pony | c3571d5888250683eca3b201dc9d6d54e66d49624c9e2f0e8f7802334188a154

Analysis

max time kernel
142s
max time network
143s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
30/08/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe
Size

287KB
MD5

caaf60c089e04c0c57acc2e1a1f8b01c
SHA1

1d21e97578db99a5a596695fa908a1616e319b03
SHA256

c3571d5888250683eca3b201dc9d6d54e66d49624c9e2f0e8f7802334188a154
SHA512

f3ec6014c41796b2d076619bddbe269c8dc5ea8f0641f9df89ebcf69cae4245288d9489abd030fab2df81d3567698ab752851b5b22f3ccffd781181f7644cedc
SSDEEP

6144:d0F/Kpm6dNAUmmS0QU/81h70QaDDhhy+8/mOnK:EKE8QU01h0/I/

Score

10^/10

pony credential_access discovery rat spyware stealer upx

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe
844	DllHost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2296-30-0x00000000021A0000-0x00000000021B6000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 2396	2296	caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{be07978f-a6bd-2781-954d-4e38738a35a1}\cid = "4727032911743233688"	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{be07978f-a6bd-2781-954d-4e38738a35a1}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{be07978f-a6bd-2781-954d-4e38738a35a1}\u = "860049491"	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2396	2296	caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2396	2296	caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2396	2296	caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2396	2296	caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2396	2296	caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe	30
PID 2396 wrote to memory of 336	2396	explorer.exe	2
PID 336 wrote to memory of 2128	336	csrss.exe	31
PID 336 wrote to memory of 2128	336	csrss.exe	31
PID 336 wrote to memory of 856	336	csrss.exe	13
PID 336 wrote to memory of 844	336	csrss.exe	32

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:856
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2128

C:\Users\Admin\AppData\Local\Temp\caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\caaf60c089e04c0c57acc2e1a1f8b01c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\explorer.exe
  000000FC*
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
cbdc0cde70c329fb9591e7a9aaf088e4

SHA1
de133dd7454c261676b95cc6a336df0c56672343

SHA256
7d29714741933527b3d738273c9a24691ee595925dcc9a394871de600dbca843

SHA512
fa41ed526cce671fe6bc0a0336dd49c9f97aa9032bb16e42b7480fd0376c284f9ddd73bee0e92d7a4991405d385f13c125cc310ab33d20fb49dd33caf6b45365

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
d3bd9c7e7a29daa24c66dc62cd5f5633

SHA1
3895247052b6244659e73334e6398677dafa0ac1

SHA256
6b87925d0e03ab5daa4760b1a62bed66c49cb489d011e2c9633eb0fe466df83f

SHA512
e243a2272887b02417b08b0d0728689c8f01cc57d473ed811ba98c2f5aa4d985d02d0fd7772bc33356474abcc815609ab7a6c0e905d6fe884fb7bc70bc67e9d0

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
ff7d5ec20bf73c02317e7a740fffe018

SHA1
365ac8cfe5b939854cc1c341caf051bcc45f9372

SHA256
1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a

SHA512
30854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
3e7a118b119428247edfc5d5ef3761bc

SHA1
140e4cb00107678160411f016c4c17611580a209

SHA256
97c19f4103a16798202e50a501375d0bf3d7ec1bb654dda230337e85b01b1ec5

SHA512
b0e27a4d7aa62f937f275b9f413f75857846ae670bf3aed6e55c1db865485fda89e33dcdffa02ae2ab25f48d5f63f869232f9e6d69f9cdc8a5c93f39de09a925

Download Submit
memory/336-20-0x0000000000E60000-0x0000000000E72000-memory.dmp

Filesize
72KB

Download
memory/336-32-0x0000000000E60000-0x0000000000E72000-memory.dmp

Filesize
72KB

Download
memory/336-19-0x0000000000E60000-0x0000000000E72000-memory.dmp

Filesize
72KB

Download
memory/856-44-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/856-39-0x0000000000D50000-0x0000000000D5B000-memory.dmp

Filesize
44KB

Download
memory/856-52-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/856-53-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/856-43-0x0000000000D50000-0x0000000000D5B000-memory.dmp

Filesize
44KB

Download
memory/856-45-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/856-35-0x0000000000D50000-0x0000000000D5B000-memory.dmp

Filesize
44KB

Download
memory/2296-31-0x0000000000400000-0x000000000044BC00-memory.dmp

Filesize
303KB

Download
memory/2296-30-0x00000000021A0000-0x00000000021B6000-memory.dmp

Filesize
88KB

Download
memory/2296-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2296-25-0x0000000000400000-0x000000000044BC00-memory.dmp

Filesize
303KB

Download
memory/2296-1-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2296-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2296-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2296-23-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2396-7-0x0000000001EF0000-0x0000000001F09000-memory.dmp

Filesize
100KB

Download
memory/2396-9-0x0000000000060000-0x0000000000076000-memory.dmp

Filesize
88KB

Download
memory/2396-2-0x0000000001EF0000-0x0000000001F09000-memory.dmp

Filesize
100KB

Download
memory/2396-13-0x0000000001EF0000-0x0000000001F09000-memory.dmp

Filesize
100KB

Download