Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 17:18

Static task: static1

Behavioral task: behavioral1
    Sample: ec8fa1c70521e73b51c8316dcfa8b0be_JaffaCakes118.exe
    Resource: win7-20240903-en

Behavioral task: behavioral2
    Sample: ec8fa1c70521e73b51c8316dcfa8b0be_JaffaCakes118.exe
    Resource: win10v2004-20241007-en
General

Target: ec8fa1c70521e73b51c8316dcfa8b0be_JaffaCakes118.exe
Size: 250KB
MD5: ec8fa1c70521e73b51c8316dcfa8b0be
SHA1: 744280e7416ac94703cadd46a19e06d99e2c7a01
SHA256: d30ebd026461f980294598a71714ca6f67f56952c88ff6e4b44d460b427301e0
SHA512: db74d19dc150c15f2afc22db65d3c746e12d34025140384ba9fb27ccded07571088ad34fa9c4414c6006268147730f9b4867035c42307af3494cd061d4a9479c
SSDEEP: 3072:+EZn8hpiHLI2Eb/BUtMFOM7Sfu+llnIkfPWkz4XNxhZKtZFxwl+i55XkazK:rn87ALI2EDatAOez+lOk3w0tql+elO
Malware Config

Extracted
    Family: gcleaner
    C2: gc-prtnrs.top
    C2: gcc-prtnrs.top
Signatures

Gcleaner family

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

Onlylogger family

OnlyLogger payload (5 IoCs)
    resource                                                                       yara_rule
    behavioral2/memory/4456-2-0x00000000049E0000-0x0000000004A10000-memory.dmp     family_onlylogger
    behavioral2/memory/4456-3-0x0000000000400000-0x0000000000432000-memory.dmp     family_onlylogger
    behavioral2/memory/4456-6-0x00000000049E0000-0x0000000004A10000-memory.dmp     family_onlylogger
    behavioral2/memory/4456-5-0x0000000000400000-0x0000000002C76000-memory.dmp     family_onlylogger
    behavioral2/memory/4456-18-0x0000000000400000-0x0000000002C76000-memory.dmp    family_onlylogger

Program crash (8 IoCs)
    pid    pid_target    Process         procid_target
    4808   4456          WerFault.exe    81
    4792   4456          WerFault.exe    81
    4540   4456          WerFault.exe    81
    4600   4456          WerFault.exe    81
    4396   4456          WerFault.exe    81
    4752   4456          WerFault.exe    81
    3852   4456          WerFault.exe    81
    624    4456          WerFault.exe    81

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description    ioc                                                             Process
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     ec8fa1c70521e73b51c8316dcfa8b0be_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ec8fa1c70521e73b51c8316dcfa8b0be_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ec8fa1c70521e73b51c8316dcfa8b0be_JaffaCakes118.exe"
    PID: 4456
    Signatures: System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 620
        PID: 4808
        Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 640
        PID: 4792
        Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 748
        PID: 4540
        Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 784
        PID: 4600
        Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 832
        PID: 4396
        Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1028
        PID: 4752
        Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1052
        PID: 3852
        Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1676
        PID: 624
        Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4456 -ip 4456
    PID: 708

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4456 -ip 4456
    PID: 1012

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4456 -ip 4456
    PID: 4404

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4456 -ip 4456
    PID: 2952

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4456 -ip 4456
    PID: 4536

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4456 -ip 4456
    PID: 220

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4456 -ip 4456
    PID: 4324

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4456 -ip 4456
    PID: 4844
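The "Program crash" and "System Language Discovery" rows above are derived from the process tree and the registry IoC, and a triage script can recover them from a report like this one. The Python below is an added example and is not part of the sandbox's report or tooling. It parses WerFault.exe command lines from a constructed process list (the entries are copied from the process tree above; the (pid, command line) layout is an assumption of the example), counts faults per target PID the way the report's signature groups them (the "-u -p <pid>" instances count as crashes; the "-pss" instances, which the report lists at the top level and does not count, are tallied separately), and checks a registry key against the NLS\Language path named by the System Language Discovery IoC. The crash-loop threshold is an arbitrary example value.

```python
import re
from collections import Counter

# Constructed sample input: the process tree of the report above, reduced to
# (pid, command line). The list layout is an assumption of this example.
SAMPLE_PROCESSES = [
    (4456, r'"C:\Users\Admin\AppData\Local\Temp\ec8fa1c70521e73b51c8316dcfa8b0be_JaffaCakes118.exe"'),
    (4808, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 620'),
    (4792, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 640'),
    (4540, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 748'),
    (4600, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 784'),
    (4396, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 832'),
    (4752, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1028'),
    (3852, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1052'),
    (624, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1676'),
    (708, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4456 -ip 4456'),
    (1012, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4456 -ip 4456'),
    (4404, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4456 -ip 4456'),
    (2952, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4456 -ip 4456'),
    (4536, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4456 -ip 4456'),
    (220, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4456 -ip 4456'),
    (4324, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4456 -ip 4456'),
    (4844, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4456 -ip 4456'),
]

# The registry IoC from the report's System Language Discovery signature.
SAMPLE_REGISTRY_KEY = r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language'

# Matching on the tail of the key path keeps the check independent of the
# ControlSet alias (ControlSet001 vs CurrentControlSet) and of the hive spelling.
LANGUAGE_KEY_TAIL = r'\control\nls\language'

WERFAULT_RE = re.compile(r'\\WerFault\.exe\b(?P<args>.*)$', re.IGNORECASE)
# One switch and its optional numeric argument, e.g. "-p 4456", "-pss", "-u".
FLAG_RE = re.compile(r'-(?P<flag>[a-z]+)(?:\s+(?P<value>\d+))?', re.IGNORECASE)


def parse_werfault(cmdline):
    """Return (target_pid, flags) for a WerFault.exe command line, or None when
    the command line is not WerFault. target_pid is the value of -p, which names
    the faulting process in both the '-u -p' and the '-pss ... -p ... -ip' forms
    seen in the report. Flags without a numeric argument map to None."""
    m = WERFAULT_RE.search(cmdline)
    if m is None:
        return None
    flags = {}
    for f in FLAG_RE.finditer(m.group('args')):
        value = f.group('value')
        flags[f.group('flag').lower()] = int(value) if value is not None else None
    return flags.get('p'), flags


def crash_summary(processes):
    """Count WerFault instances per faulting PID. '-u' instances are counted as
    crashes, mirroring the report's 'Program crash' signature; '-pss' instances
    are returned in a second dict so they are never double-counted."""
    crashes, helpers = Counter(), Counter()
    for _pid, cmdline in processes:
        parsed = parse_werfault(cmdline)
        if parsed is None or parsed[0] is None:
            continue
        target, flags = parsed
        if 'pss' in flags:
            helpers[target] += 1
        elif 'u' in flags:
            crashes[target] += 1
    return dict(crashes), dict(helpers)


def crash_loop_targets(processes, threshold=3):
    """PIDs with at least `threshold` reported faults. The same PID faulting
    repeatedly without exiting, as 4456 does eight times in the report, is a
    triage signal in its own right. The threshold is an example value."""
    crashes, _helpers = crash_summary(processes)
    return sorted(pid for pid, count in crashes.items() if count >= threshold)


def is_language_discovery(reg_key):
    """True when a registry path ends in the NLS\\Language key the report's
    System Language Discovery IoC names (case-insensitive)."""
    return reg_key.lower().endswith(LANGUAGE_KEY_TAIL)


if __name__ == '__main__':
    crashes, helpers = crash_summary(SAMPLE_PROCESSES)
    print('faults per target PID:', crashes)
    print('-pss WerFault instances per target PID:', helpers)
    print('crash-loop candidates:', crash_loop_targets(SAMPLE_PROCESSES))
    print('language discovery key opened:', is_language_discovery(SAMPLE_REGISTRY_KEY))
```

On the report's process list this yields eight counted faults and eight -pss instances for PID 4456, flags 4456 as a crash-loop candidate, and matches the NLS\Language key. The registry check is written against the key tail only, so it also fires on the CurrentControlSet spelling of the same key, which a report from another sandbox may use instead.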