General
-
Target
7c503a5c60063b5192ebaeeec9750e46_JaffaCakes118
-
Size
90KB
-
Sample
240528-kb1tqsde94
-
MD5
7c503a5c60063b5192ebaeeec9750e46
-
SHA1
3bee8adfaedfd7dbb4b036199b4d71b069c0d1fe
-
SHA256
f269639e908fd241e7eb3ec86979e880178965b2bee4c10aab0d63e329b74ed4
-
SHA512
2473f57ad0a1043725019c64b8fc82eace6b620fe2b6f428e62dd09449f97ae2748f8e83b6af2d23d79928f3fbeb9d3a7c14e577c79b8fbcaad0f86e7ba4e669
-
SSDEEP
1536:qbQkt0/qTpimVU2siDW6cxbXMiKBSguaIQp8AxfnG+6aMc0jOEJ15DTvlEwLkzmy:/lgVU2siDWHxjMiGIQpRfG9OOEwzy
Malware Config
Extracted
pony
http://4maat.com/by/back/gate.php
-
payload_url
http://4maat.com/by/back/micro.exe
Targets
-
-
Target
7c503a5c60063b5192ebaeeec9750e46_JaffaCakes118
-
Size
90KB
-
MD5
7c503a5c60063b5192ebaeeec9750e46
-
SHA1
3bee8adfaedfd7dbb4b036199b4d71b069c0d1fe
-
SHA256
f269639e908fd241e7eb3ec86979e880178965b2bee4c10aab0d63e329b74ed4
-
SHA512
2473f57ad0a1043725019c64b8fc82eace6b620fe2b6f428e62dd09449f97ae2748f8e83b6af2d23d79928f3fbeb9d3a7c14e577c79b8fbcaad0f86e7ba4e669
-
SSDEEP
1536:qbQkt0/qTpimVU2siDW6cxbXMiKBSguaIQp8AxfnG+6aMc0jOEJ15DTvlEwLkzmy:/lgVU2siDWHxjMiGIQpRfG9OOEwzy
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-