General

  • Target

    477f9071a2494106f3bab9d866bf491e_JaffaCakes118

  • Size

    2.0MB

  • Sample

    240729-pzct2atbjc

  • MD5

    477f9071a2494106f3bab9d866bf491e

  • SHA1

    5bdbec0b011c60945154742de74c75cf11a6e8c7

  • SHA256

    30f309b4912eea977732ec38083cf4e363ff4f757df1b2a5170d9033fa831655

  • SHA512

    d1efe71ff34b986b72e4ca13210a019efe12fb6f08728a56350ce7ce5dcab566035db26429e104f2524dfe4774e77b4845863f3350971fc79ddae69b062e74f3

  • SSDEEP

    49152:5n2CWZeY24D4n8pKd7IXuZzKRQ54ZxrC/ccha5FzGNUbWkt9:J2CWZess8pAsu8y5qxrmhaTvbWu9

Malware Config

Extracted

Family

babylonrat

C2

cryfreeman042.ddns.net

Extracted

Family

pony

C2

http://www.mytonnymaxltd.com/wp-content/Panel/gate.php

Targets

    • Target

      477f9071a2494106f3bab9d866bf491e_JaffaCakes118

    • Size

      2.0MB

    • MD5

      477f9071a2494106f3bab9d866bf491e

    • SHA1

      5bdbec0b011c60945154742de74c75cf11a6e8c7

    • SHA256

      30f309b4912eea977732ec38083cf4e363ff4f757df1b2a5170d9033fa831655

    • SHA512

      d1efe71ff34b986b72e4ca13210a019efe12fb6f08728a56350ce7ce5dcab566035db26429e104f2524dfe4774e77b4845863f3350971fc79ddae69b062e74f3

    • SSDEEP

      49152:5n2CWZeY24D4n8pKd7IXuZzKRQ54ZxrC/ccha5FzGNUbWkt9:J2CWZess8pAsu8y5qxrmhaTvbWu9

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks