Analysis
- max time kernel: 92s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 16:22
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
- Size: 726.7MB
- MD5: e00c7511778383c619f6058e39021082
- SHA1: 9fb3fde1999b7af20660f2f66a559e6409e23800
- SHA256: d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231
- SHA512: b094d12a830de5e45426321a0ab8b983b2c95402371b90ebe121398269b31a24bf7128dbc476175e83497b9dd0b21ab1be2a92a747039260a4cb94b5be8a3204
- SSDEEP: 196608:fLs7SGlfumJcL4H2rAVdQSfJeHlvhAGlpXHrls2p/Z2E5XCe:Ds9mmJO4H2M73xgzvlpXLls2n5Se
Malware Config
Extracted: raccoon
- 467a953db8cf896cec6946f6144f8158
- http://80.85.241.20/
- http://79.137.202.30/
- user_agent: 901785252112
Signatures
- Raccoon Stealer V2 payload (4 IoCs)
  resource / yara_rule
  behavioral2/memory/4696-11-0x0000000000400000-0x0000000000EE5000-memory.dmp / family_raccoon_v2
  behavioral2/memory/4696-10-0x0000000000400000-0x0000000000EE5000-memory.dmp / family_raccoon_v2
  behavioral2/memory/4696-13-0x0000000000400000-0x0000000000EE5000-memory.dmp / family_raccoon_v2
  behavioral2/memory/4696-15-0x0000000000400000-0x0000000000EE5000-memory.dmp / family_raccoon_v2
- Raccoon family
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid / Process
  4696 / JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
  4696 / JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process
  4696 / JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
  4696 / JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5a663ffd4cec14f0b2f3cfa45dab4e556b9788bf6c74a2fbb37a915fd4b0231.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4696