Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

b3673107a6...18.exe

windows7-x64

10

b3673107a6...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    16/06/2024, 12:02 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b3673107a68559808a97fcb9939a111f_JaffaCakes118.exe

  • Size

    35KB

  • MD5

    b3673107a68559808a97fcb9939a111f

  • SHA1

    6b706f30a2a8fba6a44a834242bc141e06f82353

  • SHA256

    6409f2521b4b1baa956a79fcbf052889abeee7c0f7294c42ee48abeef297a17e

  • SHA512

    bc8a0b9f735e61e5710b61c90a047875754a82c5cd75f91cc08edbd97b4e082806ebf094d1f34314c2f722292c584b60c82868441c29cb159b75e47f56df48b0

  • SSDEEP

    768:gaNfTb7OUlsKYJDPMWLRPWMjjypfZ3tDOQiCUUdUYJ6UZnbcuyD7Ug:1NbtsKwPtPYfZ3taknJbZnouy8g

Score
10/10
ponycollectiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://192.99.224.252/ponx/gate.php

Attributes
  • payload_url

    http://192.99.224.252/load/aa.exe

    http://192.99.224.252/load/ad.exe

    http://192.99.224.252/load/dll.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3673107a68559808a97fcb9939a111f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b3673107a68559808a97fcb9939a111f_JaffaCakes118.exe"
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_win_path
    PID:1848

Network

    No results found
  • 192.99.224.252:80
    b3673107a68559808a97fcb9939a111f_JaffaCakes118.exe
    152 B
     3
  • 192.99.224.252:80
    b3673107a68559808a97fcb9939a111f_JaffaCakes118.exe
    152 B
     3
  • 192.99.224.252:80
    b3673107a68559808a97fcb9939a111f_JaffaCakes118.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1848-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1848-1-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1848-7-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.