gcleaner | 3fba70cac321a434f3eb509f38e80919a6e43c86e964737f91ad416bec297933

General

Target

2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
Size

325KB
MD5

2c2b18b625f46b2c92b1df8c7a0634e5
SHA1

d1a9f577d7808a399e1226fd88984ef4e107ae50
SHA256

3fba70cac321a434f3eb509f38e80919a6e43c86e964737f91ad416bec297933
SHA512

ecc5815b3c3c3d2443f44c55010ccd52a344448188113943e632def78fe40c342a1dac2a897f795131904c04d773fa2e9513336906df645c82668a26b113e27b
SSDEEP

6144:w63+o2J9uflgvvBASV0F3jPZpW+3Ttu+/LKUZrNVfs8V:1+o2PuflYASKFztuIN2

Score

10^/10

gcleaner onlylogger discovery loader

Malware Config

Extracted

Family

gcleaner

C2

gc-prtnrs.top

gcc-prtnrs.top

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4784-2-0x00000000016D0000-0x00000000016FE000-memory.dmp	family_onlylogger
behavioral2/memory/4784-3-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/4784-6-0x00000000016D0000-0x00000000016FE000-memory.dmp	family_onlylogger
behavioral2/memory/4784-5-0x0000000000400000-0x0000000001423000-memory.dmp	family_onlylogger
behavioral2/memory/4784-7-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/4784-9-0x0000000000400000-0x0000000001423000-memory.dmp	family_onlylogger

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2924	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
4852	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
5080	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
1900	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
2236	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
3132	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
3380	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
1432	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
2192	4784	WerFault.exe	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c2b18b625f46b2c92b1df8c7a0634e5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 620
  2⤵
  - Program crash
  PID:2924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 656
  2⤵
  - Program crash
  PID:4852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 784
  2⤵
  - Program crash
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 784
  2⤵
  - Program crash
  PID:1900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 768
  2⤵
  - Program crash
  PID:2236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1088
  2⤵
  - Program crash
  PID:3132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1140
  2⤵
  - Program crash
  PID:3380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 656
  2⤵
  - Program crash
  PID:1432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1092
  2⤵
  - Program crash
  PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4784 -ip 4784
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4784 -ip 4784
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4784 -ip 4784
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4784 -ip 4784
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4784 -ip 4784
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4784 -ip 4784
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4784 -ip 4784
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4784 -ip 4784
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4784-1-0x0000000001710000-0x0000000001810000-memory.dmp

Filesize
1024KB

Download
memory/4784-2-0x00000000016D0000-0x00000000016FE000-memory.dmp

Filesize
184KB

Download
memory/4784-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4784-4-0x0000000001710000-0x0000000001810000-memory.dmp

Filesize
1024KB

Download
memory/4784-6-0x00000000016D0000-0x00000000016FE000-memory.dmp

Filesize
184KB

Download
memory/4784-5-0x0000000000400000-0x0000000001423000-memory.dmp

Filesize
16.1MB

Download
memory/4784-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4784-9-0x0000000000400000-0x0000000001423000-memory.dmp

Filesize
16.1MB

Download

Analysis

Sharing