gcleaner | 5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe
Size

4.4MB
MD5

2ab67006fad0b7b4e8fb6496e221a529
SHA1

47f849e72bd7d203755775eebef19e1efa71ee19
SHA256

5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
SHA512

a6ed4b8ae46d5bfdc802054c8ca428500473d29a736e1277c9654c6dfa2ae481a9e5fe0c505e0be0beddc86f880d0212483014968f41e5d93c15190877b16452
SSDEEP

98304:HnGhGTPqSqfA0kWqa+5RmaH9ieepOs6435I58hsNcA5Pa:mBI02a+5gageepOs6435I58hS

Score

10^/10

gcleaner onlylogger socelars discovery loader spyware stealer

Malware Config

Extracted

Family

gcleaner

ggc-partners.in

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2.exe	family_socelars

OnlyLogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1148-288-0x0000000000400000-0x0000000000910000-memory.dmp	family_onlylogger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	5.exe

Executes dropped EXE 11 IoCs

Processes:

Chrome 5.exe1.exe2.exe3.exe4.exe5.exe6.exeBearVpn 3.exe7.exe5.exe8.exe

pid process

1704 Chrome 5.exe
1776 1.exe
4916 2.exe
5052 3.exe
1148 4.exe
3400 5.exe
1996 6.exe
4080 BearVpn 3.exe
4136 7.exe
2808 5.exe
2916 8.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1704	Chrome 5.exe
1776	1.exe
4916	2.exe
5052	3.exe
1148	4.exe
3400	5.exe
1996	6.exe
4080	BearVpn 3.exe
4136	7.exe
2808	5.exe
2916	8.exe

Drops Chrome extension 1 IoCs

Processes:

2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json	2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

6 iplogger.org
7 iplogger.org
9 iplogger.org
11 iplogger.org
23 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in Program Files directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Program Files\Google\Chrome\Application\debug.log chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
6	iplogger.org
7	iplogger.org
9	iplogger.org
11	iplogger.org
23	iplogger.org

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2800	4080	WerFault.exe	BearVpn 3.exe
844	1148	WerFault.exe	4.exe
4240	1148	WerFault.exe	4.exe
2908	1148	WerFault.exe	4.exe
2272	1148	WerFault.exe	4.exe
2324	1148	WerFault.exe	4.exe
4936	1148	WerFault.exe	4.exe
2008	1148	WerFault.exe	4.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5.exeBearVpn 3.execmd.exe2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe2.exe4.exe5.exetaskkill.exexcopy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BearVpn 3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exedwm.exexcopy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3444 taskkill.exe

pid	process
3444	taskkill.exe

Modifies data under HKEY_USERS 36 IoCs

Processes:

dwm.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
4972
2908
2228
4496
2652
4080
1912
4676
100
380
1896
1612
5100
4900
3428
3680
3044
3440
1132
328
1564
640
1476
3788
4084
2316
2636
4576
2568
2880
4232
1248
4412
1288
2096
4236
1088
4652
4980
1856
2368
3408
4112
716
4812
1084
3400
2376
3504
4092
3868
1732
3236
1220
3296
2964
3676
2204
2524
3144
3808
2844
3716
3404

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

2.exe3.exe1.exeBearVpn 3.exe8.exe7.exetaskkill.exedwm.exedwm.exedwm.exedwm.exe

description	pid	process
Token: SeCreateTokenPrivilege	4916	2.exe
Token: SeAssignPrimaryTokenPrivilege	4916	2.exe
Token: SeLockMemoryPrivilege	4916	2.exe
Token: SeIncreaseQuotaPrivilege	4916	2.exe
Token: SeMachineAccountPrivilege	4916	2.exe
Token: SeTcbPrivilege	4916	2.exe
Token: SeSecurityPrivilege	4916	2.exe
Token: SeTakeOwnershipPrivilege	4916	2.exe
Token: SeLoadDriverPrivilege	4916	2.exe
Token: SeSystemProfilePrivilege	4916	2.exe
Token: SeSystemtimePrivilege	4916	2.exe
Token: SeProfSingleProcessPrivilege	4916	2.exe
Token: SeIncBasePriorityPrivilege	4916	2.exe
Token: SeCreatePagefilePrivilege	4916	2.exe
Token: SeCreatePermanentPrivilege	4916	2.exe
Token: SeBackupPrivilege	4916	2.exe
Token: SeRestorePrivilege	4916	2.exe
Token: SeShutdownPrivilege	4916	2.exe
Token: SeDebugPrivilege	4916	2.exe
Token: SeAuditPrivilege	4916	2.exe
Token: SeSystemEnvironmentPrivilege	4916	2.exe
Token: SeChangeNotifyPrivilege	4916	2.exe
Token: SeRemoteShutdownPrivilege	4916	2.exe
Token: SeUndockPrivilege	4916	2.exe
Token: SeSyncAgentPrivilege	4916	2.exe
Token: SeEnableDelegationPrivilege	4916	2.exe
Token: SeManageVolumePrivilege	4916	2.exe
Token: SeImpersonatePrivilege	4916	2.exe
Token: SeCreateGlobalPrivilege	4916	2.exe
Token: 31	4916	2.exe
Token: 32	4916	2.exe
Token: 33	4916	2.exe
Token: 34	4916	2.exe
Token: 35	4916	2.exe
Token: SeDebugPrivilege	5052	3.exe
Token: SeDebugPrivilege	1776	1.exe
Token: SeDebugPrivilege	4080	BearVpn 3.exe
Token: SeDebugPrivilege	2916	8.exe
Token: SeDebugPrivilege	4136	7.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeCreateGlobalPrivilege	5088	dwm.exe
Token: SeChangeNotifyPrivilege	5088	dwm.exe
Token: 33	5088	dwm.exe
Token: SeIncBasePriorityPrivilege	5088	dwm.exe
Token: SeCreateGlobalPrivilege	2068	dwm.exe
Token: SeChangeNotifyPrivilege	2068	dwm.exe
Token: 33	2068	dwm.exe
Token: SeIncBasePriorityPrivilege	2068	dwm.exe
Token: SeCreateGlobalPrivilege	3444	dwm.exe
Token: SeChangeNotifyPrivilege	3444	dwm.exe
Token: 33	3444	dwm.exe
Token: SeIncBasePriorityPrivilege	3444	dwm.exe
Token: SeCreateGlobalPrivilege	1008	dwm.exe
Token: SeChangeNotifyPrivilege	1008	dwm.exe
Token: 33	1008	dwm.exe
Token: SeIncBasePriorityPrivilege	1008	dwm.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe5.exe2.execmd.exechrome.exe

description	pid	process	target process
PID 1968 wrote to memory of 1704	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	Chrome 5.exe
PID 1968 wrote to memory of 1704	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	Chrome 5.exe
PID 1968 wrote to memory of 1776	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	1.exe
PID 1968 wrote to memory of 1776	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	1.exe
PID 1968 wrote to memory of 4916	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	2.exe
PID 1968 wrote to memory of 4916	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	2.exe
PID 1968 wrote to memory of 4916	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	2.exe
PID 1968 wrote to memory of 5052	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	3.exe
PID 1968 wrote to memory of 5052	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	3.exe
PID 1968 wrote to memory of 1148	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	4.exe
PID 1968 wrote to memory of 1148	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	4.exe
PID 1968 wrote to memory of 1148	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	4.exe
PID 1968 wrote to memory of 3400	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	5.exe
PID 1968 wrote to memory of 3400	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	5.exe
PID 1968 wrote to memory of 3400	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	5.exe
PID 1968 wrote to memory of 1996	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	6.exe
PID 1968 wrote to memory of 1996	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	6.exe
PID 1968 wrote to memory of 4080	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	BearVpn 3.exe
PID 1968 wrote to memory of 4080	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	BearVpn 3.exe
PID 1968 wrote to memory of 4080	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	BearVpn 3.exe
PID 1968 wrote to memory of 4136	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	7.exe
PID 1968 wrote to memory of 4136	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	7.exe
PID 3400 wrote to memory of 2808	3400	5.exe	5.exe
PID 3400 wrote to memory of 2808	3400	5.exe	5.exe
PID 3400 wrote to memory of 2808	3400	5.exe	5.exe
PID 1968 wrote to memory of 2916	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	8.exe
PID 1968 wrote to memory of 2916	1968	2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe	8.exe
PID 4916 wrote to memory of 1628	4916	2.exe	cmd.exe
PID 4916 wrote to memory of 1628	4916	2.exe	cmd.exe
PID 4916 wrote to memory of 1628	4916	2.exe	cmd.exe
PID 1628 wrote to memory of 3444	1628	cmd.exe	dwm.exe
PID 1628 wrote to memory of 3444	1628	cmd.exe	dwm.exe
PID 1628 wrote to memory of 3444	1628	cmd.exe	dwm.exe
PID 4916 wrote to memory of 4384	4916	2.exe	xcopy.exe
PID 4916 wrote to memory of 4384	4916	2.exe	xcopy.exe
PID 4916 wrote to memory of 4384	4916	2.exe	xcopy.exe
PID 4916 wrote to memory of 3236	4916	2.exe	chrome.exe
PID 4916 wrote to memory of 3236	4916	2.exe	chrome.exe
PID 3236 wrote to memory of 2196	3236	chrome.exe	chrome.exe
PID 3236 wrote to memory of 2196	3236	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
2⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd860fcc40,0x7ffd860fcc4c,0x7ffd860fcc58
4⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 624
3⤵
- Program crash
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 632
3⤵
- Program crash
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 756
3⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 780
3⤵
- Program crash
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 832
3⤵
- Program crash
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 908
3⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1256
3⤵
- Program crash
PID:2008

