Overview

overview

10

Static

static

3

d2b7c64389...18.exe

windows7-x64

10

d2b7c64389...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d2b7c64389abca98d342911db0fadfb4_JaffaCakes118

  • Size

    125KB

  • Sample

    240907-ynq2ys1hqk

  • MD5

    d2b7c64389abca98d342911db0fadfb4

  • SHA1

    ee12057a3b190f55cbb5a3a5aac80ba401b37e56

  • SHA256

    d4264dccc6248816b1388ee92425aa8a3a74fffdac969501ad77f13388664acc

  • SHA512

    8be016348163ea5a9871a3089f25d7adb892c5187ba1d05c94775553776d544e7cb0cf7b5d5382214a54340b70fb8416f2a8c5a9df7e959cc3edd83a056328b6

  • SSDEEP

    3072:NRtoUHQY6TRSg7dsbxbZUfFDDI+C1q8V6shtLHUd5LSKGj1Q:1QxRdCZU93I51qYYcj

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://rolex6.serverthuis.nl/po/gate.php

http://rolex7.serverthuis.nl/po/gate.php
Attributes
  • payload_url

    http://skin.mad.buttobi.net/11.exe

    http://skin.mad.buttobi.net/22.exe

    http://skin.mad.buttobi.net/33.exe

    http://deltagoma.es/Scripts/11.exe

    http://deltagoma.es/Scripts/22.exe

    http://deltagoma.es/Scripts/33.exe

    http://energy.elsat.net.pl/Delikatesy/11.exe

    http://energy.elsat.net.pl/Delikatesy/22.exe

    http://energy.elsat.net.pl/Delikatesy/33.exe

Targets

    • Target

      d2b7c64389abca98d342911db0fadfb4_JaffaCakes118

    • Size

      125KB

    • MD5

      d2b7c64389abca98d342911db0fadfb4

    • SHA1

      ee12057a3b190f55cbb5a3a5aac80ba401b37e56

    • SHA256

      d4264dccc6248816b1388ee92425aa8a3a74fffdac969501ad77f13388664acc

    • SHA512

      8be016348163ea5a9871a3089f25d7adb892c5187ba1d05c94775553776d544e7cb0cf7b5d5382214a54340b70fb8416f2a8c5a9df7e959cc3edd83a056328b6

    • SSDEEP

      3072:NRtoUHQY6TRSg7dsbxbZUfFDDI+C1q8V6shtLHUd5LSKGj1Q:1QxRdCZU93I51qYYcj

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks