Overview

overview

10

Static

static

3

013f51adbd...18.exe

windows7-x64

10

013f51adbd...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    013f51adbdfc57805523576f0864be2d_JaffaCakes118

  • Size

    386KB

  • Sample

    240426-vm7rjagb92

  • MD5

    013f51adbdfc57805523576f0864be2d

  • SHA1

    2b1a2b04e027c5b238fe8aef247da0873ea7cc3e

  • SHA256

    e57c9320ec6ae7d2fcb1bdc7d59033411b50fc5d4d28c88137d19fc1edaa279b

  • SHA512

    579970a03258981a9ae879cd351ed8db06d4469dc726a82216886eb883087f7293afbeb2e54d3b2d7e185420517f55fd48740098a8e38291a6adc1f38cd1cbd0

  • SSDEEP

    6144:TjbeifBxa5tFRRpYUcds1xuLhcmhqFecw51q99swY1JGfYIcg/9QmKX7:TuEAPFxZce1xuccq9w51q/sB1JfloOzr

Score
10/10
ponycollectiondiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://gregorian.club/ifamandiebyaccident/gate.php

Attributes
  • payload_url

    http://myp0nysite.ru/shit.exe

Targets

    • Target

      013f51adbdfc57805523576f0864be2d_JaffaCakes118

    • Size

      386KB

    • MD5

      013f51adbdfc57805523576f0864be2d

    • SHA1

      2b1a2b04e027c5b238fe8aef247da0873ea7cc3e

    • SHA256

      e57c9320ec6ae7d2fcb1bdc7d59033411b50fc5d4d28c88137d19fc1edaa279b

    • SHA512

      579970a03258981a9ae879cd351ed8db06d4469dc726a82216886eb883087f7293afbeb2e54d3b2d7e185420517f55fd48740098a8e38291a6adc1f38cd1cbd0

    • SSDEEP

      6144:TjbeifBxa5tFRRpYUcds1xuLhcmhqFecw51q99swY1JGfYIcg/9QmKX7:TuEAPFxZce1xuccq9w51q/sB1JfloOzr

    Score
    10/10
    ponycollectiondiscoverypersistenceratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks