raccoon | ef78f0a9adbce0219107853dc81c042274989f06ce947267cdd8485a56b4da46

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

989b40c26b532486a70f659a91532af7_JaffaCakes118.exe
Size

515KB
MD5

989b40c26b532486a70f659a91532af7
SHA1

ab7382d83f917e5bc6df9d59994974899bf109a5
SHA256

ef78f0a9adbce0219107853dc81c042274989f06ce947267cdd8485a56b4da46
SHA512

c11ec14c57b371d0a45d6367ab0705b2fc4b11900bafdd54a9f0e61ff9cb041fb92594f70943445100a3aedc116c5e16dec5b5a8f3919930e5426f0d61830931
SSDEEP

12288:sdIcOip5Tys7Egwkz3Fob/j9geUjpKxoDkNN7roE:kiLSEkz3avUjpy7cE

Score

10^/10

raccoon 038d8533550cc2efd80d5d5f28d7b8f1ae07b0a3 stealer

Malware Config

Extracted

Family

raccoon

Botnet

038d8533550cc2efd80d5d5f28d7b8f1ae07b0a3

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=1EpM5PfanjdCKrhBdxjnAx3nC77jXFBDm

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1444-2-0x0000000000400000-0x0000000000477000-memory.dmp	family_raccoon_v1
behavioral2/memory/1444-4-0x0000000000400000-0x0000000000477000-memory.dmp	family_raccoon_v1
behavioral2/memory/1444-3-0x0000000000400000-0x00000000013F4000-memory.dmp	family_raccoon_v1

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 drive.google.com
16 drive.google.com

flow	ioc
15	drive.google.com
16	drive.google.com

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1300	1444	WerFault.exe	989b40c26b532486a70f659a91532af7_JaffaCakes118.exe
60	1444	WerFault.exe	989b40c26b532486a70f659a91532af7_JaffaCakes118.exe
540	1444	WerFault.exe	989b40c26b532486a70f659a91532af7_JaffaCakes118.exe
1552	1444	WerFault.exe	989b40c26b532486a70f659a91532af7_JaffaCakes118.exe
3436	1444	WerFault.exe	989b40c26b532486a70f659a91532af7_JaffaCakes118.exe
3076	1444	WerFault.exe	989b40c26b532486a70f659a91532af7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\989b40c26b532486a70f659a91532af7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\989b40c26b532486a70f659a91532af7_JaffaCakes118.exe"
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 708
2⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 728
2⤵
- Program crash
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 864
2⤵
- Program crash
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 736
2⤵
- Program crash
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1192
2⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1240
2⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1444 -ip 1444
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1444 -ip 1444
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1444 -ip 1444
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1444 -ip 1444
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1444 -ip 1444
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1444 -ip 1444
1⤵
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-1-0x0000000001550000-0x0000000001650000-memory.dmp

Filesize
1024KB

Download
memory/1444-2-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1444-4-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1444-3-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download