gcleaner | 83611467088ec8eb70f5a1194ba7e5de4dc080a14653e4b44ef29b6af0947005

General

Target

1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
Size

283KB
MD5

1e1dfd75b188edb3e434a7345419732f
SHA1

2f3cf82c812532fec99ce9a0938c54622c81aa58
SHA256

83611467088ec8eb70f5a1194ba7e5de4dc080a14653e4b44ef29b6af0947005
SHA512

aad4741a29280204035709caf5c9bd17565ae01d066f4c4dfe1959e773882831a8370b706eae73b3a336eaa7d265a630ff8b6c5b49299fa7b39c047d70d5e021
SSDEEP

3072:SV6A8Ct9eaIt5jDTaRO2MyZdckRcifRRJES6fzwjCRd5K1dFnArywoOLi6pW:puSaItBPaRiyfcklvEyq5AnRwoOL3

Score

10^/10

gcleaner onlylogger discovery loader

Malware Config

Extracted

Family

gcleaner

C2

gc-prtnrs.top

gcc-prtnrs.top

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4056-2-0x0000000002D10000-0x0000000002D3E000-memory.dmp	family_onlylogger
behavioral2/memory/4056-3-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/4056-5-0x0000000000400000-0x0000000002C7D000-memory.dmp	family_onlylogger
behavioral2/memory/4056-6-0x0000000002D10000-0x0000000002D3E000-memory.dmp	family_onlylogger
behavioral2/memory/4056-7-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/4056-9-0x0000000000400000-0x0000000002C7D000-memory.dmp	family_onlylogger

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4324	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
4272	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
4816	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
2472	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
1108	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
2000	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
3500	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
1528	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
3340	4056	WerFault.exe	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e1dfd75b188edb3e434a7345419732f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 620
2⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 656
2⤵
- Program crash
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 744
2⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 784
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 844
2⤵
- Program crash
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1088
2⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1088
2⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 872
2⤵
- Program crash
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1092
2⤵
- Program crash
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4056 -ip 4056
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4056 -ip 4056
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4056 -ip 4056
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4056 -ip 4056
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4056 -ip 4056
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4056 -ip 4056
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4056 -ip 4056
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4056 -ip 4056
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4056-1-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/4056-2-0x0000000002D10000-0x0000000002D3E000-memory.dmp

Filesize
184KB

Download
memory/4056-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4056-4-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/4056-5-0x0000000000400000-0x0000000002C7D000-memory.dmp

Filesize
40.5MB

Download
memory/4056-6-0x0000000002D10000-0x0000000002D3E000-memory.dmp

Filesize
184KB

Download
memory/4056-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4056-9-0x0000000000400000-0x0000000002C7D000-memory.dmp

Filesize
40.5MB

Download

Analysis

Sharing