Overview

overview

10

Static

static

10

764dc5df91...18.exe

windows7-x64

10

764dc5df91...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    764dc5df91de4c732e80876d829c05ec_JaffaCakes118

  • Size

    88KB

  • Sample

    240727-adaefswhma

  • MD5

    764dc5df91de4c732e80876d829c05ec

  • SHA1

    fd34f060b395954e8ae914c8f9f5ac231f75c8ff

  • SHA256

    0471d29064e611e0704009780d81905bfa81b656c6a4fa8637836530534d9cce

  • SHA512

    80490a31e31ea055cb6cbf207d5749fcc8bcdffea57c796d28da49383b7882fb20b254070197a9a70a10595c90ef4c38681221f3fa86e096dfd5b70617ba3fd3

  • SSDEEP

    1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIzkzZ3:9dOy+ubiDBzv+1H4OgYEI83

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://comune.fuscaldo.cs.it/default.php?EYWX9yPesjsQ2FnhwMa1c61ghOJzNo

http://poppahomes.com/default.php?QSuAwSdEeSPh5oTsmu5F9TPnV8fVfZcdTWP11

http://illinoisrates.com/default.php?u2EvjYo85y3Zp8XEogzuRq7rWqExNHaNBy

http://waldenserhof-springpferde.de/default.php?fNaKRrCcxCMMzRK8vLPYTA3

http://endless.svdownloadurl.com/default.php?uueTQAHHK2qwDhRmRjAxR1NpDb

Targets

    • Target

      764dc5df91de4c732e80876d829c05ec_JaffaCakes118

    • Size

      88KB

    • MD5

      764dc5df91de4c732e80876d829c05ec

    • SHA1

      fd34f060b395954e8ae914c8f9f5ac231f75c8ff

    • SHA256

      0471d29064e611e0704009780d81905bfa81b656c6a4fa8637836530534d9cce

    • SHA512

      80490a31e31ea055cb6cbf207d5749fcc8bcdffea57c796d28da49383b7882fb20b254070197a9a70a10595c90ef4c38681221f3fa86e096dfd5b70617ba3fd3

    • SSDEEP

      1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIzkzZ3:9dOy+ubiDBzv+1H4OgYEI83

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks