pony | 3b5402a65f8301b97bfc1dc276b97f695ec7cb44efc1e941ed0f4778eda26fa6

General

Target

6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe
Size

1.1MB
MD5

6e75b846207c166f882226e6ffb7c000
SHA1

94ca9238a4888754df1f7e0cef0d4cab6f1eef24
SHA256

3b5402a65f8301b97bfc1dc276b97f695ec7cb44efc1e941ed0f4778eda26fa6
SHA512

166321f32b0196bc5577f13e72e3b4d4db6c5fcd95423b639711c18e4d7bb767f6e98fa905aa1cc8195e262c56bce3ac46e9e80b569ea076a29973f20aec9bbe
SSDEEP

24576:kO0N1KqkD77mkJxTjloSVpXcgs4hI/twQ/:5YE1T+ONWD

Score

10^/10

pony rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://199.192.25.237/~catchusnot/panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 5 IoCs

Processes:

Wservices.exeWservices.exeWservices.exeWservices.exeWservices.exe

pid process

2512 Wservices.exe
1608 Wservices.exe
2036 Wservices.exe
1476 Wservices.exe
2400 Wservices.exe

pid	process
2512	Wservices.exe
1608	Wservices.exe
2036	Wservices.exe
1476	Wservices.exe
2400	Wservices.exe

Loads dropped DLL 15 IoCs

Processes:

6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exeWerFault.exeWerFault.exe

pid	process
2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Wservices.exeWservices.exe

description	pid	process	target process
PID 2512 set thread context of 2036	2512	Wservices.exe	Wservices.exe
PID 1476 set thread context of 2400	1476	Wservices.exe	Wservices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1204 2036 WerFault.exe Wservices.exe
1676 2400 WerFault.exe Wservices.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2452 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2748 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2748 AcroRd32.exe
2748 AcroRd32.exe
2748 AcroRd32.exe

pid	pid_target	process	target process
1204	2036	WerFault.exe	Wservices.exe
1676	2400	WerFault.exe	Wservices.exe

pid	process
2452	schtasks.exe

pid	process
2748	AcroRd32.exe

pid	process
2748	AcroRd32.exe
2748	AcroRd32.exe
2748	AcroRd32.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exetaskeng.exeWservices.exeWservices.exeWservices.exeWservices.exe

description	pid	process	target process
PID 2244 wrote to memory of 2748	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	AcroRd32.exe
PID 2244 wrote to memory of 2748	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	AcroRd32.exe
PID 2244 wrote to memory of 2748	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	AcroRd32.exe
PID 2244 wrote to memory of 2748	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	AcroRd32.exe
PID 2244 wrote to memory of 2452	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	schtasks.exe
PID 2244 wrote to memory of 2452	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	schtasks.exe
PID 2244 wrote to memory of 2452	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	schtasks.exe
PID 2244 wrote to memory of 2452	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	schtasks.exe
PID 2244 wrote to memory of 2512	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	Wservices.exe
PID 2244 wrote to memory of 2512	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	Wservices.exe
PID 2244 wrote to memory of 2512	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	Wservices.exe
PID 2244 wrote to memory of 2512	2244	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	Wservices.exe
PID 2416 wrote to memory of 1608	2416	taskeng.exe	Wservices.exe
PID 2416 wrote to memory of 1608	2416	taskeng.exe	Wservices.exe
PID 2416 wrote to memory of 1608	2416	taskeng.exe	Wservices.exe
PID 2416 wrote to memory of 1608	2416	taskeng.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2512 wrote to memory of 2036	2512	Wservices.exe	Wservices.exe
PID 2036 wrote to memory of 1204	2036	Wservices.exe	WerFault.exe
PID 2036 wrote to memory of 1204	2036	Wservices.exe	WerFault.exe
PID 2036 wrote to memory of 1204	2036	Wservices.exe	WerFault.exe
PID 2036 wrote to memory of 1204	2036	Wservices.exe	WerFault.exe
PID 2416 wrote to memory of 1476	2416	taskeng.exe	Wservices.exe
PID 2416 wrote to memory of 1476	2416	taskeng.exe	Wservices.exe
PID 2416 wrote to memory of 1476	2416	taskeng.exe	Wservices.exe
PID 2416 wrote to memory of 1476	2416	taskeng.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 1476 wrote to memory of 2400	1476	Wservices.exe	Wservices.exe
PID 2400 wrote to memory of 1676	2400	Wservices.exe	WerFault.exe
PID 2400 wrote to memory of 1676	2400	Wservices.exe	WerFault.exe
PID 2400 wrote to memory of 1676	2400	Wservices.exe	WerFault.exe
PID 2400 wrote to memory of 1676	2400	Wservices.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ICOBOX PROPOSAL.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc minute /mo 1 /tn "'6e75b846207c166f882226e6ffb7c000_JaffaCakes118'" /tr "'C:\Users\Admin\AppData\Roaming\Wservices.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:2452
- C:\Users\Admin\AppData\Roaming\Wservices.exe
  "C:\Users\Admin\AppData\Roaming\Wservices.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Roaming\Wservices.exe
    "C:\Users\Admin\AppData\Roaming\Wservices.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 156
      4⤵
      Loads dropped DLL
      Program crash
      PID:1204

C:\Windows\system32\taskeng.exe
taskeng.exe {121B2CC2-94A9-4107-BF45-7032009356B0} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Roaming\Wservices.exe
  C:\Users\Admin\AppData\Roaming\Wservices.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Users\Admin\AppData\Roaming\Wservices.exe
  C:\Users\Admin\AppData\Roaming\Wservices.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Roaming\Wservices.exe
    "C:\Users\Admin\AppData\Roaming\Wservices.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 156
      4⤵
      Loads dropped DLL
      Program crash
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ICOBOX PROPOSAL.pdf

Filesize
495KB

MD5
660380474df2fa5a174e3a25b680fff6

SHA1
59c78b29da6b1441e5b6a8196abf320e67113510

SHA256
79b2b935f1b6ec7474663ce9a9011954feca17b740ce921c34fe6ac4469bcb92

SHA512
43c20cd8d01a773ae935e3b1bed767ff3e8983ccffdca87b46c919eb62c0364cc81c312439a2b67fa46eaa4460a7ea54f91910b9255f8b64eacb36fead8ceec3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1322c6658e3b5e5aa9f1062567d0499d

SHA1
2f629049957876f75681a07fb8b8ed99baa38d27

SHA256
bc03c5135e2ae1be6565b4f7a8b62c3df3e4d6780ee7ac98d66c666f346ba126

SHA512
6351efb7085bb3589fbdf243f7857629c33304e013bedfa0a59036596e53556fb799b6bb2d9fe6ddbc4d5d3bfc35bb474c320a36698fb0f52852c4b57dfa1cdc

Download Submit
\Users\Admin\AppData\Roaming\Wservices.exe

Filesize
1.1MB

MD5
6e75b846207c166f882226e6ffb7c000

SHA1
94ca9238a4888754df1f7e0cef0d4cab6f1eef24

SHA256
3b5402a65f8301b97bfc1dc276b97f695ec7cb44efc1e941ed0f4778eda26fa6

SHA512
166321f32b0196bc5577f13e72e3b4d4db6c5fcd95423b639711c18e4d7bb767f6e98fa905aa1cc8195e262c56bce3ac46e9e80b569ea076a29973f20aec9bbe

Download Submit
memory/1476-60-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2036-42-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-37-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-46-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-44-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-35-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-33-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-39-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2244-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/2244-21-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/2244-30-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-3-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-22-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-1-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2512-32-0x00000000049A0000-0x00000000049BC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads