pony | a33e5817ece2c6f4251367dabeeb6c5943ab92f72b30479863ee347c3229d932 | Triage

Sharing

General

Target

cb6c272a13a9b9b82cec098615754a57_JaffaCakes118
Size

2.2MB
Sample

240830-w8czqaydnh
MD5

cb6c272a13a9b9b82cec098615754a57
SHA1

0a9df7b33d397f5bd2d21aecd01139e8c7e41b06
SHA256

a33e5817ece2c6f4251367dabeeb6c5943ab92f72b30479863ee347c3229d932
SHA512

2f808e179c2897b30b85e3074b3d94533adf13dbe2ca1948bb86a53f3230f8953ba6d703e58b15ff3dd5f4da527b2098d329dd357a689d93ed54fdbdb8ecf74e
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZZ:0UzeyQMS4DqodCnoe+iitjWwwd

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Targets

- Target
  
  cb6c272a13a9b9b82cec098615754a57_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  cb6c272a13a9b9b82cec098615754a57
- SHA1
  
  0a9df7b33d397f5bd2d21aecd01139e8c7e41b06
- SHA256
  
  a33e5817ece2c6f4251367dabeeb6c5943ab92f72b30479863ee347c3229d932
- SHA512
  
  2f808e179c2897b30b85e3074b3d94533adf13dbe2ca1948bb86a53f3230f8953ba6d703e58b15ff3dd5f4da527b2098d329dd357a689d93ed54fdbdb8ecf74e
- SSDEEP
  
  24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZZ:0UzeyQMS4DqodCnoe+iitjWwwd
Score

10^/10

pony discovery evasion persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponydiscoveryevasionpersistenceratspywarestealer

behavioral2

ponydiscoveryevasionpersistenceratspywarestealer