Malware Analysis Report

2025-01-02 06:44

Sample ID 241127-svedvavqgp
Target a880920e6a94db56230f0126320a8f80_JaffaCakes118
SHA256 6656afb1a5661a3ffca441f82e358ef88332a68418373c20be3dc7cdb681976f
Tags
gcleaner onlylogger discovery loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6656afb1a5661a3ffca441f82e358ef88332a68418373c20be3dc7cdb681976f

Threat Level: Known bad

The file a880920e6a94db56230f0126320a8f80_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gcleaner onlylogger discovery loader

GCleaner

Gcleaner family

Onlylogger family

OnlyLogger

OnlyLogger payload

Creates a large amount of network flows

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

MITRE ATT&CK

Enterprise Matrix V15

Discovery: System Location Discovery: System Language Discovery (T1614.001). Mapped from the NLS\Language registry key read recorded in both behavioral runs below; no other techniques were mapped.

Analysis: static1

Detonation Overview

Reported

2024-11-27 15:26

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator, process or target details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 15:26

Reported

2024-11-27 15:29

Platform

win7-20240903-en

Max time kernel

16s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
(no indicator, process or target details recorded for the five family and payload signatures above)

Creates a large amount of network flows

discovery

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ggc-partners.info udp
US 8.8.8.8:53 cleaner-partners.top udp

Files

memory/2476-1-0x00000000009B0000-0x0000000000AB0000-memory.dmp

memory/2476-2-0x00000000002C0000-0x00000000002EF000-memory.dmp

memory/2476-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2476-4-0x00000000009B0000-0x0000000000AB0000-memory.dmp

memory/2476-5-0x00000000002C0000-0x00000000002EF000-memory.dmp

memory/2476-7-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2476-6-0x0000000000400000-0x0000000000912000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 15:26

Reported

2024-11-27 15:29

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
(no indicator, process or target details recorded for the five family and payload signatures above)

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1728
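The Win10 run above lists WerFault.exe launched over and over against PID 4820, which is what the "Program crash" signature in the overview reflects; the Win7 run (behavioral1) shows no WerFault process at all. The script below is an added example, not part of the report or the sandbox's tooling: it parses WerFault command lines of the two shapes seen here, groups them by the crashing PID and counts the reports, so the crash pattern can be pulled out of a long process list mechanically. The process list it runs over is a constructed subset of the lines above; the flag meanings in the comments are my reading of the observed invocations, not something the report documents.

```python
"""Correlate WerFault.exe launches with the process that crashed.

Added example (not part of the report). The command lines are a
constructed subset of the behavioral2 Processes list. Flag meanings in
the comments are my reading of the observed invocations, not something
the report documents.
"""
from collections import defaultdict

# Constructed subset of the behavioral2 Processes list (the run shows 16 pairs).
PROCESS_LIST = [
    r'"C:\Users\Admin\AppData\Local\Temp\a880920e6a94db56230f0126320a8f80_JaffaCakes118.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4820 -ip 4820",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 460",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4820 -ip 4820",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 656",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4820 -ip 4820",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 684",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4820 -ip 4820",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 800",
]

VALUE_FLAGS = {"-p": "pid", "-ip": "ip_pid", "-s": "handle"}
MODE_FLAGS = {"-pss", "-u"}


def parse_werfault(cmdline):
    """Parse one WerFault command line; return None for any other process.

    Observed shapes (behavioral2): "-pss -s N -p PID -ip PID" and
    "-u -p PID -s N". -p / -ip name the crashing process and -s carries
    a handle value; -pss vs -u distinguishes the two invocation styles.
    """
    parts = cmdline.split()
    if not parts or not parts[0].lower().endswith("werfault.exe"):
        return None
    info = {"image": parts[0], "mode": None, "pid": None, "ip_pid": None, "handle": None}
    i = 1
    while i < len(parts):
        flag = parts[i].lower()
        if flag in MODE_FLAGS:
            info["mode"] = flag.lstrip("-")
            i += 1
        elif flag in VALUE_FLAGS and i + 1 < len(parts) and parts[i + 1].isdigit():
            info[VALUE_FLAGS[flag]] = int(parts[i + 1])
            i += 2
        else:
            i += 1  # unknown flag: skip rather than fail on a different WerFault build
    # On 64-bit Windows the SysWOW64 copy of WerFault handles 32-bit process crashes.
    info["wow64"] = "\\syswow64\\" in parts[0].lower()
    return info


def crash_summary(process_list):
    """Group WerFault launches by crashing PID and count each invocation style."""
    by_pid = defaultdict(lambda: {"pss": 0, "u": 0, "other": 0, "handles": [], "wow64": False})
    for line in process_list:
        info = parse_werfault(line)
        if info is None or info["pid"] is None:
            continue
        entry = by_pid[info["pid"]]
        entry[info["mode"] or "other"] += 1
        entry["handles"].append(info["handle"])
        entry["wow64"] = entry["wow64"] or info["wow64"]
    return dict(by_pid)


def crash_reports(summary, pid):
    """Number of user-mode crash reports (-u launches) recorded for pid."""
    return summary.get(pid, {}).get("u", 0)


if __name__ == "__main__":
    s = crash_summary(PROCESS_LIST)
    for pid, e in s.items():
        print(f"pid {pid}: {e['u']} crash reports, {e['pss']} -pss launches, wow64={e['wow64']}")
```

Two things worth checking when you run this over the full list: every -pss line names the same PID in -p and -ip, and the image path is under SysWOW64, which together with the 0x400000 image base in the memory dumps points at a 32-bit process. Why the sample crashes on Win10 and not on Win7 is not something the report answers; the count only tells you where to look.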

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 ggc-partners.info udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
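Every row in this table is a DNS query to the sandbox resolver, so the Destination column says nothing about the infrastructure behind the sample; the queried names are the indicators, and the repeated lookups of cleaner-partners.top are the kind of volume the "Creates a large amount of network flows" signature in behavioral1 refers to. The script below is an added example, not part of the report: it parses rows in the "Country Destination Domain Proto" layout used here, separates forward lookups from PTR (in-addr.arpa) lookups, recovers the address each PTR query asks about, and flags names queried more than a chosen number of times. The table it runs over is a constructed subset of the rows above; the repeat threshold is my choice, since the report does not publish the one its signature uses.

```python
"""Summarise DNS flows from a sandbox Network table.

Added example (not part of the report): parses rows in the
"Country Destination Domain Proto" layout used above, separates forward
lookups from PTR (in-addr.arpa) lookups, and flags domains queried
repeatedly. The rows below are a constructed subset of the behavioral2 table.
"""
from collections import Counter
import ipaddress
import re

# Constructed subset of the behavioral2 Network table (the full table has 41 rows).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 ggc-partners.info udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
US 8.8.8.8:53 cleaner-partners.top udp
"""

# One data row: country, "ip:port", queried name, protocol.
ROW_RE = re.compile(
    r"^(?P<country>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)


def parse_flows(table):
    """Return the data rows as dicts; the header and any blank lines are skipped."""
    flows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        row = m.groupdict()
        row["port"] = int(row["port"])
        flows.append(row)
    return flows


def ptr_to_ip(name):
    """Turn a reverse-DNS name into the IPv4 address it asks about, or None.

    PTR names carry the octets in reverse order, so
    154.239.44.20.in-addr.arpa is a lookup of 20.44.239.154.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarize_dns(flows, repeat_threshold=5):
    """Split port-53 flows into forward and reverse lookups and flag repeats.

    repeat_threshold is an arbitrary cut-off chosen for this example; the
    report's "large amount of network flows" signature does not publish
    the threshold it uses.
    """
    forward = Counter()
    reverse_targets = []
    resolvers = Counter()
    for f in flows:
        if f["port"] != 53:
            continue
        resolvers[f["ip"]] += 1
        ip = ptr_to_ip(f["domain"])
        if ip is not None:
            reverse_targets.append(ip)
        else:
            forward[f["domain"].lower()] += 1
    return {
        "forward": forward,
        "reverse_targets": reverse_targets,
        "repeated": {d: n for d, n in forward.items() if n >= repeat_threshold},
        "resolvers": resolvers,
    }


if __name__ == "__main__":
    summary = summarize_dns(parse_flows(NETWORK_TABLE))
    for domain, n in summary["forward"].most_common():
        print(f"{n:3d}  {domain}")
    print("PTR targets:", ", ".join(summary["reverse_targets"]))
    print("repeated:", summary["repeated"])
```

The report attributes flows to the run, not to a process, and PTR lookups of unrelated addresses are routinely generated by Windows itself, so treat the recovered PTR targets as context rather than as indicators of this sample until something else ties them to it. The two forward-lookup names are the ones to carry into blocklists.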

Files

memory/4820-1-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/4820-2-0x00000000001D0000-0x00000000001FF000-memory.dmp

memory/4820-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4820-4-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/4820-5-0x00000000001D0000-0x00000000001FF000-memory.dmp

memory/4820-6-0x0000000000400000-0x0000000000912000-memory.dmp

memory/4820-7-0x0000000000400000-0x0000000000431000-memory.dmp
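The dump names above encode the PID, a capture index and the virtual address range of each region. Read that way, the list says that the region at 0x400000 was captured at two different sizes (0x31000 and 0x512000 bytes), which is the first thing to open when deciding which dump to carve the payload from. The script below is an added example, not part of the report: it parses the memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp naming used here, computes each region's size, groups dumps by base address and reports bases that were dumped at more than one size. The names it runs over are the behavioral2 list above; what the regions contain is not something the report states, so the script only says where to look.

```python
"""Index the memory dumps listed in a sandbox Files section.

Added example (not part of the report): parses the
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names used above, computes
each region's size and groups dumps by base address so that regions
captured at different sizes stand out. The names below are the
behavioral2 Files list.
"""
from collections import defaultdict
import re

DUMPS = [
    "memory/4820-1-0x0000000000970000-0x0000000000A70000-memory.dmp",
    "memory/4820-2-0x00000000001D0000-0x00000000001FF000-memory.dmp",
    "memory/4820-3-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/4820-4-0x0000000000970000-0x0000000000A70000-memory.dmp",
    "memory/4820-5-0x00000000001D0000-0x00000000001FF000-memory.dmp",
    "memory/4820-6-0x0000000000400000-0x0000000000912000-memory.dmp",
    "memory/4820-7-0x0000000000400000-0x0000000000431000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split one dump name into pid, capture index, start, end and size (bytes)."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def regions(dump_names):
    """Map (pid, base address) -> list of (capture index, size), ordered by index.

    Sorting by index matters because the report's own lists are not always
    in capture order (behavioral1 lists dump 7 before dump 6).
    """
    grouped = defaultdict(list)
    for d in sorted((parse_dump(n) for n in dump_names), key=lambda d: d["idx"]):
        grouped[(d["pid"], d["start"])].append((d["idx"], d["size"]))
    return dict(grouped)


def resized_regions(dump_names):
    """Bases dumped more than once with differing sizes, with the sizes seen."""
    out = {}
    for key, entries in regions(dump_names).items():
        sizes = sorted({size for _, size in entries})
        if len(sizes) > 1:
            out[key] = sizes
    return out


def total_dumped_bytes(dump_names):
    """Total bytes across all dumps, for sizing what you are about to carve."""
    return sum(parse_dump(n)["size"] for n in dump_names)


if __name__ == "__main__":
    for (pid, base), entries in regions(DUMPS).items():
        print(f"pid {pid} base 0x{base:08X}: " + ", ".join(f"#{i} {s:#x}" for i, s in entries))
    print("resized:", {f"0x{b:X}": [f"{s:#x}" for s in sz] for (_, b), sz in resized_regions(DUMPS).items()})
    print(f"total dumped: {total_dumped_bytes(DUMPS):#x} bytes")
```

The 0x400000 base is the default image base of a 32-bit PE, consistent with the SysWOW64 WerFault invocations in the process list; dumps #3 and #7 of that base match the 0x31000-byte on-disk image size while #6 is a much larger 0x512000 bytes, so #6 is the one to inspect for what was mapped over or after the original image.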