089f0894f0cc
SSDEEP

6144:SR+KxfBgGjFJ5t/qxVSmWKr8H/qZ7GG0hNT1U/cl98wugh:SRLJJpJK9Ai8GITTfzh

Score

10^/10

gcleaner discovery loader

Malware Config

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	e520d01e184e7af449548149e8f41548_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	iplogger.org
17	iplogger.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4560	716	WerFault.exe	81
32	716	WerFault.exe	81
4436	716	WerFault.exe	81
3416	716	WerFault.exe	81
4260	716	WerFault.exe	81
2324	716	WerFault.exe	81
3896	716	WerFault.exe	81
4812	716	WerFault.exe	81
3080	716	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e520d01e184e7af449548149e8f41548_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3780	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3780	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 3532	716	e520d01e184e7af449548149e8f41548_JaffaCakes118.exe	105
PID 716 wrote to memory of 3532	716	e520d01e184e7af449548149e8f41548_JaffaCakes118.exe	105
PID 716 wrote to memory of 3532	716	e520d01e184e7af449548149e8f41548_JaffaCakes118.exe	105
PID 3532 wrote to memory of 3780	3532	cmd.exe	107
PID 3532 wrote to memory of 3780	3532	cmd.exe	107
PID 3532 wrote to memory of 3780	3532	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\e520d01e184e7af449548149e8f41548_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e520d01e184e7af449548149e8f41548_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 744
  2⤵
  - Program crash
  PID:4560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 764
  2⤵
  - Program crash
  PID:32
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 744
  2⤵
  - Program crash
  PID:4436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 784
  2⤵
  - Program crash
  PID:3416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 904
  2⤵
  - Program crash
  PID:4260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1012
  2⤵
  - Program crash
  PID:2324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1068
  2⤵
  - Program crash
  PID:3896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1620
  2⤵
  - Program crash
  PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1764
  2⤵
  - Program crash
  PID:3080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "e520d01e184e7af449548149e8f41548_JaffaCakes118.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\e520d01e184e7af449548149e8f41548_JaffaCakes118.exe" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "e520d01e184e7af449548149e8f41548_JaffaCakes118.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 716 -ip 716
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 716 -ip 716
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 716 -ip 716
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 716 -ip 716
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 716 -ip 716
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 716 -ip 716
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 716 -ip 716
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 716 -ip 716
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 716 -ip 716
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/716-1-0x00000000033D0000-0x00000000034D0000-memory.dmp

Filesize
1024KB

Download
memory/716-2-0x00000000037F0000-0x0000000003824000-memory.dmp

Filesize
208KB

Download
memory/716-3-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/716-6-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/716-5-0x00000000037F0000-0x0000000003824000-memory.dmp

Filesize
208KB

Download
memory/716-4-0x0000000000400000-0x00000000033AC000-memory.dmp

Filesize
47.7MB

Download

Analysis

Sharing