Malware Analysis Report

2025-04-14 08:03

Sample ID 250109-hraalssmdz
Target JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
Tags
raccoon 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1

Threat Level: Known bad

The file JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4 was found to be: Known bad.

Malicious Activity Summary

raccoon 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 discovery stealer

Raccoon

Raccoon Stealer V1 payload

Raccoon family

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-09 06:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-09 06:57

Reported

2025-01-09 07:00

Platform

win7-20240903-en

Max time kernel

141s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 telegka.top udp
US 107.178.223.183:80 telegka.top tcp
US 107.178.223.183:80 telegka.top tcp
US 107.178.223.183:80 telegka.top tcp
US 107.178.223.183:80 telegka.top tcp
US 107.178.223.183:80 telegka.top tcp
US 107.178.223.183:80 telegka.top tcp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp

Files

memory/2936-1-0x00000000017E0000-0x00000000018E0000-memory.dmp

memory/2936-2-0x0000000000310000-0x000000000039E000-memory.dmp

memory/2936-3-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2936-4-0x00000000017E0000-0x00000000018E0000-memory.dmp

memory/2936-5-0x0000000000310000-0x000000000039E000-memory.dmp

memory/2936-7-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2936-6-0x0000000000400000-0x00000000016FB000-memory.dmp

memory/2936-16-0x0000000000400000-0x00000000016FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-09 06:57

Reported

2025-01-09 07:00

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bc0cca3a8784bbc7d5d3e9e47e6ba4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 telegka.top udp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 104.155.138.21:80 telegka.top tcp
US 104.155.138.21:80 telegka.top tcp
US 104.155.138.21:80 telegka.top tcp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1512-1-0x0000000001820000-0x0000000001920000-memory.dmp

memory/1512-2-0x0000000003440000-0x00000000034CE000-memory.dmp

memory/1512-3-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1512-4-0x0000000001820000-0x0000000001920000-memory.dmp

memory/1512-6-0x0000000003440000-0x00000000034CE000-memory.dmp

memory/1512-5-0x0000000000400000-0x00000000016FB000-memory.dmp

memory/1512-7-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1512-14-0x0000000000400000-0x00000000016FB000-memory.dmp