pony | b475d20cf7e6facb0a9ffa5a51e3ed7d50eeadd3ad90394b14a8989260694e7c

General

Target

1cfdc1d171614dec2d83d1d85d028551_JaffaCakes118
Size

92KB
Sample

240702-abamfayanh
MD5

1cfdc1d171614dec2d83d1d85d028551
SHA1

7d1ec11608a949572e47fc499d568620fa1f6d5d
SHA256

b475d20cf7e6facb0a9ffa5a51e3ed7d50eeadd3ad90394b14a8989260694e7c
SHA512

2cf2f192bfb263ed4062633a30389ef86e84f5be02d4f2cabc2035b9ecf8568201735ca7d9de8c95d9163d321505db9a9f18302dff100694c9cc7da5497710c9
SSDEEP

1536:7zARgxLF+yZcU5bUriFh751xKn9TZ9egzWwMjB5P3aU9HxTEpZmv8/NA79n/lxiK:7zhpNUeFd49TZ9S3vHCZ3/Ny9n5

Score

10^/10

Malware Config

Targets

- Target
  
  1cfdc1d171614dec2d83d1d85d028551_JaffaCakes118
- Size
  
  92KB
- MD5
  
  1cfdc1d171614dec2d83d1d85d028551
- SHA1
  
  7d1ec11608a949572e47fc499d568620fa1f6d5d
- SHA256
  
  b475d20cf7e6facb0a9ffa5a51e3ed7d50eeadd3ad90394b14a8989260694e7c
- SHA512
  
  2cf2f192bfb263ed4062633a30389ef86e84f5be02d4f2cabc2035b9ecf8568201735ca7d9de8c95d9163d321505db9a9f18302dff100694c9cc7da5497710c9
- SSDEEP
  
  1536:7zARgxLF+yZcU5bUriFh751xKn9TZ9egzWwMjB5P3aU9HxTEpZmv8/NA79n/lxiK:7zhpNUeFd49TZ9S3vHCZ3/Ny9n5
Score

10^/10

pony risepro defense_evasion discovery persistence privilege_escalation rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1