Malware Analysis Report

2024-10-23 21:53

Sample ID 240402-a66y5abg5v
Target 7efe9fc7329a78d32cf8c7f98f068566_JaffaCakes118
SHA256 49209c0cd75b58e967570eb5a49e9ab2b1533d166c1009e56c242f8e06143ec9
Tags
raccoon stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

49209c0cd75b58e967570eb5a49e9ab2b1533d166c1009e56c242f8e06143ec9

Threat Level: Known bad

The file 7efe9fc7329a78d32cf8c7f98f068566_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

raccoon stealer

Raccoon

Raccoon Stealer V1 payload

Unsigned PE

Program crash

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-02 00:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 00:50

Reported

2024-04-02 00:53

Platform

win7-20240221-en

Max time kernel

142s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7efe9fc7329a78d32cf8c7f98f068566_JaffaCakes118.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7efe9fc7329a78d32cf8c7f98f068566_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7efe9fc7329a78d32cf8c7f98f068566_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 telegka.top udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp

Files

memory/1488-1-0x0000000001830000-0x0000000001930000-memory.dmp

memory/1488-2-0x0000000000360000-0x00000000003EE000-memory.dmp

memory/1488-3-0x0000000000400000-0x00000000016FF000-memory.dmp

memory/1488-4-0x0000000000400000-0x00000000016FF000-memory.dmp

memory/1488-6-0x0000000001830000-0x0000000001930000-memory.dmp

memory/1488-7-0x0000000000360000-0x00000000003EE000-memory.dmp

memory/1488-16-0x0000000000400000-0x00000000016FF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 00:50

Reported

2024-04-02 00:53

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7efe9fc7329a78d32cf8c7f98f068566_JaffaCakes118.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7efe9fc7329a78d32cf8c7f98f068566_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7efe9fc7329a78d32cf8c7f98f068566_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1228

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 telegka.top udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 telegka.top udp
US 8.8.8.8:53 telegka.top udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1308-1-0x0000000001970000-0x0000000001A70000-memory.dmp

memory/1308-2-0x00000000018A0000-0x000000000192E000-memory.dmp

memory/1308-3-0x0000000000400000-0x00000000016FF000-memory.dmp

memory/1308-6-0x0000000001970000-0x0000000001A70000-memory.dmp

memory/1308-7-0x00000000018A0000-0x000000000192E000-memory.dmp

memory/1308-10-0x0000000000400000-0x00000000016FF000-memory.dmp