gcleaner | a7790393710532223b7a1ec48034e0e50a72d5cae2b93bdd6197f78b96184ea8

General

Target

04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
Size

325KB
MD5

04d418f79f96f03e882c0a2cad4be1dd
SHA1

ffed69e865a8bcff66a12a4529dce91edb9829f9
SHA256

a7790393710532223b7a1ec48034e0e50a72d5cae2b93bdd6197f78b96184ea8
SHA512

28a106d0607cced19445c480af76cdb7f3143d9459e97f760d786af0ea2d6d178efd948f6475815ce2e02a5d812f16dd39abfe028f33226869ccfe5a6f124e9b
SSDEEP

6144:x4lypJoCP1r+pEsOcWV61F4LKU9wZrNVfs8V:xBP1KpTO1V616CN2

Score

10^/10

gcleaner onlylogger discovery loader

Malware Config

Extracted

Family

gcleaner

C2

gc-prtnrs.top

gcc-prtnrs.top

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3344-2-0x00000000049D0000-0x00000000049FE000-memory.dmp	family_onlylogger
behavioral2/memory/3344-3-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/3344-6-0x00000000049D0000-0x00000000049FE000-memory.dmp	family_onlylogger
behavioral2/memory/3344-5-0x0000000000400000-0x0000000002C88000-memory.dmp	family_onlylogger
behavioral2/memory/3344-7-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/3344-9-0x0000000000400000-0x0000000002C88000-memory.dmp	family_onlylogger

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5096	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
5072	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
4660	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
2960	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
3676	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
3080	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
2320	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
632	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
4332	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
2356	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
2748	3344	WerFault.exe	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d418f79f96f03e882c0a2cad4be1dd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 460
  2⤵
  - Program crash
  PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 648
  2⤵
  - Program crash
  PID:5072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 648
  2⤵
  - Program crash
  PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 840
  2⤵
  - Program crash
  PID:2960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 948
  2⤵
  - Program crash
  PID:3676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1004
  2⤵
  - Program crash
  PID:3080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 780
  2⤵
  - Program crash
  PID:2320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1212
  2⤵
  - Program crash
  PID:632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1232
  2⤵
  - Program crash
  PID:4332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 820
  2⤵
  - Program crash
  PID:2356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1216
  2⤵
  - Program crash
  PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3344 -ip 3344
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3344 -ip 3344
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3344 -ip 3344
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3344 -ip 3344
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3344 -ip 3344
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3344 -ip 3344
1⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3344 -ip 3344
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3344 -ip 3344
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3344 -ip 3344
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3344 -ip 3344
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3344 -ip 3344
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3344-1-0x0000000002E30000-0x0000000002F30000-memory.dmp

Filesize
1024KB

Download
memory/3344-2-0x00000000049D0000-0x00000000049FE000-memory.dmp

Filesize
184KB

Download
memory/3344-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3344-4-0x0000000002E30000-0x0000000002F30000-memory.dmp

Filesize
1024KB

Download
memory/3344-6-0x00000000049D0000-0x00000000049FE000-memory.dmp

Filesize
184KB

Download
memory/3344-5-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/3344-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3344-9-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download

Analysis

Sharing