General

  • Target

    16b61170623f07f2920f2d9ce4980980_JaffaCakes118

  • Size

    128KB

  • Sample

    240627-t3tzyascqq

  • MD5

    16b61170623f07f2920f2d9ce4980980

  • SHA1

    168527f59f6ac6d0e0da75aaae18eab260c337ea

  • SHA256

    8ae804090260573207bea218713786854e27858d7a694c594b859f652f120302

  • SHA512

    7e645dde4a72d8ceff69cf32af183ac226fa097066e52ce44b872c0dd4c932828b907f51f561ac3bf8719f3db2d810587ad9a76ef9a072aeaf361b9fa703d28a

  • SSDEEP

    3072:uGHi6mwJfjNHsXJNYxHWPKBV4ENNoDjrqVDAEmJI:+OfjOXJSxH54ENijrODAE

Malware Config

Extracted

Family

pony

C2

http://67.215.225.205:8080/ponys/gate.php

http://216.231.139.111/ponys/gate.php

Attributes
  • payload_url

    http://build-in.cz/CBopQ0TA/YD94an.exe

    http://heincountry.com/Lx38YeDG/PZ2AC.exe

    http://waxsurfers.com/KrYtpYBC/a0Y.exe

Targets

    • Target

      16b61170623f07f2920f2d9ce4980980_JaffaCakes118

    • Size

      128KB

    • MD5

      16b61170623f07f2920f2d9ce4980980

    • SHA1

      168527f59f6ac6d0e0da75aaae18eab260c337ea

    • SHA256

      8ae804090260573207bea218713786854e27858d7a694c594b859f652f120302

    • SHA512

      7e645dde4a72d8ceff69cf32af183ac226fa097066e52ce44b872c0dd4c932828b907f51f561ac3bf8719f3db2d810587ad9a76ef9a072aeaf361b9fa703d28a

    • SSDEEP

      3072:uGHi6mwJfjNHsXJNYxHWPKBV4ENNoDjrqVDAEmJI:+OfjOXJSxH54ENijrODAE

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks