Overview

overview

10

Static

static

5

4f9a9b1b7d...18.exe

windows7-x64

10

4f9a9b1b7d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2024 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f9a9b1b7da87ecd06db9996d7d4acfe_JaffaCakes118.exe

  • Size

    24.2MB

  • MD5

    4f9a9b1b7da87ecd06db9996d7d4acfe

  • SHA1

    f813c4b15688d02a467155148c95b75e85aa449f

  • SHA256

    79e74116d9b6641a89f62b78d9b51450612c33cb346d1c86521ce5a8313d24c6

  • SHA512

    94e83197964e4a26c2320423c5d587c29f13d955ffaa69dc9ea50b6be5e91bf397bb29f1ff76b24329ad859e8f3c20d81dbf73f8cd39f72efaba4046553034cd

  • SSDEEP

    393216:3spvgNx6jckByvGeTE0xwtL32JZSlkjWRtuK9JlLir2DrdGPpViRzieLbrK:gvSxBxamXSlll9JZ+0rdyiRzdL

Score
10/10
raccoonevasionstealerthemidatrojan

Malware Config

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 9 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f9a9b1b7da87ecd06db9996d7d4acfe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4f9a9b1b7da87ecd06db9996d7d4acfe_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\ProgramData\AdGuard.v7.7.3715.0.Svc_fXPKH.exe
      "C:\ProgramData\AdGuard.v7.7.3715.0.Svc_fXPKH.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2004
    • C:\ProgramData\AdGuard.v7.7.3715.0_vZ1t4.exe
      "C:\ProgramData\AdGuard.v7.7.3715.0_vZ1t4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\ProgramData\Package Cache\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}v7.7.3715.0\setup.msi" TRANSFORMS=tr.mst
        3⤵
        • Enumerates connected drives
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:944
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AdGuard.v7.7.3715.0.Svc_fXPKH.exe
    Filesize

    2.0MB

    MD5

    b053fb4457f829f8a2cefdd6d4f46d20

    SHA1

    d67bd1595c6ebcdbbaa28a7bd35054cecf3daa5f

    SHA256

    c290cebb313e2413bcf84cd70135def846647cf2eca27e9a61ecb71e60cc2e0e

    SHA512

    27371a7fe25431949e20e77330d5b20cef3524bca6652934513a264efcc4379c4277c1386dee6bb8331fb57bd636e87bf7dcb85c6ae9c852cd4c8b92ff6b0636

    Download Submit

  • C:\ProgramData\AdGuard.v7.7.3715.0_vZ1t4.exe
    Filesize

    21.3MB

    MD5

    35b0f868fe979536190b3d4336b18d25

    SHA1

    3a337dc2cea9e10ce86b6dd04b907edd509d4318

    SHA256

    7cdb377bedd16763cea656b92392490d1762c3804214fd80dc734387e9c518f6

    SHA512

    3c6cb441b72ab50bfca9e03a933abf95979db95c0a0505648fb7bd2a89987477f95ae2611d18613a7ef12b29b991e0b4ce9961afc1f39db63fc9cc03e8828b17

    Download Submit

  • C:\ProgramData\Package Cache\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}v7.7.3715.0\setup.msi
    Filesize

    3.7MB

    MD5

    ed6084ab9f2cb4dddcdd796ac353523b

    SHA1

    95ace7a94b4ae8efc6f84be9da0ab05c4360f3d7

    SHA256

    197b90e9201c1c7ba2eec1ed41725f280b2ec341014f45b3e40756f9cff0330e

    SHA512

    0e7fb938b76a98afd683caeee3119fd5bb8a8179e3bdb6ed2e16bf4545f46689833df3150ac1df30e0f45c17d091bcded806eaba41aa77ae67b3b97b9f7f6e4d

    Download Submit

  • C:\ProgramData\Package Cache\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}v7.7.3715.0\tr.mst
    Filesize

    300KB

    MD5

    63f3811710ffa84f0fbb7752459177d3

    SHA1

    6e6f7d5c8077be9e62e8686846f639dea61da364

    SHA256

    68225c4c5d6c29323403db04f8f87f099b055dc1ea40d14c06c9d9be340d6c60

    SHA512

    3e41ebff35a83f40e7181862db46ab645c5fde5494e5a68ac06ac8c708016f0bbb3a2221c28c7888bb3ac7df54f214d1a0c2c1172c1803cc7a97eb5f041072d2

    Download Submit

  • memory/2004-30-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-38-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-29-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-27-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-26-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-36-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-37-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-28-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2004-39-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-25-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-263-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2004-253-0x0000000000AF0000-0x0000000001061000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2628-22-0x0000000005B20000-0x0000000006091000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2628-23-0x0000000005B20000-0x0000000006091000-memory.dmp

    Filesize

    5.4MB

    Download