pony | f44d696d38b639db5546aabe65b04cbc374cfe2f9d3480087c00e0afa42da137

Analysis

max time kernel
31s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 03:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
Size

2.6MB
MD5

dbb3fed1ddbe1dba7915ac77f70fb445
SHA1

1fa65a682d2ccf5c961b73f8bd8670a2169aefc1
SHA256

f44d696d38b639db5546aabe65b04cbc374cfe2f9d3480087c00e0afa42da137
SHA512

e58ab91c2677a3ba64ec4c697bbf9392fb66030dd5bf313697b6da844b9fe8c329fc6c1f88eee3f12a1badc8b3ee997eebd775733199defde5af52fb133f7351
SSDEEP

49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlj:86SIROiFJiwp0xlrlj

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1288	explorer.exe
540	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 3760 set thread context of 4804	3760	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	96
PID 1288 set thread context of 540	1288	explorer.exe	98

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
4804	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
4804	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
4804	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
1288	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 2020 wrote to memory of 3760	2020	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	84
PID 3760 wrote to memory of 3540	3760	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	85
PID 3760 wrote to memory of 3540	3760	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	85
PID 3760 wrote to memory of 4804	3760	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	96
PID 3760 wrote to memory of 4804	3760	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	96
PID 3760 wrote to memory of 4804	3760	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	96
PID 3760 wrote to memory of 4804	3760	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	96
PID 3760 wrote to memory of 4804	3760	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	96
PID 4804 wrote to memory of 1288	4804	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	97
PID 4804 wrote to memory of 1288	4804	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	97
PID 4804 wrote to memory of 1288	4804	dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe	97
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98
PID 1288 wrote to memory of 540	1288	explorer.exe	98

C:\Users\Admin\AppData\Local\Temp\dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dbb3fed1ddbe1dba7915ac77f70fb445_JaffaCakes118.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1288
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.6MB

MD5
8243eb7c2bc675b89aa55bc112cd7af2

SHA1
e9bf0b43d5143be1ce1118c12dc164fc3fe69039

SHA256
ca052ad6b3cc42e94569031fe2cc306f15b0bfc0a60221699643a7e97f6a691f

SHA512
d4d561ac2ef6a7f707faec29932b18f5f4b50674b6f920b874111e05f47331cafdba8157e3600364daf9e7a00b9a3aade100d0021eefb1246ad8177f0ff0f570

Download Submit
memory/540-59-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2020-2-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/3760-5-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3760-7-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3760-6-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3760-38-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3760-48-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3760-4-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3760-3-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4804-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4804-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4804-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download