pony | 885b2a41e4956f97629f7bcd404f1a51b83b3a57926b2c5235f74f472f4269cf | Triage

Sharing

General

Target

dcdc7a11a670c2b0d5079a35749da9d7_JaffaCakes118
Size

2.2MB
Sample

240912-xnmtvsygnl
MD5

dcdc7a11a670c2b0d5079a35749da9d7
SHA1

b47faaf9d94cb0b4da91579f0a68ddea96f4e7f9
SHA256

885b2a41e4956f97629f7bcd404f1a51b83b3a57926b2c5235f74f472f4269cf
SHA512

cfcc398b93ec1adef2dc2af887637d6d7ad722d7c3ec620f6a6dc32110c9cdfac013f82dd1029b0b7c8ebb9f40a23319422f99e5d7e479da56f9e9ef3f678edc
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZw:0UzeyQMS4DqodCnoe+iitjWwwM

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Targets

- Target
  
  dcdc7a11a670c2b0d5079a35749da9d7_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  dcdc7a11a670c2b0d5079a35749da9d7
- SHA1
  
  b47faaf9d94cb0b4da91579f0a68ddea96f4e7f9
- SHA256
  
  885b2a41e4956f97629f7bcd404f1a51b83b3a57926b2c5235f74f472f4269cf
- SHA512
  
  cfcc398b93ec1adef2dc2af887637d6d7ad722d7c3ec620f6a6dc32110c9cdfac013f82dd1029b0b7c8ebb9f40a23319422f99e5d7e479da56f9e9ef3f678edc
- SSDEEP
  
  24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZw:0UzeyQMS4DqodCnoe+iitjWwwM
Score

10^/10

pony discovery evasion persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponydiscoveryevasionpersistenceratspywarestealer

behavioral2

ponydiscoveryevasionpersistenceratspywarestealer