pony | 3771360d99c96e30f94bc4f2afa22fea5e7c6a28358814fa7848701ee75debed

General

Target

d7dee32795765518126524be383a5081_JaffaCakes118
Size

920KB
Sample

240910-j77rgswanc
MD5

d7dee32795765518126524be383a5081
SHA1

60c3e2811efcba3b84395948465b7738625a22e6
SHA256

3771360d99c96e30f94bc4f2afa22fea5e7c6a28358814fa7848701ee75debed
SHA512

a9550596dac2ab4095aac7bff98968895e8a58a103c6e763184257a846480f48fd096feb19622f13c1317bf1a3b000fcb3ee84484eb155235977bbfa8cc9764b
SSDEEP

24576:IJXWAayET+QuawV+XTUknfiuG7weke8juowZKMnunK:tTzuaxjnsywKMnY

Score

10^/10

Malware Config

Targets

- Target
  
  d7dee32795765518126524be383a5081_JaffaCakes118
- Size
  
  920KB
- MD5
  
  d7dee32795765518126524be383a5081
- SHA1
  
  60c3e2811efcba3b84395948465b7738625a22e6
- SHA256
  
  3771360d99c96e30f94bc4f2afa22fea5e7c6a28358814fa7848701ee75debed
- SHA512
  
  a9550596dac2ab4095aac7bff98968895e8a58a103c6e763184257a846480f48fd096feb19622f13c1317bf1a3b000fcb3ee84484eb155235977bbfa8cc9764b
- SSDEEP
  
  24576:IJXWAayET+QuawV+XTUknfiuG7weke8juowZKMnunK:tTzuaxjnsywKMnY
Score

10^/10

discovery pony credential_access evasion persistence rat spyware stealer upx
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Disables taskbar notifications via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2