pony | 7ca43ea21757fae55fb2da95f623116b5b7592a9ed603717909fef5823b78e33 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a989e2bd83b70377051a41ef7247600f_JaffaCakes118
Size

2.2MB
Sample

240614-n2kf8atbmr
MD5

a989e2bd83b70377051a41ef7247600f
SHA1

4af8b3a89a8216d14fd2b2b0831d42e8192cfef0
SHA256

7ca43ea21757fae55fb2da95f623116b5b7592a9ed603717909fef5823b78e33
SHA512

2d7ce6d6128ad02728ca5268e153e3018911d815a8eeb75bb6458155dda4967d32cc6ac338119d05adbf08afe39585edd26a9764caa0ea99699ce7a9c27f98bf
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZi:0UzeyQMS4DqodCnoe+iitjWww+

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Targets

- Target
  
  a989e2bd83b70377051a41ef7247600f_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  a989e2bd83b70377051a41ef7247600f
- SHA1
  
  4af8b3a89a8216d14fd2b2b0831d42e8192cfef0
- SHA256
  
  7ca43ea21757fae55fb2da95f623116b5b7592a9ed603717909fef5823b78e33
- SHA512
  
  2d7ce6d6128ad02728ca5268e153e3018911d815a8eeb75bb6458155dda4967d32cc6ac338119d05adbf08afe39585edd26a9764caa0ea99699ce7a9c27f98bf
- SSDEEP
  
  24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZi:0UzeyQMS4DqodCnoe+iitjWww+
Score

10^/10

pony evasion persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponyevasionpersistenceratspywarestealer

behavioral2

ponyevasionpersistenceratspywarestealer