General

  • Target

    d9972f52b288be3fad07664f34a12b93_JaffaCakes118

  • Size

    96KB

  • Sample

    240911-ethg8asblm

  • MD5

    d9972f52b288be3fad07664f34a12b93

  • SHA1

    6618b0deebe1dbebf475d06116df737e970ae3a0

  • SHA256

    944fe04d665db2f19ab49044c32067e9c2c3b558d087f948276baa7a22948f56

  • SHA512

    303b2f91fd4bb51b4cc75396147359e14e91ee925110064f5488d49ddc79067e30b037733081938cf938357c8d5a7d05f4ba053a83968c5eaf6b6bbdadc2383f

  • SSDEEP

    1536:CuZQ4OaD0uIwaq7M4KoQuURcKc2sXTc3+yA7TNeNQ5BAkdlFKT172:d967wf7M4KoQukcRXTaH8TNv0kZKTB2

Malware Config

Extracted

Family

pony

C2

http://88.85.99.44:8080/pony/gate.php

http://91.121.140.103:8080/pony/gate.php

http://91.121.178.156:8080/pony/gate.php

Attributes

  • payload_url

    http://www.stablerkraemer.at/15Psv3zJ/4ah6NuS.exe

    http://www.grupozear.es/5PYpsVTJ/mPt0Zx.exe

    http://cairngorm.basestationdev.co.uk/tv9TcPVk/rXExfz.exe

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks