gcleaner | a7790393710532223b7a1ec48034e0e50a72d5cae2b93bdd6197f78b96184ea8

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
Size

325KB
MD5

04d418f79f96f03e882c0a2cad4be1dd
SHA1

ffed69e865a8bcff66a12a4529dce91edb9829f9
SHA256

a7790393710532223b7a1ec48034e0e50a72d5cae2b93bdd6197f78b96184ea8
SHA512

28a106d0607cced19445c480af76cdb7f3143d9459e97f760d786af0ea2d6d178efd948f6475815ce2e02a5d812f16dd39abfe028f33226869ccfe5a6f124e9b
SSDEEP

6144:x4lypJoCP1r+pEsOcWV61F4LKU9wZrNVfs8V:xBP1KpTO1V616CN2

Score

10^/10

gcleaner onlylogger discovery loader

Malware Config

Extracted

Family

gcleaner

gc-prtnrs.top

gcc-prtnrs.top

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-2-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral1/memory/1992-3-0x0000000000400000-0x0000000002C88000-memory.dmp	family_onlylogger
behavioral1/memory/1992-5-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral1/memory/1992-6-0x0000000000400000-0x0000000002C88000-memory.dmp	family_onlylogger
behavioral1/memory/1992-8-0x0000000000400000-0x0000000002C88000-memory.dmp	family_onlylogger

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-1-0x0000000002E10000-0x0000000002F10000-memory.dmp

Filesize
1024KB

Download
memory/1992-2-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1992-3-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1992-4-0x0000000002E10000-0x0000000002F10000-memory.dmp

Filesize
1024KB

Download
memory/1992-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1992-6-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1992-8-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download