Overview

overview

10

Static

static

3

da00410092...18.exe

windows7-x64

10

da00410092...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    da00410092bac5ec368789940617f2c9_JaffaCakes118

  • Size

    115KB

  • Sample

    240911-kwcyeasgmg

  • MD5

    da00410092bac5ec368789940617f2c9

  • SHA1

    49cf32548201b80be47ef1a7bbc3f1168d89a578

  • SHA256

    8f19ff322ab90644573e5dc2d5c7243fbc9a21f084051aa4c33f64374512e06e

  • SHA512

    67cfdd041a482426fc4bdbb9af409a96a21a9f0773048774ad7e439c5960df4a82ffef5ba025e4ee8b2255cc25e5727fa77e61752c0757955028d2f1b8697bf6

  • SSDEEP

    3072:bXAtWYKBlLpHBGwG6yDSHlALt6mowYPdqR86w9:DAoYKXLplbyDBtei86

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://etsiunjour.fr:81/pony/gate.php

http://69.194.194.238/pony/gate.php
Attributes
  • payload_url

    http://certidao.adv.br/UnVcLzvR/scC.exe

    http://deccatanks.co.uk/4CWKRhBv/oXmSXT1s.exe

    http://cfinder.dtme.net/FEDdYaMM/bzTbkvu.exe

    http://imo213.com/Y0BDbt8p/GhnU.exe

    http://lab.nghcc.org.tw/yMczUqoA/CtPZ.exe

    http://padariaestrelasjc.com.br/76pquByi/yqc5ufFM.exe

    http://drinkpilot.com/dfAqK8cD/8gR.exe

    http://wiki.ehost.pl/ePb25EHR/vy4U.exe

    http://hernandezmotores.cl/fhouFXAc/SWvU2uC.exe

    http://praticaprojetos.com.br/fHVwaTjV/EBExe7.exe

    http://ctamdq.org.ar/mr3ARzbf/5c43.exe

    http://comf.com.br/qiVc6c4E/vDnU22yZ.exe

    http://profitwithauctions.com/UQGXPnim/w5oG6.exe

    http://www.futuremetrics.net/XmEay48n/6TmiYF.exe

Targets

    • Target

      da00410092bac5ec368789940617f2c9_JaffaCakes118

    • Size

      115KB

    • MD5

      da00410092bac5ec368789940617f2c9

    • SHA1

      49cf32548201b80be47ef1a7bbc3f1168d89a578

    • SHA256

      8f19ff322ab90644573e5dc2d5c7243fbc9a21f084051aa4c33f64374512e06e

    • SHA512

      67cfdd041a482426fc4bdbb9af409a96a21a9f0773048774ad7e439c5960df4a82ffef5ba025e4ee8b2255cc25e5727fa77e61752c0757955028d2f1b8697bf6

    • SSDEEP

      3072:bXAtWYKBlLpHBGwG6yDSHlALt6mowYPdqR86w9:DAoYKXLplbyDBtei86

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks