raccoon | 0a3a36fb5bca270716b5836355d506fbde4dcfeb66c526d7310aa60f99aac49b

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe
Size

24.1MB
MD5

e4b908985c9010780f9bc972dc34883e
SHA1

a4b802e0e4c9485d4733f2f8e836cccef17cc587
SHA256

0a3a36fb5bca270716b5836355d506fbde4dcfeb66c526d7310aa60f99aac49b
SHA512

69c3533ab9a95f9330001720cf4ccde47eafc203b416b4aadb7352831b7f7a8c02e0543543c0bc443b5f8915fb834f614b3a0c580eefc1f914dbdb3df0fa7b1d
SSDEEP

393216:D8zGfF0zm9Vj2bVl8WvEOcc2FReqN14JkgKTLDF9Ky9LWN1QsTFrdRSqPPF+:8GN0zOVW8WM3DHvJDF9KPN1ntdPPF+

Score

10^/10

raccoon evasion stealer themida trojan

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 8 IoCs

resource	yara_rule
behavioral2/memory/4704-38-0x00000000005F0000-0x0000000000B4E000-memory.dmp	family_raccoon_v1
behavioral2/memory/4704-40-0x00000000005F0000-0x0000000000B4E000-memory.dmp	family_raccoon_v1
behavioral2/memory/4704-44-0x00000000005F0000-0x0000000000B4E000-memory.dmp	family_raccoon_v1
behavioral2/memory/4704-52-0x00000000005F0000-0x0000000000B4E000-memory.dmp	family_raccoon_v1
behavioral2/memory/4704-58-0x00000000005F0000-0x0000000000B4E000-memory.dmp	family_raccoon_v1
behavioral2/memory/4704-67-0x00000000005F0000-0x0000000000B4E000-memory.dmp	family_raccoon_v1
behavioral2/memory/4704-65-0x00000000005F0000-0x0000000000B4E000-memory.dmp	family_raccoon_v1
behavioral2/memory/4704-140-0x00000000005F0000-0x0000000000B4E000-memory.dmp	family_raccoon_v1

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Icecream PDF Editor 2.43.Svc_6Ouq5.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Icecream PDF Editor 2.43.Svc_6Ouq5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Icecream PDF Editor 2.43.Svc_6Ouq5.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4704	Icecream PDF Editor 2.43.Svc_6Ouq5.exe
4896	Icecream PDF Editor 2.43_a8A0p.exe
3652	Icecream PDF Editor 2.43_a8A0p.tmp

Loads dropped DLL 4 IoCs

pid	Process
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000f000000023124-4.dat	themida
behavioral2/memory/4704-17-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-33-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-38-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-40-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-44-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-52-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-58-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-67-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-65-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida
behavioral2/memory/4704-140-0x00000000005F0000-0x0000000000B4E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Icecream PDF Editor 2.43.Svc_6Ouq5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4704	Icecream PDF Editor 2.43.Svc_6Ouq5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe
452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe
452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe
452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe
452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe
452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe
452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4896	Icecream PDF Editor 2.43_a8A0p.exe
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp
3652	Icecream PDF Editor 2.43_a8A0p.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4704	452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe	85
PID 452 wrote to memory of 4704	452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe	85
PID 452 wrote to memory of 4704	452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe	85
PID 452 wrote to memory of 4896	452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe	87
PID 452 wrote to memory of 4896	452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe	87
PID 452 wrote to memory of 4896	452	e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe	87
PID 4896 wrote to memory of 3652	4896	Icecream PDF Editor 2.43_a8A0p.exe	88
PID 4896 wrote to memory of 3652	4896	Icecream PDF Editor 2.43_a8A0p.exe	88
PID 4896 wrote to memory of 3652	4896	Icecream PDF Editor 2.43_a8A0p.exe	88

