Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 04:43
Static task: static1
Behavioral task: behavioral1
  Sample: e4be75c471d13df766c869ef78e63698_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: e4be75c471d13df766c869ef78e63698_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e4be75c471d13df766c869ef78e63698_JaffaCakes118.exe
Size: 331KB
MD5: e4be75c471d13df766c869ef78e63698
SHA1: 96510afbe52c4897b53bf6c9a0a71bd6c4961949
SHA256: 9eef2d09ceecb2014ef5fff7ff2fcacbfb7106bcd18bbc1b717d36e898e469d8
SHA512: 8280d408e26f282e8686c3199c4b3bb99482abf06e04dc646700e69a2fc3d50f4aeb9dbe7f20239a078eec7749fc920ab12d2b85da50950a97e4405bb2a24491
SSDEEP: 3072:lmnOYAZEKVkMRvGzdJW+uB9t+0q1765b20AyrhKD1RHT1I9A2rD0vkjyiOykNScS:lmORZEvm+uPsT76v2D2/rDV2Sc6VRn
Malware Config
Extracted
Family: gcleaner
C2: gcl-page.biz
C2: 194.145.227.161
Signatures

Gcleaner family

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

Onlylogger family

OnlyLogger payload (5 IoCs)
resource                                                                    yara_rule
behavioral2/memory/2852-2-0x0000000002CF0000-0x0000000002D1F000-memory.dmp  family_onlylogger
behavioral2/memory/2852-3-0x0000000000400000-0x0000000000431000-memory.dmp  family_onlylogger
behavioral2/memory/2852-5-0x0000000002CF0000-0x0000000002D1F000-memory.dmp  family_onlylogger
behavioral2/memory/2852-7-0x0000000000400000-0x0000000000431000-memory.dmp  family_onlylogger
behavioral2/memory/2852-6-0x0000000000400000-0x0000000002B9C000-memory.dmp  family_onlylogger
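The five memory-dump IoCs above name the task, PID, dump index and address range of each region the family_onlylogger rule matched. The parser below is an added example (it is not part of the sandbox report or of the OnlyLogger analysis) that turns those lines into structured records, computes each region's size from its range, and collapses repeated dumps of the same region so an analyst sees that the five hits cover only three distinct regions. The sample input is constructed from the rows above; the 0x400000 check is a heuristic assumption (the linker's default ImageBase for 32-bit PE files), not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the five memory-dump IoCs from this report's
# "OnlyLogger payload" signature, one per line.
SAMPLE_IOCS = """
behavioral2/memory/2852-2-0x0000000002CF0000-0x0000000002D1F000-memory.dmp family_onlylogger
behavioral2/memory/2852-3-0x0000000000400000-0x0000000000431000-memory.dmp family_onlylogger
behavioral2/memory/2852-5-0x0000000002CF0000-0x0000000002D1F000-memory.dmp family_onlylogger
behavioral2/memory/2852-7-0x0000000000400000-0x0000000000431000-memory.dmp family_onlylogger
behavioral2/memory/2852-6-0x0000000000400000-0x0000000002B9C000-memory.dmp family_onlylogger
"""

# Layout: <task>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp <yara rule>
IOC_RE = re.compile(
    r"^(?P<task>[A-Za-z0-9_]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

# Assumption (not from the report): the linker default ImageBase of a 32-bit PE.
DEFAULT_X86_IMAGE_BASE = 0x400000


@dataclass(frozen=True)
class MemoryHit:
    task: str
    pid: int
    index: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        """Length of the dumped range (end minus start)."""
        return self.end - self.start

    @property
    def at_default_image_base(self) -> bool:
        """True when the region starts where a non-relocated 32-bit PE is mapped."""
        return self.start == DEFAULT_X86_IMAGE_BASE


def parse_memory_iocs(text: str) -> list:
    """Parse one IoC per line; refuse any line that does not match the layout."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IOC_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised memory IoC: {line!r}")
        hits.append(MemoryHit(
            task=m["task"], pid=int(m["pid"]), index=int(m["idx"]),
            start=int(m["start"], 16), end=int(m["end"], 16), rule=m["rule"],
        ))
    return hits


def distinct_regions(hits) -> list:
    """Keep the first dump of each (pid, start, end) region, sorted by address."""
    first_seen = {}
    for h in hits:
        first_seen.setdefault((h.pid, h.start, h.end), h)
    return sorted(first_seen.values(), key=lambda h: (h.pid, h.start, h.end))


def summarize(text: str) -> dict:
    """Hit count, distinct regions with sizes, and the rules/PIDs involved."""
    hits = parse_memory_iocs(text)
    regions = distinct_regions(hits)
    return {
        "hits": len(hits),
        "regions": [(hex(r.start), hex(r.end), r.size, r.at_default_image_base) for r in regions],
        "rules": sorted({h.rule for h in hits}),
        "pids": sorted({h.pid for h in hits}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_IOCS).items():
        print(f"{key}: {value}")
```

Two of the three distinct regions start at 0x400000 (the 0x31000-byte one is the size of a small mapped image; the 0x279C000-byte one spans far past it), while the third sits at 0x2CF0000, outside the image; that split is what you would use to decide which dump to carve for the unpacked loader and which for the module on disk.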
Program crash (8 IoCs)
pid   pid_target  Process       procid_target
1308  2852        WerFault.exe  81
1424  2852        WerFault.exe  81
720   2852        WerFault.exe  81
4776  2852        WerFault.exe  81
2736  2852        WerFault.exe  81
1456  2852        WerFault.exe  81
3996  2852        WerFault.exe  81
388   2852        WerFault.exe  81
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e4be75c471d13df766c869ef78e63698_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e4be75c471d13df766c869ef78e63698_JaffaCakes118.exe  (PID 2852)
    "C:\Users\Admin\AppData\Local\Temp\e4be75c471d13df766c869ef78e63698_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 624  (PID 1308)
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 640  (PID 1424)
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 744  (PID 720)
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 784  (PID 4776)
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1012  (PID 2736)
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1020  (PID 1456)
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1292  (PID 3996)
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1064  (PID 388)
        - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2852 -ip 2852  (PID 1560)
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2852 -ip 2852  (PID 3060)
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2852 -ip 2852  (PID 3528)
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852  (PID 3168)
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2852 -ip 2852  (PID 2608)
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2852 -ip 2852  (PID 2956)
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2852 -ip 2852  (PID 2916)
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2852 -ip 2852  (PID 4304)
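The tree above shows sixteen WerFault.exe launches for one target process: eight `-u -p 2852` children (the ones the report tags "Program crash") plus eight `-pss ... -p 2852 -ip 2852` launches at the top level. The code below is an added example (not part of the sandbox report) that parses those command lines, counts each invocation form per target PID, records whether the SysWOW64 copy of WerFault.exe was used (Windows launches that copy for 32-bit processes, which agrees with the arch:x86 tag and the 0x400000 image base in the memory IoCs), and flags any PID that crashed repeatedly. The input is constructed from the rows above with the PIDs and tree markers stripped; the crash-count threshold and the mode names `crash`/`pss` are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the command lines from this report's process tree,
# one per line, without the sandbox's PID and tree-depth annotations.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\e4be75c471d13df766c869ef78e63698_JaffaCakes118.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 624
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 640
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 744
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 784
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1012
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1020
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1292
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1064
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2852 -ip 2852
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2852 -ip 2852
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2852 -ip 2852
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2852 -ip 2852
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2852 -ip 2852
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2852 -ip 2852
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2852 -ip 2852
"""

WERFAULT_RE = re.compile(r"\\werfault\.exe$", re.IGNORECASE)
VALUE_FLAGS = {"-p": "pid", "-s": "s", "-ip": "ip"}


def parse_werfault(cmdline: str):
    """Describe one WerFault.exe command line; return None for any other image."""
    tokens = cmdline.split()
    if not tokens or not WERFAULT_RE.search(tokens[0]):
        return None
    info = {
        "image": tokens[0],
        "mode": None,          # "crash" for -u (report's "Program crash"), "pss" for -pss
        "pid": None, "ip": None, "s": None,
        # The SysWOW64 copy is used when the faulting process is 32-bit.
        "wow64": "\\syswow64\\" in tokens[0].lower(),
    }
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-u":
            info["mode"] = "crash"
        elif tok == "-pss":
            info["mode"] = "pss"
        elif tok in VALUE_FLAGS and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            info[VALUE_FLAGS[tok]] = int(tokens[i + 1])
            i += 1
        i += 1
    return info


def summarize_crashes(tree_text: str, threshold: int = 3) -> dict:
    """Count WerFault invocations per target PID and flag PIDs with repeated crashes.

    threshold is an assumption of this example, not a value from the report.
    """
    per_pid = defaultdict(lambda: {"crash": 0, "pss": 0, "wow64": False})
    for raw in tree_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        w = parse_werfault(line)
        if w is None or w["pid"] is None:
            continue
        entry = per_pid[w["pid"]]
        mode = w["mode"] or "other"
        entry[mode] = entry.get(mode, 0) + 1
        entry["wow64"] = entry["wow64"] or w["wow64"]
    flagged = sorted(pid for pid, e in per_pid.items() if e["crash"] >= threshold)
    return {"per_pid": dict(per_pid), "flagged": flagged}


if __name__ == "__main__":
    result = summarize_crashes(SAMPLE_TREE)
    for pid, entry in result["per_pid"].items():
        print(f"target pid {pid}: {entry}")
    print("flagged:", result["flagged"])
```

On this report the summary is eight `crash` and eight `pss` launches against PID 2852, all via the SysWOW64 image, so 2852 is flagged. The same function works on a process list exported from an EDR or Sysmon (event ID 1 CommandLine) when hunting for a single process that keeps faulting and being restarted by a loader.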