pony | 5e8a1953756950b7068b3672a336c17f104ab8683d0dcaea7eee2910bb922dae | Triage

Sharing

General

Target

c977088f8bb8f4c90e9433b2c2a7a045_JaffaCakes118
Size

2.6MB
Sample

240829-x11w9ayfmp
MD5

c977088f8bb8f4c90e9433b2c2a7a045
SHA1

2add572e75fa70b919931f8a2817bc57869844db
SHA256

5e8a1953756950b7068b3672a336c17f104ab8683d0dcaea7eee2910bb922dae
SHA512

e8be158c50bbad4f0ef55a1bb48214b75aeed0bd062802ddd8c1ea9c3001b37aa17e7ef86189782c7ddf33e86d2e02eeac453863fe66a41e6a8f856878012264
SSDEEP

49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl6:86SIROiFJiwp0xlrl6

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Targets

- Target
  
  c977088f8bb8f4c90e9433b2c2a7a045_JaffaCakes118
- Size
  
  2.6MB
- MD5
  
  c977088f8bb8f4c90e9433b2c2a7a045
- SHA1
  
  2add572e75fa70b919931f8a2817bc57869844db
- SHA256
  
  5e8a1953756950b7068b3672a336c17f104ab8683d0dcaea7eee2910bb922dae
- SHA512
  
  e8be158c50bbad4f0ef55a1bb48214b75aeed0bd062802ddd8c1ea9c3001b37aa17e7ef86189782c7ddf33e86d2e02eeac453863fe66a41e6a8f856878012264
- SSDEEP
  
  49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl6:86SIROiFJiwp0xlrl6
Score

10^/10

pony discovery evasion persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponydiscoveryevasionpersistenceratspywarestealer

behavioral2

ponydiscoveryevasionpersistenceratspywarestealer