raccoon | 29924af043739881674c7d7ac9d2d08a5021e41484a49f28ee43d253cb9e3be7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61debeeaa664d8da1d895749ca13f932_JaffaCakes118.exe
Size

504KB
MD5

61debeeaa664d8da1d895749ca13f932
SHA1

aa0ee173649f0d0e16fdf42c5ce54049dab4acd9
SHA256

29924af043739881674c7d7ac9d2d08a5021e41484a49f28ee43d253cb9e3be7
SHA512

6858e239d997fbcb9ca8a4585e44d895d914f970f27852a0eaef2f77ed3505510dcb61d9aa07a6c7e50636144b4efaba099523db00063b09491b13a8343432b7
SSDEEP

12288:24NvWXvrIjkAp78k+or6GcLuSEYSIGoI:2IcvokHormLsQI

Score

10^/10

raccoon 83fbe81dd43f775dd8af3cd619f88f428fbd9a96 discovery stealer

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

83fbe81dd43f775dd8af3cd619f88f428fbd9a96

Attributes

url4cnc
https://telete.in/opa4kiprivatem

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3416-2-0x0000000004A40000-0x0000000004AD3000-memory.dmp	family_raccoon_v1
behavioral2/memory/3416-3-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/3416-5-0x0000000004A40000-0x0000000004AD3000-memory.dmp	family_raccoon_v1
behavioral2/memory/3416-7-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/3416-6-0x0000000000400000-0x0000000002CB4000-memory.dmp	family_raccoon_v1

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4692	3416	WerFault.exe	83
2188	3416	WerFault.exe	83
1228	3416	WerFault.exe	83
2248	3416	WerFault.exe	83
4828	3416	WerFault.exe	83
752	3416	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

61debeeaa664d8da1d895749ca13f932_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61debeeaa664d8da1d895749ca13f932_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\61debeeaa664d8da1d895749ca13f932_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61debeeaa664d8da1d895749ca13f932_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 740
  2⤵
  - Program crash
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 776
  2⤵
  - Program crash
  PID:2188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 876
  2⤵
  - Program crash
  PID:1228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 884
  2⤵
  - Program crash
  PID:2248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1196
  2⤵
  - Program crash
  PID:4828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1236
  2⤵
  - Program crash
  PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3416 -ip 3416
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3416 -ip 3416
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3416 -ip 3416
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3416 -ip 3416
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3416 -ip 3416
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3416-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

Filesize
1024KB

Download
memory/3416-2-0x0000000004A40000-0x0000000004AD3000-memory.dmp

Filesize
588KB

Download
memory/3416-3-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3416-4-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

Filesize
1024KB

Download
memory/3416-5-0x0000000004A40000-0x0000000004AD3000-memory.dmp

Filesize
588KB

Download
memory/3416-7-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3416-6-0x0000000000400000-0x0000000002CB4000-memory.dmp

Filesize
40.7MB

Download