gcleaner | 794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

590f546423761972e4441b07762457c3_JaffaCakes118.exe
Size

408KB
MD5

590f546423761972e4441b07762457c3
SHA1

190ac7ce94a98fd213b9039db05f1f24fa36dceb
SHA256

794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa
SHA512

3a5e16946e79246ba5973757066c392384dbdcd881f4e68aa881d08e1e6cefed4a77dd87a21e910600e6db3e01b4a65e3cf88b3407b4bb859794eef13f356789
SSDEEP

6144:Ka9zHt2qx/TlV+DwMZ0k3cGLdq+cCZ0iRvQMksFiEbXj1/LYQSwfiMcALqTWbg:bHth5iDwMZNccdqwtFfNL8scALqab

Score

10^/10

gcleaner onlylogger discovery loader

Malware Config

Extracted

Family

gcleaner

ggc-partners.in

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 6 IoCs

resource	yara_rule
behavioral2/memory/852-2-0x00000000001C0000-0x00000000001F0000-memory.dmp	family_onlylogger
behavioral2/memory/852-3-0x0000000000400000-0x0000000000432000-memory.dmp	family_onlylogger
behavioral2/memory/852-5-0x00000000001C0000-0x00000000001F0000-memory.dmp	family_onlylogger
behavioral2/memory/852-6-0x0000000000400000-0x0000000003303000-memory.dmp	family_onlylogger
behavioral2/memory/852-17-0x0000000000400000-0x0000000003303000-memory.dmp	family_onlylogger
behavioral2/memory/852-18-0x0000000000400000-0x0000000003303000-memory.dmp	family_onlylogger

Program crash 9 IoCs

pid	pid_target	Process	procid_target
424	852	WerFault.exe	83
2112	852	WerFault.exe	83
2520	852	WerFault.exe	83
2536	852	WerFault.exe	83
1828	852	WerFault.exe	83
3676	852	WerFault.exe	83
2908	852	WerFault.exe	83
900	852	WerFault.exe	83
1852	852	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	590f546423761972e4441b07762457c3_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\590f546423761972e4441b07762457c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\590f546423761972e4441b07762457c3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 620
  2⤵
  - Program crash
  PID:424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 620
  2⤵
  - Program crash
  PID:2112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 744
  2⤵
  - Program crash
  PID:2520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 788
  2⤵
  - Program crash
  PID:2536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 888
  2⤵
  - Program crash
  PID:1828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1084
  2⤵
  - Program crash
  PID:3676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1132
  2⤵
  - Program crash
  PID:2908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1688
  2⤵
  - Program crash
  PID:900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1896
  2⤵
  - Program crash
  PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 852 -ip 852
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 852 -ip 852
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 852 -ip 852
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 852 -ip 852
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 852 -ip 852
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 852 -ip 852
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 852 -ip 852
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 852 -ip 852
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 852 -ip 852
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-1-0x0000000003460000-0x0000000003560000-memory.dmp

Filesize
1024KB

Download
memory/852-2-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/852-3-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/852-4-0x0000000003460000-0x0000000003560000-memory.dmp

Filesize
1024KB

Download
memory/852-5-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/852-6-0x0000000000400000-0x0000000003303000-memory.dmp

Filesize
47.0MB

Download
memory/852-17-0x0000000000400000-0x0000000003303000-memory.dmp

Filesize
47.0MB

Download
memory/852-18-0x0000000000400000-0x0000000003303000-memory.dmp

Filesize
47.0MB

Download