raccoon | 90ca9c7f8b656d2104a812ce9ba2625c1ab3b6ae346df7e6f01c838bf8990bda

General

Target

0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
Size

866KB
MD5

0da43ff2818bd897206bf362ee8aa27f
SHA1

7013151ac5b6e201ebb6f20efff8dd8d269e92e5
SHA256

90ca9c7f8b656d2104a812ce9ba2625c1ab3b6ae346df7e6f01c838bf8990bda
SHA512

e9711f909d5a11bf7431ea2000f3200e4e206dd53cf1a4ffd4a8fbe0ce974be37878e3c3a2738b3fbeb26acd48a3f04b547e0b3c89884a5d1a74c2d496739a5c
SSDEEP

24576:o53uhF1ekWz2q28OV0vn0IGFr6s/5iHkNTAskAuQ:o5+hF1CPhOavGFmsB2kN0szuQ

Score

10^/10

raccoon e2b58b2c24d80fcfd249021c5a21ac97c09e40a1 discovery stealer

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

e2b58b2c24d80fcfd249021c5a21ac97c09e40a1

Attributes

url4cnc
https://telete.in/mohibrainos

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral1/memory/2668-60-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral1/memory/2668-65-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral1/memory/2668-71-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral1/memory/2668-70-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1

Executes dropped EXE 2 IoCs

pid	Process
2688	GuiHelper.exe
2668	GuiHelper.exe

Loads dropped DLL 3 IoCs

pid	Process
2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
2688	GuiHelper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 2668	2688	GuiHelper.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GuiHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GuiHelper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2688	GuiHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2688	GuiHelper.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2336	2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2336	2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2336	2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2336	2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2688	2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2688	2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2688	2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2688	2564	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2668	2688	GuiHelper.exe	32
PID 2688 wrote to memory of 2668	2688	GuiHelper.exe	32
PID 2688 wrote to memory of 2668	2688	GuiHelper.exe	32
PID 2688 wrote to memory of 2668	2688	GuiHelper.exe	32
PID 2688 wrote to memory of 2668	2688	GuiHelper.exe	32

C:\Users\Admin\AppData\Local\Temp\0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\GuiHelper\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\GuiHelper" "0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe""
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe
  "C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe

Filesize
1.1MB

MD5
533dd7c6e2d03b192937a23e72679572

SHA1
c3f823ad2660f2c3fe5f0a9f4a98130a3c799be6

SHA256
753c49e96e7d6991dfa47778186e7f8f4eb1dec274a9b43d38731b573c311fe6

SHA512
42ecc05b9b533a7ef2a4b85f71c6198a9fadf1a1a361b3d016bdee72a9777b1896fbb7d61d642724488dc7244c317cb9bd247f4874372527da105f0eface2922

Download Submit
memory/2668-70-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2668-71-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2668-65-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2668-60-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2688-63-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2688-26-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2688-54-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2688-22-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2688-64-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2688-21-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2688-19-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2688-69-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2688-68-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2688-20-0x000000007294A000-0x000000007294B000-memory.dmp

Filesize
4KB

Download
memory/2688-14-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing