pony | 96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa

General

Target

96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa.jar
Size

315KB
MD5

da86ebc58406c0e5f462e5a1ae16f861
SHA1

c4f437cff14b052b0deb707887ea09c9e68383f6
SHA256

96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa
SHA512

523e542dffa2dca34dff8b85beb4554250539f31f20e345308945f10b7aa1a0f4104da3604b1529ffe745ad672e57456d2651f47a37c8ac5c4cda3d35ccaf2fd
SSDEEP

6144:unNXtwg3rsWNqvXuQCocAUpZxlAbtaoiOlUd9USANf/0BqcpzrzR0/+LM7dL+M:und3rsWNqBCocAUvxyagNXUqclZ0/iQj

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://ghoesi.tk/scala/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 2 IoCs

Processes:

asdqw83349861051483817720Jamesss.exeasdqw83349861051483817720Jamesss.exe

pid process

944 asdqw83349861051483817720Jamesss.exe
1448 asdqw83349861051483817720Jamesss.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1808 attrib.exe
580 attrib.exe
Loads dropped DLL 1 IoCs

Processes:

asdqw83349861051483817720Jamesss.exe

pid process

944 asdqw83349861051483817720Jamesss.exe

pid	process
944	asdqw83349861051483817720Jamesss.exe
1448	asdqw83349861051483817720Jamesss.exe

pid	process
1808	attrib.exe
580	attrib.exe

pid	process
944	asdqw83349861051483817720Jamesss.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlUYHJ7y3x = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ie0BjxAPXD\\OYmREFT1Hb.VwA\""	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlUYHJ7y3x = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ie0BjxAPXD\\OYmREFT1Hb.VwA\""	reg.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

javaw.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\Desktop.ini	javaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\Desktop.ini	attrib.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

asdqw83349861051483817720Jamesss.exe

description pid process target process

PID 944 set thread context of 1448 944 asdqw83349861051483817720Jamesss.exe asdqw83349861051483817720Jamesss.exe

description	pid	process	target process
PID 944 set thread context of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe

Drops file in Windows directory 4 IoCs

Processes:

javaw.exejavaw.exe

description	ioc	process
File created	C:\Windows\tem	javaw.exe
File opened for modification	C:\Windows\tem	javaw.exe
File created	C:\Windows\tem	javaw.exe
File opened for modification	C:\Windows\tem	javaw.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1712 reg.exe
996 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

asdqw83349861051483817720Jamesss.exe

pid process

944 asdqw83349861051483817720Jamesss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

asdqw83349861051483817720Jamesss.exe

description pid process

Token: SeDebugPrivilege 944 asdqw83349861051483817720Jamesss.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

java.exejavaw.exejavaw.exe

pid process

1044 java.exe
1160 javaw.exe
828 javaw.exe

pid	process
1712	reg.exe
996	reg.exe

pid	process
944	asdqw83349861051483817720Jamesss.exe

description	pid	process
Token: SeDebugPrivilege	944	asdqw83349861051483817720Jamesss.exe

pid	process
1044	java.exe
1160	javaw.exe
828	javaw.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

java.execmd.exejavaw.exeasdqw83349861051483817720Jamesss.exejavaw.exe

description	pid	process	target process
PID 1044 wrote to memory of 924	1044	java.exe	cmd.exe
PID 1044 wrote to memory of 924	1044	java.exe	cmd.exe
PID 1044 wrote to memory of 924	1044	java.exe	cmd.exe
PID 1044 wrote to memory of 1160	1044	java.exe	javaw.exe
PID 1044 wrote to memory of 1160	1044	java.exe	javaw.exe
PID 1044 wrote to memory of 1160	1044	java.exe	javaw.exe
PID 924 wrote to memory of 944	924	cmd.exe	asdqw83349861051483817720Jamesss.exe
PID 924 wrote to memory of 944	924	cmd.exe	asdqw83349861051483817720Jamesss.exe
PID 924 wrote to memory of 944	924	cmd.exe	asdqw83349861051483817720Jamesss.exe
PID 924 wrote to memory of 944	924	cmd.exe	asdqw83349861051483817720Jamesss.exe
PID 1160 wrote to memory of 1712	1160	javaw.exe	reg.exe
PID 1160 wrote to memory of 1712	1160	javaw.exe	reg.exe
PID 1160 wrote to memory of 1712	1160	javaw.exe	reg.exe
PID 1160 wrote to memory of 1808	1160	javaw.exe	attrib.exe
PID 1160 wrote to memory of 1808	1160	javaw.exe	attrib.exe
PID 1160 wrote to memory of 1808	1160	javaw.exe	attrib.exe
PID 1160 wrote to memory of 580	1160	javaw.exe	attrib.exe
PID 1160 wrote to memory of 580	1160	javaw.exe	attrib.exe
PID 1160 wrote to memory of 580	1160	javaw.exe	attrib.exe
PID 1160 wrote to memory of 828	1160	javaw.exe	javaw.exe
PID 1160 wrote to memory of 828	1160	javaw.exe	javaw.exe
PID 1160 wrote to memory of 828	1160	javaw.exe	javaw.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 944 wrote to memory of 1448	944	asdqw83349861051483817720Jamesss.exe	asdqw83349861051483817720Jamesss.exe
PID 828 wrote to memory of 996	828	javaw.exe	reg.exe
PID 828 wrote to memory of 996	828	javaw.exe	reg.exe
PID 828 wrote to memory of 996	828	javaw.exe	reg.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1808 attrib.exe
580 attrib.exe

pid	process
1808	attrib.exe
580	attrib.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\96636e5bcd4cd79a7f594c4ce1a95270b0892f7b53ad0eae8221e50c02e98aaa.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe
C:\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe
"C:\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe"
4⤵
- Executes dropped EXE
PID:1448

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\asdqw66524409487039364261List.jar"
2⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FlUYHJ7y3x /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\OYmREFT1Hb.VwA\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1712

C:\Windows\system32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\*.*"
3⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1808

C:\Windows\system32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\ie0BjxAPXD"
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:580

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\OYmREFT1Hb.VwA"
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FlUYHJ7y3x /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\OYmREFT1Hb.VwA\"" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asdqw66524409487039364261List.jar
Filesize
97KB

MD5
d5adb5e6f16786fb8e87f4ba6ca59311

SHA1
1078e0a3637412550770acafcaaa9a70b37bbc53

SHA256
f9549ed3c45c8e5c305883fd79052437e0ab666c2b8c0c96f1781f71dcd64085

SHA512
75259756e11eb2a3a3b646e9daebc18ff21db5e323878b1e65566d945513fa66eb56f59433cd26b8e4647a577612cadfa4f376bf5d2e651341fc208ad99448c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe
Filesize
359KB

MD5
770cfc8f837ede9ff7775ed9aee3c736

SHA1
9fb5c22f1972ee661b7c432a6ff0797cd3b007b3

SHA256
5f7c788a387ee39a271554870a764feaeb19c80efc6935a38e3762b867ead0b8

SHA512
e64efd8c2d4bf6fca5da6de2e2c6388f072c74a999b061da76a05cb8580c951d3e868345407d6a7056802c81965f7ae9201e0abd7aa32a6c2e050e31cc1d03f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe
Filesize
359KB

MD5
770cfc8f837ede9ff7775ed9aee3c736

SHA1
9fb5c22f1972ee661b7c432a6ff0797cd3b007b3

SHA256
5f7c788a387ee39a271554870a764feaeb19c80efc6935a38e3762b867ead0b8

SHA512
e64efd8c2d4bf6fca5da6de2e2c6388f072c74a999b061da76a05cb8580c951d3e868345407d6a7056802c81965f7ae9201e0abd7aa32a6c2e050e31cc1d03f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe
Filesize
359KB

