Overview

overview

10

Static

static

3

08b0c8a78a...18.exe

windows7-x64

10

08b0c8a78a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 03:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08b0c8a78a4e6c9d9bfc0f32bb9c5304_JaffaCakes118.exe

  • Size

    294KB

  • MD5

    08b0c8a78a4e6c9d9bfc0f32bb9c5304

  • SHA1

    ac48d930b7a4474d94aa32ec1866c34849f05335

  • SHA256

    d9b6ded9a373ec4acf4b426c4ad5fd318b6a3f8077429e9fe5b27bd66d6b5be6

  • SHA512

    19da1490419f754fc4afe63b7ad985e5fd9563d4b8dc1982d4a1d61feaa7534482ffcb8e73d9bee24095d1ea7248cfb36ea425653cea2a9cf0d1d87656ec53c2

  • SSDEEP

    3072:rqVRhqlyewShRzCBjpWfB7v+6Hcng2EEBviYSyyEmCL5dWc7YWnLH5SnCNeoBNTz:cbfShRWBjiB7WbdEEBHPWPW75SCIwY8

Score
10/10
gcleaneronlyloggerdiscoveryloader

Malware Config

Extracted

Family

gcleaner

C2

ggc-partners.in

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger
  • OnlyLogger payload 5 IoCs
  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\08b0c8a78a4e6c9d9bfc0f32bb9c5304_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\08b0c8a78a4e6c9d9bfc0f32bb9c5304_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 620
      2⤵
      • Program crash
      PID:3732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 640
      2⤵
      • Program crash
      PID:2652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 744
      2⤵
      • Program crash
      PID:3020
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 784
      2⤵
      • Program crash
      PID:1844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 764
      2⤵
      • Program crash
      PID:2232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1072
      2⤵
      • Program crash
      PID:3068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1092
      2⤵
      • Program crash
      PID:4436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 2040
      2⤵
      • Program crash
      PID:5068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 932 -ip 932
    1⤵
      PID:3944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 932 -ip 932
      1⤵
        PID:1712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 932 -ip 932
        1⤵
          PID:852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 932 -ip 932
          1⤵
            PID:3312
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 932 -ip 932
            1⤵
              PID:4236
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 932 -ip 932
              1⤵
                PID:2488
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 932 -ip 932
                1⤵
                  PID:2808
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 932 -ip 932
                  1⤵
                    PID:1440

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/932-1-0x0000000002E80000-0x0000000002F80000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/932-2-0x0000000002E20000-0x0000000002E50000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/932-3-0x0000000000400000-0x0000000000432000-memory.dmp

                    Filesize

                    200KB

                    Download

                  • memory/932-4-0x0000000002E80000-0x0000000002F80000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/932-5-0x0000000002E20000-0x0000000002E50000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/932-6-0x0000000000400000-0x0000000002C80000-memory.dmp

                    Filesize

                    40.5MB

                    Download

                  • memory/932-17-0x0000000000400000-0x0000000002C80000-memory.dmp

                    Filesize

                    40.5MB

                    Download