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe" -a
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
2⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1684
3⤵
- Program crash
PID:2800

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4080 -ip 4080
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1148 -ip 1148
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1148 -ip 1148
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1148 -ip 1148
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1148 -ip 1148
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1148 -ip 1148
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1148 -ip 1148
1⤵
PID:4048

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1148 -ip 1148
1⤵
PID:4788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3312

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3464

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1628

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1808

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
ba6b120e1ef1f622818f117ce8f543e4

SHA1
2cdb0dde23dc940b71e2bd73093e9c3f96d18b35

SHA256
f68bd747359e60f8c3dcd236aaba0cd48fda4b6d4dd369835e874eb6f346f609

SHA512
c30a39bfec22cd22709466c43256a03e43cd6fcb0c1995cfb25ccc1ba4192f2e4019ccf448c787e07db180df39d9e0ee94c3da0b0bfeda69054992e653a65689

Download Submit
C:\Users\Admin\AppData\Local\Module_Art\7.exe_Url_thzg1wxz05m0mfarelentuphoh3agof2\1.2.1.0\jse31v4t.newcfg

Filesize
1KB

MD5
d71a12b7aa02592b03878877eb133425

SHA1
899c5404464c3efed66534207d0245e0cf050488

SHA256
b44c3fa39198be28e0e723fd458eae31a5f05041926917fe11e2b265aa0cbee4

SHA512
ae0733fe01b479f4ad291ac1180ae9f9b5833fa072001c40728d9f26d4aa9e94ec0239432df16cad35c2675b41d58c6e599fbd0dbc1354d297ab8bca30cd4441

Download Submit
C:\Users\Admin\AppData\Local\Module_Art\7.exe_Url_thzg1wxz05m0mfarelentuphoh3agof2\1.2.1.0\user.config

Filesize
842B

MD5
1b02b89ab3872d00c6a46cb4a7048dc9

SHA1
0840aefbbe40a00d7290d32ce8243de3cf98339e

SHA256
ac8517efbed88850a40943fbd667d9a06f6a156f0031109f59b4ca821aa22fd4

SHA512
0eeee6c2cf1eaa11d561ba17ed65caf97e069b5ccbf7420c3ae4bf88859f1273034a600da91620411b12cd3241dcfabdc8d4ddd58218f2781254ac6ccf1fa419

Download Submit
C:\Users\Admin\AppData\Local\Module_Art\7.exe_Url_thzg1wxz05m0mfarelentuphoh3agof2\1.2.1.0\user.config

Filesize
964B

MD5
8e18625cd36f0075da4bf0ce8fac8204

SHA1
0df80ad1c5ea9bddcb5cfcf2c60c6fb3db903216

SHA256
35799f5570b76aa51478e74ea9d1c42b39be157c3953a2b44047dd3ed2e629b1

SHA512
74d8be6cddfc1c13acb30c18752d93ef8d57348b8b29220914ecb126ae8459318dd150b2f51299870119bdb6483f35417baa988c688f0f621512c5a47e227c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
178KB

MD5
41991f83e362a3deb76ac8113f057012

SHA1
19f26c609bd9ea85e6f51284857c0be3601fb847

SHA256
e71969fd2ce59cd4dae96e6e844803629fae4fa749c48824cd560d2606e28899

SHA512
c94f529ab1164a08816d72ed4131488307eaa181b8be9290866c2dd899b49a404779e43909862e5d4774f85041b629d8642eeedb69ca594e812eb556714e463e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.4MB

MD5
fb5ee4c6d208ccf26bb93b4f868475b9

SHA1
9f1eff363fbe71c895c76502ecaa33fe8e078383

SHA256
614f6b18d9a64fba2adad94f376716845ae96ea6507952ea94027093184ae376

SHA512
8bcdde4614dee6be3c76d77cc598e654c6993d7e6ec1990ff8c8c6c0a91ee9d5c50f0be21c35570d746408be50d33ebef766318bfcd14e86e941662180c41f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
8KB