MD5
770cfc8f837ede9ff7775ed9aee3c736

SHA1
9fb5c22f1972ee661b7c432a6ff0797cd3b007b3

SHA256
5f7c788a387ee39a271554870a764feaeb19c80efc6935a38e3762b867ead0b8

SHA512
e64efd8c2d4bf6fca5da6de2e2c6388f072c74a999b061da76a05cb8580c951d3e868345407d6a7056802c81965f7ae9201e0abd7aa32a6c2e050e31cc1d03f8

Download Submit
C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\Desktop.ini
Filesize
63B

MD5
e783bdd20a976eaeaae1ff4624487420

SHA1
c2a44fab9df00b3e11582546b16612333c2f9286

SHA256
2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3

SHA512
8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80

Download Submit
C:\Users\Admin\AppData\Roaming\ie0BjxAPXD\OYmREFT1Hb.VwA
Filesize
97KB

MD5
d5adb5e6f16786fb8e87f4ba6ca59311

SHA1
1078e0a3637412550770acafcaaa9a70b37bbc53

SHA256
f9549ed3c45c8e5c305883fd79052437e0ab666c2b8c0c96f1781f71dcd64085

SHA512
75259756e11eb2a3a3b646e9daebc18ff21db5e323878b1e65566d945513fa66eb56f59433cd26b8e4647a577612cadfa4f376bf5d2e651341fc208ad99448c8

Download Submit
\Users\Admin\AppData\Local\Temp\asdqw83349861051483817720Jamesss.exe
Filesize
359KB

MD5
770cfc8f837ede9ff7775ed9aee3c736

SHA1
9fb5c22f1972ee661b7c432a6ff0797cd3b007b3

SHA256
5f7c788a387ee39a271554870a764feaeb19c80efc6935a38e3762b867ead0b8

SHA512
e64efd8c2d4bf6fca5da6de2e2c6388f072c74a999b061da76a05cb8580c951d3e868345407d6a7056802c81965f7ae9201e0abd7aa32a6c2e050e31cc1d03f8

Download Submit
memory/580-95-0x0000000000000000-mapping.dmp

Download
memory/828-122-0x00000000022C0000-0x00000000052C0000-memory.dmp

Filesize
48.0MB

Download
memory/828-108-0x00000000022C0000-0x00000000052C0000-memory.dmp

Filesize
48.0MB

Download
memory/828-96-0x0000000000000000-mapping.dmp

Download
memory/924-68-0x0000000000000000-mapping.dmp

Download
memory/944-74-0x0000000000000000-mapping.dmp

Download
memory/944-92-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/944-89-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/944-88-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/944-121-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/996-123-0x0000000000000000-mapping.dmp

Download
memory/1044-57-0x00000000020B0000-0x00000000050B0000-memory.dmp

Filesize
48.0MB

Download
memory/1044-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1160-91-0x00000000021D0000-0x00000000051D0000-memory.dmp

Filesize
48.0MB

Download
memory/1160-87-0x00000000021D0000-0x00000000051D0000-memory.dmp

Filesize
48.0MB

Download
memory/1160-69-0x0000000000000000-mapping.dmp

Download
memory/1448-110-0x00000000000C0000-0x00000000000D9000-memory.dmp

Filesize
100KB

Download
memory/1448-114-0x00000000000C0000-0x00000000000D9000-memory.dmp

Filesize
100KB

Download
memory/1448-117-0x000000000041043C-mapping.dmp

Download
memory/1448-119-0x00000000000C0000-0x00000000000D9000-memory.dmp

Filesize
100KB

Download
memory/1448-113-0x00000000000C0000-0x00000000000D9000-memory.dmp

Filesize
100KB

Download
memory/1448-111-0x00000000000C0000-0x00000000000D9000-memory.dmp

Filesize
100KB

Download
memory/1712-93-0x0000000000000000-mapping.dmp

Download
memory/1808-94-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads