General

  • Target

    4d4b9740fceb875ea8b5c0e75eee518c_JaffaCakes118

  • Size

    89KB

  • Sample

    240729-r71l6stckr

  • MD5

    4d4b9740fceb875ea8b5c0e75eee518c

  • SHA1

    e8d30f1012b70a8b80672dad829a7f77156fe50c

  • SHA256

    00cbc16f250d25dd2633d07c071692ee26823e055d2ed4d7cd87766dce41e704

  • SHA512

    eaaa5020cbaafc884482101fa3fcc14a413ef0c7a1aa4a73993fa3899894a0ca8c5f1dad6d2c86f48c66e9db5b2ac498680b8f94f2adcf8e156400f8a24e3f4c

  • SSDEEP

    1536:mTfV30H1G7tqT3ngZcYYzdFDIJT+fuY/13GFGO+MYMTvCEyskzZx:2VGybcYYzdFIJTQJ5O+lLEyvx

Malware Config

Extracted

  • Family

    pony

  • C2

    http://br1.irontrial.com:8080/ponyb/gate.php

    http://br1.pineapplesdonthavesleeves.com:8080/ponyb/gate.php

    http://89.166.50.40:8080/ponyb/gate.php

    http://6.magicalomaha.com/ponyb/gate.php

Attributes

  • payload_url

    http://gleeclub.bplaced.net/eHeSq.exe

    http://mybuss.com.mx/bvpVa0E.exe

    http://blazingindustrial.net/eKcV.exe

    http://208.109.123.21/sjqviLEQ.exe

    http://khioffices.com/T4Li.exe

Targets

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15