Overview

overview

10

Static

static

10

cc599d35b7...18.exe

windows7-x64

10

cc599d35b7...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cc599d35b77d1a1d6234978af54000c0_JaffaCakes118

  • Size

    92KB

  • Sample

    240831-g2351azdln

  • MD5

    cc599d35b77d1a1d6234978af54000c0

  • SHA1

    67c7795d3fe191cd44de2f5a9e8d8c9cf06d0258

  • SHA256

    2e3628b613ef186e1d6723613336045bf60b7ec1aea2b01a2ae2267068b89d63

  • SHA512

    26be6a228487fe833ce3153387e74de8dafdd36f0937e90ccf2700d277922e714c3ec37c7fbcad18945a0cbcb1b1294d9e80cebb3d0c0b209d00f63d4cf75a45

  • SSDEEP

    1536:bkicSQt1+qTFncNXk9Gm+gzkz0KSCSiueflfVw9gzOrNkzTvZEq/kzm5B:oXt1+AG2zkz0KSs/fNzO5QEq/r

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://cis.commlinkglobal.com:8080/forum/viewtopic.php

http://pbx.commlinkglobal.com:8080/forum/viewtopic.php

http://www.telecomlinkph.com:8080/forum/viewtopic.php

http://www.twinsquality.com:8080/forum/viewtopic.php
Attributes
  • payload_url

    http://cmonline.co.nz/1D2e.exe

    http://DOWNLOADS.ARGO-NETWORKS.COM/jsPRUmRu.exe

    http://ftp.riddlepress.com/ZNap.exe

Targets

    • Target

      cc599d35b77d1a1d6234978af54000c0_JaffaCakes118

    • Size

      92KB

    • MD5

      cc599d35b77d1a1d6234978af54000c0

    • SHA1

      67c7795d3fe191cd44de2f5a9e8d8c9cf06d0258

    • SHA256

      2e3628b613ef186e1d6723613336045bf60b7ec1aea2b01a2ae2267068b89d63

    • SHA512

      26be6a228487fe833ce3153387e74de8dafdd36f0937e90ccf2700d277922e714c3ec37c7fbcad18945a0cbcb1b1294d9e80cebb3d0c0b209d00f63d4cf75a45

    • SSDEEP

      1536:bkicSQt1+qTFncNXk9Gm+gzkz0KSCSiueflfVw9gzOrNkzTvZEq/kzm5B:oXt1+AG2zkz0KSs/fNzO5QEq/r

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks