Overview

overview

10

Static

static

1

2331eb1f53...18.exe

windows7-x64

10

2331eb1f53...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2024, 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2331eb1f530c236db56da6c117b26b0a_JaffaCakes118.exe

  • Size

    147KB

  • MD5

    2331eb1f530c236db56da6c117b26b0a

  • SHA1

    137fa9f702ef0964ceb1a63a8fc89abfb81f6e2e

  • SHA256

    85b26ca78afef8aef9328efb3a2a2eafd913ed868afb4bc2497b082d1ca72ba4

  • SHA512

    7354460db5dcee8f58a05eb0f1f7f122ad82ec78feb16b2d9babbe8da5155641285f4c9533d5626e039dbb5fe52319322d1a47a8d9422068add47357d2f667d6

  • SSDEEP

    3072:yqs1XYO4927RHWobfC+rIkLyqCmQJujb2ltgpP/PTNo:ydzWIfC6Ly+QJu46m

Score
10/10
ponydiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://178.32.160.255:8080/pony/gate.php

http://88.85.99.44:8080/pony/gate.php
Attributes
  • payload_url

    http://terrafogojoias.com.br/sVK4XT.exe

    http://faratel.com/bNidsRD.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2331eb1f530c236db56da6c117b26b0a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2331eb1f530c236db56da6c117b26b0a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3260
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
    1⤵
      PID:2552

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3260-0-0x0000000000530000-0x0000000000547000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3260-2-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3260-1-0x00000000021C0000-0x00000000021EB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3260-5-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download