raccoon | 1002dd3d5f4dd8e8c7d9ccaf9454cf27e6ef264eb408b8e9fdb5d01c9fe66b84

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe
Size

880KB
MD5

be5a2897072048974790ed5be8c5898f
SHA1

5957ea62ae67226a51deea287e6c4c91fc131222
SHA256

1002dd3d5f4dd8e8c7d9ccaf9454cf27e6ef264eb408b8e9fdb5d01c9fe66b84
SHA512

94586cfca9309487dabc16f1c20a55cf1528a5a1a2a6d6f4fc6d2ac47a0890e8d804fd9123aa1678e829ff7d5208190cc8cbfc0f061785251a802fa7fd763401
SSDEEP

24576:EHLmCiIh81qfyn7yG/iUmrmoF3H/dxvBjdrDJ:RMc7D/ixpFH/dxvBjV1

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320d-14.dat	family_raccoon_v1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe

Executes dropped EXE 2 IoCs

pid	Process
3472	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe
2520	80464db8182dd3ead92aca6561143a317a84db9c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1568	5044	be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe	89
PID 5044 wrote to memory of 1568	5044	be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe	89
PID 5044 wrote to memory of 1568	5044	be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe	89
PID 1568 wrote to memory of 3472	1568	cmd.exe	92
PID 1568 wrote to memory of 3472	1568	cmd.exe	92
PID 1568 wrote to memory of 3472	1568	cmd.exe	92
PID 3472 wrote to memory of 2520	3472	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe	93
PID 3472 wrote to memory of 2520	3472	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe	93
PID 3472 wrote to memory of 2520	3472	80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe	93

C:\Users\Admin\AppData\Local\Temp\be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be5a2897072048974790ed5be8c5898f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\en.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe
    80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe -p123456 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.exe
      "C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.exe"
      4⤵
      Executes dropped EXE
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.exe

Filesize
562KB

MD5
31e88e44ca4b5c2b7248d95f57dcbf86

SHA1
9a0719c4f11bceeca3123408e7d5b7d026feb634

SHA256
e88419656dc2a28f765633ce79f6b9823aa2e54ba7181f466577c7988ee5b83c

SHA512
b29d649674cdce9461f11def701a29834887e8e506d46ba053e00ddde495af84b8230851af401c14eb843b29b4c913158ea5d682a3bd927716759eb8bb6ec0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\80464db8182dd3ead92aca6561143a317a84db9c.sfx.exe

Filesize
544KB

MD5
ece27fda05ff02e5e4485b97cff41390

SHA1
57d0099f8626f1e570bb2b572aecc8f3766f1dff

SHA256
af2b6aa2394f28cb0b94f97a56527c72e889c8bc19fcf5f596dc3961eea1ea71

SHA512
e3a789c175f77f502052923105e41fd70162632bb5940b91e325b162987e97718f8eb2533844d1686b3b6fbbf793ec65ca92faf210a3eebfd0b9fc61e13b8254

Download Submit
C:\Users\Admin\AppData\Local\Temp\en.bat

Filesize
66B

MD5
9ff746a2e2ca50704ea46b2199148394

SHA1
bd5f7b16f7f62f4c598c772a4d5968ee674937ad

SHA256
f32a6b37c2ce5a222b3f7d4345e63652986852955b15d5ba3992d287c19a932f

SHA512
c4213708394d91fe5b741ddec25082821c1ab2b5d3557c3d4eb540c65c61e7d823158aa37e9b2529e89661085e579bf64121af3d304466ab5a42ebdbdfd5e049

Download Submit