General

  • Target

    621324886e649377c4d3f1cb9e532525_JaffaCakes118

  • Size

    89KB

  • Sample

    240729-1kmlgawerc

  • MD5

    621324886e649377c4d3f1cb9e532525

  • SHA1

    35d4abad95007a7264c3bfe0cb5c9eb91a01ceaa

  • SHA256

    8bd42f4b867ccda4090f241e5d4ad9cb645fb0eec3b5e1276c8945ff2aa87b75

  • SHA512

    ab646d9176c1a0487df46939dc50a30fc0bc1d0d39d3608257a6505827416ab4b40a24f8213c5a4f2e91842782010ccd6603c78872382dc7fb23aff498baace3

  • SSDEEP

    1536:5RK3u/II/qTMO+IjkiLXzxYm+ObOO+uiiEupmJc0Z44OGsxt0Tv+E7WX+kzZxov:/qdIUwiLXzxV+Ob6vTupmJXOGOXE6h+

Malware Config

Extracted

Family

pony

C2

http://paralysiesfaciale.com:8080/ponyb/gate.php

http://paralysiesfaciales.com:8080/ponyb/gate.php

http://shop.smsmpi.com:8080/ponyb/gate.php

http://smsmpi.com:8080/ponyb/gate.php

Attributes
  • payload_url

    http://cerram.es/222Xu.exe

    http://alina-schmitt.de/qJ1qhU.exe

    http://smallbizsuccessguide.com/g6XiC.exe

    http://alkri.od.ua/sdoaeLWE.exe

    http://pastamutfagi.com/up0UEB.exe

Targets

    • Pony,Fareit

      Pony is a remote access trojan that steals information.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15