gcleaner | 61d7be6bb79af781ef912f5750f88a76ebf6ab0debd57213860b76508fbc8226 | Triage

Submit
Reports

Overview

overview

Static

static

3

32d712e49d...18.exe

windows7-x64

32d712e49d...18.exe

windows10-2004-x64

Sharing

General

Target

32d712e49d20b4a084ce8a0ece18b495_JaffaCakes118
Size

454KB
Sample

241011-clarasvfqq
MD5

32d712e49d20b4a084ce8a0ece18b495
SHA1

1edd625d0cf072a38d0b21a4a73c8e00e2d1c2bb
SHA256

61d7be6bb79af781ef912f5750f88a76ebf6ab0debd57213860b76508fbc8226
SHA512

77820b59b0b2361e823ce74735ac442f9ea3af60347e1a8436c8365054a199954e4293eebcfcf2b16622576b673d6d48bce0bec85804f0c6b945e530c0bb486d
SSDEEP

6144:gxiiALtsCxdenfDpdXCeoA+MXIryHUZBOl3TqyKrB9gHQlOPpzt0nPF:AALtnbQdXC9Lry0YFE9v

Score

10^/10

gcleaner discovery loader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

32d712e49d20b4a084ce8a0ece18b495_JaffaCakes118.exe

Resource

win7-20240903-en

gcleaner discovery loader

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

32d712e49d20b4a084ce8a0ece18b495_JaffaCakes118.exe

Resource

win10v2004-20241007-en

gcleaner discovery loader

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  32d712e49d20b4a084ce8a0ece18b495_JaffaCakes118
- Size
  
  454KB
- MD5
  
  32d712e49d20b4a084ce8a0ece18b495
- SHA1
  
  1edd625d0cf072a38d0b21a4a73c8e00e2d1c2bb
- SHA256
  
  61d7be6bb79af781ef912f5750f88a76ebf6ab0debd57213860b76508fbc8226
- SHA512
  
  77820b59b0b2361e823ce74735ac442f9ea3af60347e1a8436c8365054a199954e4293eebcfcf2b16622576b673d6d48bce0bec85804f0c6b945e530c0bb486d
- SSDEEP
  
  6144:gxiiALtsCxdenfDpdXCeoA+MXIryHUZBOl3TqyKrB9gHQlOPpzt0nPF:AALtnbQdXC9Lry0YFE9v
Score

10^/10

gcleaner discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdiscoveryloader

behavioral2

gcleanerdiscoveryloader

© 2018-2025

Terms | Privacy