Malware Analysis Report

2025-01-02 06:43

Sample ID 241125-v9pt8sykex
Target 9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118
SHA256 a90bc226fcaf18a89bad9b0a1a57085ecd055b726b67e3a3964d7da03d244007
Tags
gcleaner onlylogger discovery loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a90bc226fcaf18a89bad9b0a1a57085ecd055b726b67e3a3964d7da03d244007

Threat Level: Known bad

The file 9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gcleaner onlylogger discovery loader

GCleaner

Gcleaner family

OnlyLogger

Onlylogger family

OnlyLogger payload

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 17:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 17:41

Reported

2024-11-25 17:44

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1092

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gc-prtnrs.top udp
US 8.8.8.8:53 gcc-prtnrs.top udp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp

Files

memory/2424-1-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2424-2-0x0000000002200000-0x000000000222E000-memory.dmp

memory/2424-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2424-4-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2424-5-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/2424-6-0x0000000002200000-0x000000000222E000-memory.dmp

memory/2424-7-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2424-9-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 17:41

Reported

2024-11-25 17:44

Platform

win7-20241010-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9cf5b9e7082aeb36e7961916eae05c28_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gc-prtnrs.top udp
US 8.8.8.8:53 gcc-prtnrs.top udp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp
CN 121.41.94.177:80 gcc-prtnrs.top tcp

Files

memory/1820-1-0x0000000000550000-0x0000000000650000-memory.dmp

memory/1820-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1820-2-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/1820-4-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/1820-5-0x0000000000550000-0x0000000000650000-memory.dmp

memory/1820-6-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1820-8-0x0000000000400000-0x00000000004D0000-memory.dmp