pony | a1aed2bfd1e4419ac07e2f5bea4806045b408fe03e1d3069eeb39f23ff6dc154 | Triage

Sharing

General

Target

7bd43947f22e2925c3dcbc6414dbf6a8_JaffaCakes118
Size

2.2MB
Sample

240528-fydkhaff6t
MD5

7bd43947f22e2925c3dcbc6414dbf6a8
SHA1

1eb989cc43aade2f5c16bab148615cde06a8c55a
SHA256

a1aed2bfd1e4419ac07e2f5bea4806045b408fe03e1d3069eeb39f23ff6dc154
SHA512

16a4d10d6b65c0da6089dda792383e9d3d8fa5b5a4e4b0d8dc7052519e30564d0e24c13de2857133ff5d0caffe9aaff4d96134e4d0f8d8d7c6b559ea071f20a1
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZS:0UzeyQMS4DqodCnoe+iitjWwwm

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Targets

- Target
  
  7bd43947f22e2925c3dcbc6414dbf6a8_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  7bd43947f22e2925c3dcbc6414dbf6a8
- SHA1
  
  1eb989cc43aade2f5c16bab148615cde06a8c55a
- SHA256
  
  a1aed2bfd1e4419ac07e2f5bea4806045b408fe03e1d3069eeb39f23ff6dc154
- SHA512
  
  16a4d10d6b65c0da6089dda792383e9d3d8fa5b5a4e4b0d8dc7052519e30564d0e24c13de2857133ff5d0caffe9aaff4d96134e4d0f8d8d7c6b559ea071f20a1
- SSDEEP
  
  24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZS:0UzeyQMS4DqodCnoe+iitjWwwm
Score

10^/10

pony evasion persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

ponyevasionpersistenceratspywarestealer

behavioral2

ponyevasionpersistenceratspywarestealer