gcleaner | 58982d2ca066eaf3ea0ab2e7c0dde87c35b50038e69fbf80e59b67bd9fcb0255

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_58982d2ca066eaf3ea0ab2e7c0dde87c35b50038e69fbf80e59b67bd9fcb0255.exe
Size

329KB
MD5

ae7211b71b8e9a5be9a27c0b166b1997
SHA1

d6018715f26818f5a9b6e9ea2dca555adf3f84e6
SHA256

58982d2ca066eaf3ea0ab2e7c0dde87c35b50038e69fbf80e59b67bd9fcb0255
SHA512

e13ea8acc2701f31917ea3374e1704ca41c757691973ad6a2bf96aa157834e332b97d7bf1b8a92b6aeda19c7c5741ed11f789e50075fb69d15c2975ea450b4b5
SSDEEP

6144:zFBHFLl2R5P4rNscbCRUuku5rWPwdf6Ix4PU6iHjnhN9p:zFBHF5k5Qpkf5rpB6ThO7p

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Attributes

url_path
....!..../software.php

....!..../software.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner

Program crash 8 IoCs

pid	pid_target	Process	procid_target
860	3084	WerFault.exe	81
3648	3084	WerFault.exe	81
4404	3084	WerFault.exe	81
1704	3084	WerFault.exe	81
4992	3084	WerFault.exe	81
868	3084	WerFault.exe	81
1484	3084	WerFault.exe	81
3548	3084	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_58982d2ca066eaf3ea0ab2e7c0dde87c35b50038e69fbf80e59b67bd9fcb0255.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3084	JaffaCakes118_58982d2ca066eaf3ea0ab2e7c0dde87c35b50038e69fbf80e59b67bd9fcb0255.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58982d2ca066eaf3ea0ab2e7c0dde87c35b50038e69fbf80e59b67bd9fcb0255.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58982d2ca066eaf3ea0ab2e7c0dde87c35b50038e69fbf80e59b67bd9fcb0255.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:3084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 452
  2⤵
  - Program crash
  PID:860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 764
  2⤵
  - Program crash
  PID:3648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 784
  2⤵
  - Program crash
  PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 816
  2⤵
  - Program crash
  PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 808
  2⤵
  - Program crash
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 932
  2⤵
  - Program crash
  PID:868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 936
  2⤵
  - Program crash
  PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 768
  2⤵
  - Program crash
  PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3084 -ip 3084
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3084 -ip 3084
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3084 -ip 3084
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3084 -ip 3084
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3084 -ip 3084
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3084 -ip 3084
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3084 -ip 3084
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3084 -ip 3084
1⤵
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3084-2-0x00000000030F0000-0x0000000003130000-memory.dmp

Filesize
256KB

Download
memory/3084-1-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/3084-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3084-4-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/3084-6-0x00000000030F0000-0x0000000003130000-memory.dmp

Filesize
256KB

Download
memory/3084-5-0x0000000000400000-0x0000000002C3F000-memory.dmp

Filesize
40.2MB

Download
memory/3084-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download