General
-
Target
229c65728a42df032580ee643bb28e9f_JaffaCakes118
-
Size
114KB
-
Sample
240728-zfffxsxeqc
-
MD5
229c65728a42df032580ee643bb28e9f
-
SHA1
9aab8222466e2dd10d8b99db1a3f11809e957d66
-
SHA256
b81224079d7cc62cef7161a107065d40e94ac84502f4d46c2f71e28daaf3403a
-
SHA512
597e92cf533a0f5a3204d6cf084d9b168550c68dbc740438dc5cbb953af9a22252ed1d9f775ddc7eb464836fc3a0bdfdfb7ac6ea26b7ab5f4665b0cfa4f0804d
-
SSDEEP
3072:/XAtWYKBlVoPGswrC47B9lHjHn36moFW3TkppDxf9:fAoYKXVoLwG47dTX4Dx
Malware Config
Extracted
pony
http://209.59.216.75/pony/gate.php
http://66.175.212.25/pony/gate.php
-
payload_url
http://www.nipbr.com/Macs.exe
http://propasmanagement.com/qTNc.exe
http://imprenta.cal24.pl/Tz9V.exe
Targets
-
-
Target
229c65728a42df032580ee643bb28e9f_JaffaCakes118
-
Size
114KB
-
MD5
229c65728a42df032580ee643bb28e9f
-
SHA1
9aab8222466e2dd10d8b99db1a3f11809e957d66
-
SHA256
b81224079d7cc62cef7161a107065d40e94ac84502f4d46c2f71e28daaf3403a
-
SHA512
597e92cf533a0f5a3204d6cf084d9b168550c68dbc740438dc5cbb953af9a22252ed1d9f775ddc7eb464836fc3a0bdfdfb7ac6ea26b7ab5f4665b0cfa4f0804d
-
SSDEEP
3072:/XAtWYKBlVoPGswrC47B9lHjHn36moFW3TkppDxf9:fAoYKXVoLwG47dTX4Dx
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-