General

  • Target

    16539a96225a3ebb48a61596a70cdd11_JaffaCakes118

  • Size

    128KB

  • Sample

    240627-rq1kvavfmd

  • MD5

    16539a96225a3ebb48a61596a70cdd11

  • SHA1

    7a2381e8cb70f0582cbac81ada6b61f4c7e9b090

  • SHA256

    8efc054c2e43d9abb3af709453fc4d415742dc1927e9d1629b8667aaee3f8140

  • SHA512

    6c5ec72d3d8c4f976f0ea3a7758e748fc5c475ccd4105d4f019798e7fcb77c618c3ff73f430f255b963359c026100138eab207e358a729e0c5896941fc15f556

  • SSDEEP

    3072:uGHi6mwefyGLCNpW6ZCNRXUPw8+4O0oG4gAJq:+5f6NpW6ZCv8+zG4/

Malware Config

Extracted

Family

pony

C2

http://67.215.225.205:8080/ponys/gate.php

http://209.59.219.88/ponys/gate.php

Attributes

  • payload_url

    http://build-in.cz/CBopQ0TA/YD94an.exe

    http://heincountry.com/Lx38YeDG/PZ2AC.exe

    http://waxsurfers.com/KrYtpYBC/a0Y.exe

Targets

    • Target

      16539a96225a3ebb48a61596a70cdd11_JaffaCakes118

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
