Overview

overview

10

Static

static

3

74bd7667f2...18.exe

windows7-x64

10

74bd7667f2...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    74bd7667f28661090382e2901c9ad698_JaffaCakes118

  • Size

    108KB

  • Sample

    240726-tgw76sxhrk

  • MD5

    74bd7667f28661090382e2901c9ad698

  • SHA1

    24289e76f8db1d0eea29df06cbe6f540152dac9f

  • SHA256

    05621564b2fb3f1afafddc5060ad009125260eb20e5a60f733b00a6a86b58f3f

  • SHA512

    a3e0fb8c0c3e752e0febfcf342f3a8ff7612b148d30559e47b0818584f6739820e441951fb30866f4b19d5b89175f88aff8ea07030a23f6d22694329a2e4aba1

  • SSDEEP

    3072:tUzh5P2WViCdlpQKI08ZWY+mEZ2cqiKL9oRz:tgh5fbQjZZlgR

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://187.9.27.164:8080/forum/viewtopic.php

http://74.91.121.211/forum/viewtopic.php
Attributes
  • payload_url

    http://www.fcpw.at/w6uR.exe

    http://medismindia.com/X7NqF9e.exe

    http://visionworksadvertising.com/K1mPFt1.exe

Targets

    • Target

      74bd7667f28661090382e2901c9ad698_JaffaCakes118

    • Size

      108KB

    • MD5

      74bd7667f28661090382e2901c9ad698

    • SHA1

      24289e76f8db1d0eea29df06cbe6f540152dac9f

    • SHA256

      05621564b2fb3f1afafddc5060ad009125260eb20e5a60f733b00a6a86b58f3f

    • SHA512

      a3e0fb8c0c3e752e0febfcf342f3a8ff7612b148d30559e47b0818584f6739820e441951fb30866f4b19d5b89175f88aff8ea07030a23f6d22694329a2e4aba1

    • SSDEEP

      3072:tUzh5P2WViCdlpQKI08ZWY+mEZ2cqiKL9oRz:tgh5fbQjZZlgR

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

1
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks