gcleaner | 4e01866db5ec52866e21eac49c4135d62fe712d8b64cee07bd755a2accf0340b

General

Target

6402e1483733ff33c0e0b7e8856d3d50_JaffaCakes118.exe
Size

406KB
MD5

6402e1483733ff33c0e0b7e8856d3d50
SHA1

06eb7e31bae25f0247f0c3b9d4e3cd8fbc529d9b
SHA256

4e01866db5ec52866e21eac49c4135d62fe712d8b64cee07bd755a2accf0340b
SHA512

9de738391757853346d0b709ab7670b2bccaaef59ee91135bc5430145ac79bbae6ad657a01e915c4ddca65c718fc1dd214afc7346290f2f8478ff3bf2d3d444a
SSDEEP

6144:Qgb8zQt6txzTlV+/6I79o5kXlAnRxMSCZ0s6VqEs5NJUwxC8YaDl2HUFli3kLmb:yQtyViSI72El+Rx5DsVhxfuui3kLmb

Score

10^/10

gcleaner onlylogger discovery loader

Malware Config

Extracted

Family

gcleaner

C2

ggc-partners.in

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 5 IoCs

resource	yara_rule
behavioral2/memory/1384-2-0x00000000001C0000-0x00000000001EE000-memory.dmp	family_onlylogger
behavioral2/memory/1384-3-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/1384-5-0x00000000001C0000-0x00000000001EE000-memory.dmp	family_onlylogger
behavioral2/memory/1384-7-0x0000000000400000-0x0000000000431000-memory.dmp	family_onlylogger
behavioral2/memory/1384-6-0x0000000000400000-0x0000000003302000-memory.dmp	family_onlylogger

Program crash 11 IoCs

pid	pid_target	Process	procid_target
3256	1384	WerFault.exe	85
3576	1384	WerFault.exe	85
3276	1384	WerFault.exe	85
4136	1384	WerFault.exe	85
4648	1384	WerFault.exe	85
3844	1384	WerFault.exe	85
1472	1384	WerFault.exe	85
4672	1384	WerFault.exe	85
32	1384	WerFault.exe	85
4880	1384	WerFault.exe	85
4296	1384	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6402e1483733ff33c0e0b7e8856d3d50_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6402e1483733ff33c0e0b7e8856d3d50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6402e1483733ff33c0e0b7e8856d3d50_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 484
  2⤵
  - Program crash
  PID:3256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 652
  2⤵
  - Program crash
  PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 676
  2⤵
  - Program crash
  PID:3276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 832
  2⤵
  - Program crash
  PID:4136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 948
  2⤵
  - Program crash
  PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1064
  2⤵
  - Program crash
  PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1216
  2⤵
  - Program crash
  PID:1472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1256
  2⤵
  - Program crash
  PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1772
  2⤵
  - Program crash
  PID:32
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1452
  2⤵
  - Program crash
  PID:4880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1936
  2⤵
  - Program crash
  PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1384 -ip 1384
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1384 -ip 1384
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1384 -ip 1384
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1384 -ip 1384
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1384 -ip 1384
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1384 -ip 1384
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1384 -ip 1384
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1384 -ip 1384
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1384 -ip 1384
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1384 -ip 1384
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1384 -ip 1384
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-1-0x00000000033B0000-0x00000000034B0000-memory.dmp

Filesize
1024KB

Download
memory/1384-2-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/1384-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1384-4-0x00000000033B0000-0x00000000034B0000-memory.dmp

Filesize
1024KB

Download
memory/1384-5-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/1384-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1384-6-0x0000000000400000-0x0000000003302000-memory.dmp

Filesize
47.0MB

Download

Analysis

Sharing