MD5
9323e70f1f2169ed31a1b3f130804833

SHA1
d9a5fea3bdd54d4509f6228fa32c7164e864df66

SHA256
6fe7d70e9a5c92dac044cf54d080b64ec4fcbc08ea405e84533f74ced0e0400e

SHA512
fe9a4868f32a447fc757fef9753c049d2fc2af7fa47eee398b12813ece7d8414f493cba8c0f05454030e4b434aa7d06886be8e079cda460b05d925f03dbc6807

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
357KB

MD5
4cb45ecf88e52581f5f3c686bcd1a636

SHA1
4140f1d875473701b15aa37193783384db264ea7

SHA256
944816173e25c3a57db52f1f19ce79b0ccb323a2e4129f3e96bfc3c537034360

SHA512
3b10318e57c04ef89f8c578891dc5a67ae648bcc1cf39b00b70822bc29d8c050191184a03ae070c98e5c01554945a1766307299b3d9b3a1258e8ef82336b7676

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
56KB

MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
900KB

MD5
a3e75b6fda5826af709b5e488e7cd9e7

SHA1
2fce3251b18ff02a06083aa8a037def64a604a78

SHA256
8fa23d5fe37e7e0aed12a8917dfb43c186d26771a70c3afcc2f8a540df7b1b46

SHA512
6d1f37799f510a0e7fc6bf19a13425aa1225754d654dbc20c84a147161c03d63d5acf9cb7603c22c7533d5ab060ddc12c4c45d4e238f4368e8504514416efc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
1.5MB

MD5
bb1f95fe5f242faf116e1444edd0ae91

SHA1
42eeab7de61671335a556b665210fcf7128dbae2

SHA256
d4396c5a2cf719e160a8da15d3988bcce30642b018ae5a90b4e21575f9961694

SHA512
22a0d3b8bc24144a5bdc6f83310b9143388f5d2603a7642a081364317f88485cc84f83098fa07280e2d6dcc54e5f7a81a4f6ed5dee1465bd48c8bb3ffcbbf107

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
8KB

MD5
a4e4e2aa12867c6d5998641794aed8d5

SHA1
40af2de01ee3f820f29281c61c570e349fe81d35

SHA256
b2ab671fa85e9be643f4154be4cfb363998b10c0e74a160c09fb24eff49d0368

SHA512
8c629b0aceb3ad4db789a5945cf092b157878d2eeb87652e3e30adc019a357986bcbc9b23294205803da8a7212c0baa0316b0f38eae78cee77fe66f5da8a8391

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe

Filesize
6KB

MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
9a31b075da019ddc9903f13f81390688

SHA1
d5ed5d518c8aad84762b03f240d90a2d5d9d99d3

SHA256
95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1

SHA512
a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
memory/1148-288-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/1704-17-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1704-16-0x00007FFD6EC43000-0x00007FFD6EC45000-memory.dmp

Filesize
8KB

Download
memory/1776-128-0x00007FFD6EC40000-0x00007FFD6F701000-memory.dmp

Filesize
10.8MB

Download
memory/1776-39-0x0000000001170000-0x0000000001176000-memory.dmp

Filesize
24KB

Download
memory/1776-51-0x0000000001430000-0x0000000001452000-memory.dmp

Filesize
136KB

Download
memory/1776-71-0x00007FFD6EC40000-0x00007FFD6F701000-memory.dmp

Filesize
10.8MB

Download
memory/1776-27-0x0000000000AA0000-0x0000000000AD2000-memory.dmp

Filesize
200KB

Download
memory/1776-47-0x00007FFD6EC40000-0x00007FFD6F701000-memory.dmp

Filesize
10.8MB

Download
memory/1776-60-0x0000000001180000-0x0000000001186000-memory.dmp

Filesize
24KB

Download
memory/1968-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/1968-1-0x0000000000F50000-0x00000000013C0000-memory.dmp

Filesize
4.4MB

Download
memory/1996-287-0x00007FFD8BA10000-0x00007FFD8BAB9000-memory.dmp

Filesize
676KB

Download
memory/2916-124-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/4080-97-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/4136-132-0x00000191F1D70000-0x00000191F1DF4000-memory.dmp

Filesize
528KB

Download
memory/4136-119-0x00000191EF160000-0x00000191EF170000-memory.dmp

Filesize
64KB

Download
memory/4136-117-0x00000191EEBC0000-0x00000191EED48000-memory.dmp

Filesize
1.5MB

Download
memory/4136-289-0x00000191F14E0000-0x00000191F1689000-memory.dmp

Filesize
1.7MB

Download
memory/4136-291-0x00000191F14E0000-0x00000191F1689000-memory.dmp

Filesize
1.7MB

Download
memory/5052-53-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download