pony | a9186b357248f1b8107c1992b4a0d32010950e263f4d5378781fa03fd4b08ed3 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

08e942ee1a520c78b87de34abe5d643b_JaffaCakes118
Size

2.2MB
Sample

240430-dxe1tsbf81
MD5

08e942ee1a520c78b87de34abe5d643b
SHA1

f56fec956ba2b1531bf5aea3a3d820b8c135dbff
SHA256

a9186b357248f1b8107c1992b4a0d32010950e263f4d5378781fa03fd4b08ed3
SHA512

5c98c42c8b74ef9cb2d602a0f692d7bfaad6d3456aabcbefbbed5870513effb1fdd8e2f4b704a0fc706ee727d610d6e18ddb4255cfdb3f4eff26f7343db93311
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ1:0UzeyQMS4DqodCnoe+iitjWwwx

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Targets

- Target
  
  08e942ee1a520c78b87de34abe5d643b_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  08e942ee1a520c78b87de34abe5d643b
- SHA1
  
  f56fec956ba2b1531bf5aea3a3d820b8c135dbff
- SHA256
  
  a9186b357248f1b8107c1992b4a0d32010950e263f4d5378781fa03fd4b08ed3
- SHA512
  
  5c98c42c8b74ef9cb2d602a0f692d7bfaad6d3456aabcbefbbed5870513effb1fdd8e2f4b704a0fc706ee727d610d6e18ddb4255cfdb3f4eff26f7343db93311
- SSDEEP
  
  24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ1:0UzeyQMS4DqodCnoe+iitjWwwx
Score

10^/10

pony evasion persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponyevasionpersistenceratspywarestealer

behavioral2

ponyevasionpersistenceratspywarestealer