raccoon | 1002dd3d5f4dd8e8c7d9ccaf9454cf27e6ef264eb408b8e9fdb5d01c9fe66b84

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe
Size

880KB
MD5

be5a2897072048974790ed5be8c5898f
SHA1

5957ea62ae67226a51deea287e6c4c91fc131222
SHA256

1002dd3d5f4dd8e8c7d9ccaf9454cf27e6ef264eb408b8e9fdb5d01c9fe66b84
SHA512

94586cfca9309487dabc16f1c20a55cf1528a5a1a2a6d6f4fc6d2ac47a0890e8d804fd9123aa1678e829ff7d5208190cc8cbfc0f061785251a802fa7fd763401
SSDEEP

24576:EHLmCiIh81qfyn7yG/iUmrmoF3H/dxvBjdrDJ:RMc7D/ixpFH/dxvBjV1

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

resource	yara_rule
behavioral1/files/0x002e0000000134ad-27.dat	family_raccoon_v1

Executes dropped EXE 2 IoCs

pid	Process
2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe
2256	80464db8182dd3ead92aca6561143a317a84db9c.exe

Loads dropped DLL 5 IoCs

pid	Process
2556	cmd.exe
2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe
2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe
2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe
2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2556	1524	be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe	28
PID 1524 wrote to memory of 2556	1524	be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe	28
PID 1524 wrote to memory of 2556	1524	be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe	28
PID 1524 wrote to memory of 2556	1524	be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe	28
PID 2556 wrote to memory of 2768	2556	cmd.exe	30
PID 2556 wrote to memory of 2768	2556	cmd.exe	30
PID 2556 wrote to memory of 2768	2556	cmd.exe	30
PID 2556 wrote to memory of 2768	2556	cmd.exe	30
PID 2768 wrote to memory of 2256	2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe	31
PID 2768 wrote to memory of 2256	2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe	31
PID 2768 wrote to memory of 2256	2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe	31
PID 2768 wrote to memory of 2256	2768	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe	31

C:\Users\Admin\AppData\Local\Temp\be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\en.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe
    80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe -p123456 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.exe
      "C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.exe"
      4⤵
      Executes dropped EXE
      PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.exe

Filesize
562KB

MD5
31e88e44ca4b5c2b7248d95f57dcbf86

SHA1
9a0719c4f11bceeca3123408e7d5b7d026feb634

SHA256
e88419656dc2a28f765633ce79f6b9823aa2e54ba7181f466577c7988ee5b83c

SHA512
b29d649674cdce9461f11def701a29834887e8e506d46ba053e00ddde495af84b8230851af401c14eb843b29b4c913158ea5d682a3bd927716759eb8bb6ec0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\en.bat

Filesize
66B

MD5
9ff746a2e2ca50704ea46b2199148394

SHA1
bd5f7b16f7f62f4c598c772a4d5968ee674937ad

SHA256
f32a6b37c2ce5a222b3f7d4345e63652986852955b15d5ba3992d287c19a932f

SHA512
c4213708394d91fe5b741ddec25082821c1ab2b5d3557c3d4eb540c65c61e7d823158aa37e9b2529e89661085e579bf64121af3d304466ab5a42ebdbdfd5e049

Download Submit
\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe

Filesize
544KB

MD5
ece27fda05ff02e5e4485b97cff41390

SHA1
57d0099f8626f1e570bb2b572aecc8f3766f1dff

SHA256
af2b6aa2394f28cb0b94f97a56527c72e889c8bc19fcf5f596dc3961eea1ea71

SHA512
e3a789c175f77f502052923105e41fd70162632bb5940b91e325b162987e97718f8eb2533844d1686b3b6fbbf793ec65ca92faf210a3eebfd0b9fc61e13b8254

Download Submit