raccoon | 6d4e0d5aab0b739d7a588ac8388fda6683d7aeb89218bc90a6e31e678d694732

Analysis

max time kernel
133s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f0ed6c41455ffba00e8d70230fb385_JaffaCakes118.exe
Size

548KB
MD5

72f0ed6c41455ffba00e8d70230fb385
SHA1

d66ff526c4fce9dc2400b3f62b9a85290a0e43ae
SHA256

6d4e0d5aab0b739d7a588ac8388fda6683d7aeb89218bc90a6e31e678d694732
SHA512

3f80888e2367c57a5ee1888fdaff6a048f146db09cb177cfff66145c85e69f710df1e605b47afc5481b88bba4804c667b70bda453e72bb847e57aa355da2fda2
SSDEEP

12288:OJlhw548nlk6CObOADVdHU6MGBjhRWVh0EBpAwX2NmBdWccZ6vbiG:Qw5482hbADnMcwAE2NIcp6vbiG

Score

10^/10

raccoon 7e5543c4289f26dea3d9e04ebd343c28eb0f44fe stealer

Malware Config

Extracted

Family

raccoon

Botnet

7e5543c4289f26dea3d9e04ebd343c28eb0f44fe

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=1QQXAXArU8BU4kJZ6IBsSCCyLtmLftiOV

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/464-2-0x0000000000720000-0x000000000079C000-memory.dmp	family_raccoon_v1
behavioral2/memory/464-3-0x0000000000400000-0x000000000047F000-memory.dmp	family_raccoon_v1
behavioral2/memory/464-4-0x0000000000400000-0x00000000004F8000-memory.dmp	family_raccoon_v1
behavioral2/memory/464-5-0x0000000000400000-0x000000000047F000-memory.dmp	family_raccoon_v1
behavioral2/memory/464-6-0x0000000000720000-0x000000000079C000-memory.dmp	family_raccoon_v1

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5000 464 WerFault.exe 72f0ed6c41455ffba00e8d70230fb385_JaffaCakes118.exe

flow	ioc
5	drive.google.com
6	drive.google.com

pid	pid_target	process	target process
5000	464	WerFault.exe	72f0ed6c41455ffba00e8d70230fb385_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\72f0ed6c41455ffba00e8d70230fb385_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72f0ed6c41455ffba00e8d70230fb385_JaffaCakes118.exe"
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1212
2⤵
- Program crash
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 464 -ip 464
1⤵
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/464-1-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/464-2-0x0000000000720000-0x000000000079C000-memory.dmp

Filesize
496KB

Download
memory/464-3-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/464-4-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/464-5-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/464-6-0x0000000000720000-0x000000000079C000-memory.dmp

Filesize
496KB

Download