General

  • Target: 41c38b28a965f10261a320ec88c7adc0_JaffaCakes118
  • Size: 15.8MB
  • Sample: 240514-rdywgsad72
  • MD5: 41c38b28a965f10261a320ec88c7adc0
  • SHA1: f633611416eacf26ca20291e672a954a186220cd
  • SHA256: 42ca73a2f64b86c9e59cc795eaf28450bdfd1149a35b052e2a8baf1b47e82204
  • SHA512: 5b8b7fb27e3f5e904399f8a9a063cfadb5085db0e2f68b0d58a8cd9050896651c4627d393039259b09cfd4fb3cfb1ceef4728e317e18d2ba19bc771399804687
  • SSDEEP: 393216:i6eS1UH9VJcP/hDcSWodYkg7S1e1uBFBecboH86C:i6eS1cVJcXcBMiuFBemoH8L

Score: 10/10


Targets

    • Target: 41c38b28a965f10261a320ec88c7adc0_JaffaCakes118
    • Size: 15.8MB
    • MD5: 41c38b28a965f10261a320ec88c7adc0
    • SHA1: f633611416eacf26ca20291e672a954a186220cd
    • SHA256: 42ca73a2f64b86c9e59cc795eaf28450bdfd1149a35b052e2a8baf1b47e82204
    • SHA512: 5b8b7fb27e3f5e904399f8a9a063cfadb5085db0e2f68b0d58a8cd9050896651c4627d393039259b09cfd4fb3cfb1ceef4728e317e18d2ba19bc771399804687
    • SSDEEP: 393216:i6eS1UH9VJcP/hDcSWodYkg7S1e1uBFBecboH86C:i6eS1cVJcXcBMiuFBemoH8L

    Score: 10/10

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: $1/Outbreak/Pigeon_39.exe
    • Size: 6.8MB
    • MD5: f7958823d5a3c0a2df7974adde4028d0
    • SHA1: bb4e28ce33d1d1346c9916593d2760596eec0cc2
    • SHA256: 72a310904f5c29c586eceff7a2442dc50e82c5a0673ac62e07c793333803f0e5
    • SHA512: 5d65bf146d76f0d24599e95d6b222125d717bf6a94c58034cb09a96380b92b6a672a54987acebca83ba1f9dc78ab1947fa3c9cc5856f08a0042673b78fcf9171
    • SSDEEP: 196608:g/xq66y1wQplnbnZVztYtArKIF20GsbYr9vyKHRo:wx1i29bnZYtAWmeyqo

    Score: 9/10

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: $1/Software/Crew_95.exe
    • Size: 4.3MB
    • MD5: ef9aa9009c8df44bb806f66b8e367bf7
    • SHA1: 9fdcbf944c3f6bdabe66d1d8caa058e167baa14b
    • SHA256: 459d0ea5dc8c44e62020aff6016cf0a4495e217e1892bda8aaf8f2a9187d4612
    • SHA512: 99e744363ac69343a394a13c1c219e9167dbf892150abd0d840f78a0d9566ecb340827d8a67a0d32365eca209c723e3d370a715151be74641dbea2a09e35eac2
    • SSDEEP: 98304:6P5W8HQ0cSTNeJ8+tT8QKkUMZBEdz/uUxh9/Hexr3vxcz:6BnQINeJ8A+kUFJ/u2hhHehvG

    Score: 10/10

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: $1/Software/Glad_84.exe
    • Size: 4.5MB
    • MD5: 0881095412775a91dcaab9b0ff5325e4
    • SHA1: 6b8001b963c6120ebfbc303f9d9e42eb7b935dba
    • SHA256: a801f1c92530887b30c21fcd5fbfe284446a918441a9ba62bb98ff23772e470d
    • SHA512: 0111e64ef2b1b133f0da60e2e9885a4bc65f4c5f43cc01abe664cc4ff9202f94fc581943b27fd967076ae9d3ebe965a0a0c06842d725649bc8536f7c4d8ff521
    • SSDEEP: 98304:ViaFZ3PhLv71Y0e76VOqPJonYVvXCo2MahOY/FYkloKVUcNW9nTBqTTbm6EHo:ViaFZfdv60dVOpna/GFbKrcNWNBqTTb1

    Score: 9/10

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: $1/Software/software.exe
    • Size: 287KB
    • MD5: 86503b51f7591c77378f67f4555c3f6f
    • SHA1: 1805c4ce6c71db2d35df1a635cdeacf47f8f3797
    • SHA256: 22beccc542b0d6fa989a6d2b7196ef6c7830c4172d019f21725e34f4cfea7a00
    • SHA512: dd9729b9fbc78e3e3fdd9b7369ac92b42432e65b3b6ce62c757690964aa08f091e728c5780e839cecb12bbd619a0a74c50990fc9608210cacfa6eefabad648b2
    • SSDEEP: 6144:/pMBB8B/zowpTip56/UNhCFmk4Y/4ijrPctMD+:B8B4/95ip56/UE74YRjkp

    Score: 1/10

    • Target: $PLUGINSDIR/System.dll
    • Size: 11KB
    • MD5: 0063d48afe5a0cdc02833145667b6641
    • SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
    • SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
    • SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
    • SSDEEP: 192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4

    Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 8
  • Subvert Trust Controls (T1553): 2
  • Install Root Certificate (T1553.004): 2
  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 14
  • Virtualization/Sandbox Evasion (T1497): 8
  • System Information Discovery (T1082): 9
  • Remote System Discovery (T1018): 2
