Overview

overview

10

Static

static

10

62c766ff65...18.exe

windows7-x64

10

62c766ff65...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    62c766ff6525a05483e9b8ec2f13c050_JaffaCakes118

  • Size

    88KB

  • Sample

    240729-1s7avasenp

  • MD5

    62c766ff6525a05483e9b8ec2f13c050

  • SHA1

    40485d4229762a03b7fca40c8f82d04884936363

  • SHA256

    68b44c46b4512112874ba35dbb4c7ea1e97d900428d0fc9ce0b04aea615d073e

  • SHA512

    2112193833c7582223a0bcd9a0e083c4af75ce4a934e80b3c8afc0d0e0b8034f9df08ab6a0b7a2acc8b23155ef2daaae106a7d50187b2f99ac1825e7903721cf

  • SSDEEP

    1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIy9kzZ3:9dOy+ubiDBzv+1H4OgYEIy+3

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://bmzblog.com/default.php?5L6PGBkdZacy8NWlzc1iWwvafZxYtWw7ufhfL9Ne

http://brooklynpremium.com/default.php?Hl6C3s7pmemdZRosz4eAt6FkCO58Bolr

http://klamicro.com/default.php?CyXuiDAcp21uPrfbAuv6hkCmHUVRTwhjGBZTGMB

http://install-cap.com.mx/default.php?HuIRSkboVeo37JtK7C1gLiUZAFhjy71Gk

http://globalpaytech.com/default.php?iPPCgIdQ25LKPoiBniZiQ8MYAWJT7NfZlj

Targets

    • Target

      62c766ff6525a05483e9b8ec2f13c050_JaffaCakes118

    • Size

      88KB

    • MD5

      62c766ff6525a05483e9b8ec2f13c050

    • SHA1

      40485d4229762a03b7fca40c8f82d04884936363

    • SHA256

      68b44c46b4512112874ba35dbb4c7ea1e97d900428d0fc9ce0b04aea615d073e

    • SHA512

      2112193833c7582223a0bcd9a0e083c4af75ce4a934e80b3c8afc0d0e0b8034f9df08ab6a0b7a2acc8b23155ef2daaae106a7d50187b2f99ac1825e7903721cf

    • SSDEEP

      1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIy9kzZ3:9dOy+ubiDBzv+1H4OgYEIy+3

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks