Overview

overview

10

Static

static

3

04d418f79f...18.exe

windows7-x64

10

04d418f79f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2024 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe

  • Size

    325KB

  • MD5

    04d418f79f96f03e882c0a2cad4be1dd

  • SHA1

    ffed69e865a8bcff66a12a4529dce91edb9829f9

  • SHA256

    a7790393710532223b7a1ec48034e0e50a72d5cae2b93bdd6197f78b96184ea8

  • SHA512

    28a106d0607cced19445c480af76cdb7f3143d9459e97f760d786af0ea2d6d178efd948f6475815ce2e02a5d812f16dd39abfe028f33226869ccfe5a6f124e9b

  • SSDEEP

    6144:x4lypJoCP1r+pEsOcWV61F4LKU9wZrNVfs8V:xBP1KpTO1V616CN2

Score
10/10
gcleaneronlyloggerdiscoveryloader

Malware Config

Extracted

Family

gcleaner

C2

gc-prtnrs.top

gcc-prtnrs.top

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger
  • OnlyLogger payload 6 IoCs
  • Program crash 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 460
      2⤵
      • Program crash
      PID:5096
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 648
      2⤵
      • Program crash
      PID:5072
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 648
      2⤵
      • Program crash
      PID:4660
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 840
      2⤵
      • Program crash
      PID:2960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 948
      2⤵
      • Program crash
      PID:3676
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1004
      2⤵
      • Program crash
      PID:3080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 780
      2⤵
      • Program crash
      PID:2320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1212
      2⤵
      • Program crash
      PID:632
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1232
      2⤵
      • Program crash
      PID:4332
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 820
      2⤵
      • Program crash
      PID:2356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1216
      2⤵
      • Program crash
      PID:2748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3344 -ip 3344
    1⤵
      PID:2412
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3344 -ip 3344
      1⤵
        PID:3740
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3344 -ip 3344
        1⤵
          PID:220
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3344 -ip 3344
          1⤵
            PID:216
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3344 -ip 3344
            1⤵
              PID:4644
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3344 -ip 3344
              1⤵
                PID:4620
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8
                1⤵
                  PID:552
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3344 -ip 3344
                  1⤵
                    PID:1096
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3344 -ip 3344
                    1⤵
                      PID:1264
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3344 -ip 3344
                      1⤵
                        PID:4828
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3344 -ip 3344
                        1⤵
                          PID:2764
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3344 -ip 3344
                          1⤵
                            PID:632

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/3344-1-0x0000000002E30000-0x0000000002F30000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/3344-2-0x00000000049D0000-0x00000000049FE000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/3344-3-0x0000000000400000-0x0000000000431000-memory.dmp

                            Filesize

                            196KB

                            Download

                          • memory/3344-4-0x0000000002E30000-0x0000000002F30000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/3344-6-0x00000000049D0000-0x00000000049FE000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/3344-5-0x0000000000400000-0x0000000002C88000-memory.dmp

                            Filesize

                            40.5MB

                            Download

                          • memory/3344-7-0x0000000000400000-0x0000000000431000-memory.dmp

                            Filesize

                            196KB

                            Download

                          • memory/3344-9-0x0000000000400000-0x0000000002C88000-memory.dmp

                            Filesize

                            40.5MB

                            Download