General

  • Target

    3bd838a0d9a18bea7b2e44aa0e2785d2_JaffaCakes118

  • Size

    133KB

  • Sample

    240729-h2q14syarp

  • MD5

    3bd838a0d9a18bea7b2e44aa0e2785d2

  • SHA1

    e9deb6e25635a1177c395fdb597c4b5bcd4b0e46

  • SHA256

    939e6a369e627141616143feb0fd8a07c345081497d6d24fe96b81ea820e0efa

  • SHA512

    40d4a93f193de9cee83d28d79daf214256d8b65f7dc08c2b6d1ca6f0986c85e02a4433685c649573d7a0df299af04c7d521c5bfcafa36300dc19c7fb73ba399e

  • SSDEEP

    1536:EkppaDFMmiF/zh3M9etvtsSC+Lgu95ogO6ewxQ55/oC9+cRFfc9zPG3R7:lpOO1Oet1tlClBoCxrua3p

Malware Config

Extracted

Family

pony

C2

http://capitulosde.com:8080/forum/viewtopic.php

http://168.144.38.105:8080/forum/viewtopic.php

Attributes
  • payload_url
Targets

    • Target

      3bd838a0d9a18bea7b2e44aa0e2785d2_JaffaCakes118

    • Pony, Fareit

      Pony is a Remote Access Trojan that steals information.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15