Overview

overview

10

Static

static

10

60ce17786c...18.exe

windows7-x64

10

60ce17786c...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    60ce17786c23189a88406eb311ae5ba9_JaffaCakes118

  • Size

    88KB

  • Sample

    240729-z592tsvhjd

  • MD5

    60ce17786c23189a88406eb311ae5ba9

  • SHA1

    872bb2a324578a46bf38d43515b8662d1c9f1d79

  • SHA256

    3998a536d5dadd84b6e006752762ef0cec6fd857f251339c5ca114cc2ffcb63c

  • SHA512

    de2e4df26e9a742093edb99a0bdb0e40deaa4268ea6957f9d6ca5da874a1058e3bf84ad55ea6edb17467f5c509f0f358219009791fbbd052ed5d177c865e1721

  • SSDEEP

    1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIHkzZ3:9dOy+ubiDBzv+1H4OgYEIo3

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://comune.fuscaldo.cs.it/default.php?wLZTbsAk2VmMKdz1XkzlAWD5Wz9tnW

http://poppahomes.com/default.php?apKK5OaOhqBncRzIFxYc3apTaVIs2RFZKIlGV

http://illinoisrates.com/default.php?VrMPNM1OJpKRxodD9FFl5qhr64ZkYOc8gX

http://waldenserhof-springpferde.de/default.php?1fTu2rfRc19RzfjVDKjjJLn

http://endless.svdownloadurl.com/default.php?PXZMMvnbwOLB15drrmlpUre1hW

Targets

    • Target

      60ce17786c23189a88406eb311ae5ba9_JaffaCakes118

    • Size

      88KB

    • MD5

      60ce17786c23189a88406eb311ae5ba9

    • SHA1

      872bb2a324578a46bf38d43515b8662d1c9f1d79

    • SHA256

      3998a536d5dadd84b6e006752762ef0cec6fd857f251339c5ca114cc2ffcb63c

    • SHA512

      de2e4df26e9a742093edb99a0bdb0e40deaa4268ea6957f9d6ca5da874a1058e3bf84ad55ea6edb17467f5c509f0f358219009791fbbd052ed5d177c865e1721

    • SSDEEP

      1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIHkzZ3:9dOy+ubiDBzv+1H4OgYEIo3

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks