General

  • Target

    1828043dde2dc716db61b0e3f0aaa288_JaffaCakes118

  • Size

    128KB

  • Sample

    240628-a131aa1fkd

  • MD5

    1828043dde2dc716db61b0e3f0aaa288

  • SHA1

    b6a72edc4746b47246b4d4f04fe12193e212719f

  • SHA256

    7f3b77895c64bbee48c03befaefee8426608b74466775d659eda052cb3a9580b

  • SHA512

    eb79f54b8cd755c1acde46ed2cb692b2e44e4a3c2d97920461423e36ec5830ac24e4d9f9d0187503d950d415a040289c697339d33060f6af70857e59a30fd66f

  • SSDEEP

    3072:OTgKjae+rir66ji5HndwFur+n3uhlMw6TxpeR:Oc9e4w6II91SnwMwbR

Malware Config

Extracted

Family

pony

C2

http://200.72.183.54:81/pony/gate.php

http://91.121.84.204:8080/pony/gate.php

Attributes
  • payload_url

    http://astrum-rybka.ru/CUyfRYaU/JrhtN.exe

    http://hermesdiepenbeek.be/5sGmi7RJ/ZSY.exe

    http://mysophiebiz.co.cc/m2bmBf3r/q1z.exe

Targets

    • Target

      1828043dde2dc716db61b0e3f0aaa288_JaffaCakes118

    • Size

      128KB

    • MD5

      1828043dde2dc716db61b0e3f0aaa288

    • SHA1

      b6a72edc4746b47246b4d4f04fe12193e212719f

    • SHA256

      7f3b77895c64bbee48c03befaefee8426608b74466775d659eda052cb3a9580b

    • SHA512

      eb79f54b8cd755c1acde46ed2cb692b2e44e4a3c2d97920461423e36ec5830ac24e4d9f9d0187503d950d415a040289c697339d33060f6af70857e59a30fd66f

    • SSDEEP

      3072:OTgKjae+rir66ji5HndwFur+n3uhlMw6TxpeR:Oc9e4w6II91SnwMwbR

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks