raccoon | 90ca9c7f8b656d2104a812ce9ba2625c1ab3b6ae346df7e6f01c838bf8990bda

General

Target

0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
Size

866KB
MD5

0da43ff2818bd897206bf362ee8aa27f
SHA1

7013151ac5b6e201ebb6f20efff8dd8d269e92e5
SHA256

90ca9c7f8b656d2104a812ce9ba2625c1ab3b6ae346df7e6f01c838bf8990bda
SHA512

e9711f909d5a11bf7431ea2000f3200e4e206dd53cf1a4ffd4a8fbe0ce974be37878e3c3a2738b3fbeb26acd48a3f04b547e0b3c89884a5d1a74c2d496739a5c
SSDEEP

24576:o53uhF1ekWz2q28OV0vn0IGFr6s/5iHkNTAskAuQ:o5+hF1CPhOavGFmsB2kN0szuQ

Score

10^/10

raccoon e2b58b2c24d80fcfd249021c5a21ac97c09e40a1 discovery stealer

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

e2b58b2c24d80fcfd249021c5a21ac97c09e40a1

Attributes

url4cnc
https://telete.in/mohibrainos

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral2/memory/1496-61-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/1496-65-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/1496-63-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/1496-72-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4704	GuiHelper.exe
1496	GuiHelper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4704 set thread context of 1496	4704	GuiHelper.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GuiHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GuiHelper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4704	GuiHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4704	GuiHelper.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 3500	2164	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	82
PID 2164 wrote to memory of 3500	2164	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	82
PID 2164 wrote to memory of 4704	2164	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	84
PID 2164 wrote to memory of 4704	2164	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	84
PID 2164 wrote to memory of 4704	2164	0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe	84
PID 4704 wrote to memory of 1496	4704	GuiHelper.exe	92
PID 4704 wrote to memory of 1496	4704	GuiHelper.exe	92
PID 4704 wrote to memory of 1496	4704	GuiHelper.exe	92
PID 4704 wrote to memory of 1496	4704	GuiHelper.exe	92

C:\Users\Admin\AppData\Local\Temp\0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\GuiHelper\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\GuiHelper" "0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe""
  2⤵
  PID:3500
- C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe
  "C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe

Filesize
1.1MB

MD5
533dd7c6e2d03b192937a23e72679572

SHA1
c3f823ad2660f2c3fe5f0a9f4a98130a3c799be6

SHA256
753c49e96e7d6991dfa47778186e7f8f4eb1dec274a9b43d38731b573c311fe6

SHA512
42ecc05b9b533a7ef2a4b85f71c6198a9fadf1a1a361b3d016bdee72a9777b1896fbb7d61d642724488dc7244c317cb9bd247f4874372527da105f0eface2922

Download Submit
memory/1496-61-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1496-70-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1496-72-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1496-63-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1496-65-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4704-23-0x00000000736E1000-0x00000000736E2000-memory.dmp

Filesize
4KB

Download
memory/4704-29-0x00000000736B0000-0x000000007380D000-memory.dmp

Filesize
1.4MB

Download
memory/4704-54-0x00000000736B0000-0x000000007380D000-memory.dmp

Filesize
1.4MB

Download
memory/4704-25-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/4704-24-0x00000000736B0000-0x000000007380D000-memory.dmp

Filesize
1.4MB

Download
memory/4704-64-0x00000000736B0000-0x000000007380D000-memory.dmp

Filesize
1.4MB

Download
memory/4704-22-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/4704-17-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4704-71-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4704-16-0x00000000773F2000-0x00000000773F3000-memory.dmp

Filesize
4KB

Download
memory/4704-69-0x00000000736B0000-0x000000007380D000-memory.dmp

Filesize
1.4MB

Download
memory/4704-68-0x00000000736B0000-0x000000007380D000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing