General
-
Target
cbcc73a1b708fca4b8e1b9c5cb2258e4_JaffaCakes118
-
Size
130KB
-
Sample
240830-2hjx8szhpp
-
MD5
cbcc73a1b708fca4b8e1b9c5cb2258e4
-
SHA1
9e8141550cfcb0f92feaae7a53e623a3bc6fb662
-
SHA256
046dd3a4763cc21ae21dd815d64d92179f3e14d03552115c44b103ba7497f5e1
-
SHA512
fe357d1d1b9cc03ac33cb9c75a10edaad559d3b76dec67554a401810729c05ebf983477fb3cdca5cb79c069558b7c7701533fd66952395c809ba0f5de1e728a1
-
SSDEEP
3072:xKNDpxhwmggTQien+UJ/djOyWWP9Bh4TjZ4Vt+xtr:ENFxYjzhFZWWZQjZ4m
Malware Config
Extracted
pony
http://stareanatiunii.com:8080/pony/gate.php
http://173.83.251.73:8080/pony/gate.php
-
payload_url
http://bellaprobeauty.com/TUZCpyj.exe
http://taberah.co.za/KCM63Mi.exe
http://208.43.29.73/zFY.exe
Targets
-
-
Target
cbcc73a1b708fca4b8e1b9c5cb2258e4_JaffaCakes118
-
Size
130KB
-
MD5
cbcc73a1b708fca4b8e1b9c5cb2258e4
-
SHA1
9e8141550cfcb0f92feaae7a53e623a3bc6fb662
-
SHA256
046dd3a4763cc21ae21dd815d64d92179f3e14d03552115c44b103ba7497f5e1
-
SHA512
fe357d1d1b9cc03ac33cb9c75a10edaad559d3b76dec67554a401810729c05ebf983477fb3cdca5cb79c069558b7c7701533fd66952395c809ba0f5de1e728a1
-
SSDEEP
3072:xKNDpxhwmggTQien+UJ/djOyWWP9Bh4TjZ4Vt+xtr:ENFxYjzhFZWWZQjZ4m
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-