gcleaner | 794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa

General

Target

590f546423761972e4441b07762457c3_JaffaCakes118.exe
Size

408KB
MD5

590f546423761972e4441b07762457c3
SHA1

190ac7ce94a98fd213b9039db05f1f24fa36dceb
SHA256

794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa
SHA512

3a5e16946e79246ba5973757066c392384dbdcd881f4e68aa881d08e1e6cefed4a77dd87a21e910600e6db3e01b4a65e3cf88b3407b4bb859794eef13f356789
SSDEEP

6144:Ka9zHt2qx/TlV+DwMZ0k3cGLdq+cCZ0iRvQMksFiEbXj1/LYQSwfiMcALqTWbg:bHth5iDwMZNccdqwtFfNL8scALqab

Score

10^/10

gcleaner onlylogger discovery loader

Malware Config

Extracted

Family

gcleaner

C2

ggc-partners.in

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/852-2-0x00000000001C0000-0x00000000001F0000-memory.dmp	family_onlylogger
behavioral2/memory/852-3-0x0000000000400000-0x0000000000432000-memory.dmp	family_onlylogger
behavioral2/memory/852-5-0x00000000001C0000-0x00000000001F0000-memory.dmp	family_onlylogger
behavioral2/memory/852-6-0x0000000000400000-0x0000000003303000-memory.dmp	family_onlylogger
behavioral2/memory/852-17-0x0000000000400000-0x0000000003303000-memory.dmp	family_onlylogger
behavioral2/memory/852-18-0x0000000000400000-0x0000000003303000-memory.dmp	family_onlylogger

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
424	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe
2112	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe
2520	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe
2536	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe
1828	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe
3676	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe
2908	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe
900	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe
1852	852	WerFault.exe	590f546423761972e4441b07762457c3_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

590f546423761972e4441b07762457c3_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 590f546423761972e4441b07762457c3_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	590f546423761972e4441b07762457c3_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\590f546423761972e4441b07762457c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\590f546423761972e4441b07762457c3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 620
2⤵
- Program crash
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 620
2⤵
- Program crash
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 744
2⤵
- Program crash
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 788
2⤵
- Program crash
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 888
2⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1084
2⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1132
2⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1688
2⤵
- Program crash
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1896
2⤵
- Program crash
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 852 -ip 852
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 852 -ip 852
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 852 -ip 852
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 852 -ip 852
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 852 -ip 852
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 852 -ip 852
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 852 -ip 852
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 852 -ip 852
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 852 -ip 852
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-1-0x0000000003460000-0x0000000003560000-memory.dmp

Filesize
1024KB

Download
memory/852-2-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/852-3-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/852-4-0x0000000003460000-0x0000000003560000-memory.dmp

Filesize
1024KB

Download
memory/852-5-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/852-6-0x0000000000400000-0x0000000003303000-memory.dmp

Filesize
47.0MB

Download
memory/852-17-0x0000000000400000-0x0000000003303000-memory.dmp

Filesize
47.0MB

Download
memory/852-18-0x0000000000400000-0x0000000003303000-memory.dmp

Filesize
47.0MB

Download

Analysis

Sharing