C:\Users\Admin\AppData\Local\Temp\e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4b908985c9010780f9bc972dc34883e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:452
- C:\ProgramData\Icecream PDF Editor 2.43.Svc_6Ouq5.exe
  "C:\ProgramData\Icecream PDF Editor 2.43.Svc_6Ouq5.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4704
- C:\ProgramData\Icecream PDF Editor 2.43_a8A0p.exe
  "C:\ProgramData\Icecream PDF Editor 2.43_a8A0p.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\is-UG4GL.tmp\Icecream PDF Editor 2.43_a8A0p.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UG4GL.tmp\Icecream PDF Editor 2.43_a8A0p.tmp" /SL5="$50212,22256985,64512,C:\ProgramData\Icecream PDF Editor 2.43_a8A0p.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Icecream PDF Editor 2.43_a8A0p.exe

Filesize
21.6MB

MD5
b1d576461bf3752242ef21780204f7c9

SHA1
7e96f6e96d256290b35be93269f82494d51088d9

SHA256
4caf64814daf1c68fc3c5150a9e502b457fd0141fcf192fdac024157b443a0db

SHA512
911daad8590f2e34ce91ef48a858270b0caf6421df2f7ea6ce75b4e204515834d33494f5ff0abee86b06c711fe9f51f4515ef0c93c2043745974fe93bc457fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut4A96.tmp

Filesize
1.7MB

MD5
09968e60e27f6e90fd6657656dd238ed

SHA1
1846c404e2cc7dd4642b128ecd986ec549a90968

SHA256
d042509be1a7519ed06950bd76b08656a39c0b8f21712056fc99f910775e74cc

SHA512
30f5343d9296d4652e8cd05b9918b7b1d0b6a78593582736330f6f297ecc55cc7fcb35db31c7c17c5e03f648bc3a66c47d505bfbc08ae1e4a4db5fe2ff696860

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NPKV1.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NPKV1.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UG4GL.tmp\Icecream PDF Editor 2.43_a8A0p.tmp

Filesize
911KB

MD5
e1a29f2b2c7ed8a501e9d8dbfa1a3552

SHA1
05851cfcf872fe88af243ebd2f7adbc6c0c8c94d

SHA256
ba2d79a2abc0f55fe131f0c708241c5822f2dbbbdc5bb72dac94a22bdc8e2160

SHA512
3cf7bc57e3d8df28b5634c4b8e4562ba4206f0f0edb9e1efc19f2f1ac59b510389d90a9c660c5f761396d632639c72ceac81929651b999c71d0f49082bc9d35c

Download Submit
memory/3652-99-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-111-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-148-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/3652-98-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-147-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/3652-103-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/3652-77-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-78-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-71-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-72-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-66-0x00000000074E0000-0x00000000077FA000-memory.dmp

Filesize
3.1MB

Download
memory/3652-73-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/3652-75-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-74-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-79-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/3652-80-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-82-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/3652-57-0x00000000072B0000-0x00000000072C6000-memory.dmp

Filesize
88KB

Download
memory/3652-70-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/3652-76-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/3652-81-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-84-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-88-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/3652-90-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-94-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/3652-95-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-96-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-97-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/3652-92-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-93-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-91-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/3652-89-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-87-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-50-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/3652-132-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/3652-83-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-85-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/3652-109-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/3652-108-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-107-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-106-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/3652-105-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-115-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/3652-120-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-121-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/3652-119-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-118-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3652-116-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-117-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-114-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-113-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-112-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/3652-104-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-110-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-102-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-101-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/3652-100-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/3652-86-0x0000000007800000-0x0000000007940000-memory.dmp

Filesize
1.2MB

Download
memory/4704-67-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-44-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-38-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-17-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-65-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-18-0x00000000776F4000-0x00000000776F6000-memory.dmp

Filesize
8KB

Download
memory/4704-58-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-140-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-52-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-40-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4704-33-0x00000000005F0000-0x0000000000B4E000-memory.dmp

Filesize
5.4MB

Download
memory/4896-36-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4896-143-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download