Overview

overview

10

Static

static

10

e0229fa1e7...18.exe

windows7-x64

10

e0229fa1e7...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e0229fa1e799bac0373054b1aeb117e9_JaffaCakes118

  • Size

    161KB

  • Sample

    240914-n5wzessdnq

  • MD5

    e0229fa1e799bac0373054b1aeb117e9

  • SHA1

    48df6d035fe892059f1a0908bbe996a1c82fbc16

  • SHA256

    710b8cebc63318007f640fa363986ddea990aa3c06904b7b768d9d0fa09174ab

  • SHA512

    83d478678cdd7094bfffa18368c5455342193446fb1821b3eabdf9968a804ff5ba8106d35b9dda96500c01e86d6abdb3e755de007915036364cf3d253a19004b

  • SSDEEP

    3072:9ITLZhs0uDI0rAfOXl+y+uql/GOtsrVrqhTqndtndhndKndI:mTLFuD6fOXlql/GLJrqqndtndhndKndI

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://butterchoco.net/admin/bull/gate.php

Targets

    • Target

      e0229fa1e799bac0373054b1aeb117e9_JaffaCakes118

    • Size

      161KB

    • MD5

      e0229fa1e799bac0373054b1aeb117e9

    • SHA1

      48df6d035fe892059f1a0908bbe996a1c82fbc16

    • SHA256

      710b8cebc63318007f640fa363986ddea990aa3c06904b7b768d9d0fa09174ab

    • SHA512

      83d478678cdd7094bfffa18368c5455342193446fb1821b3eabdf9968a804ff5ba8106d35b9dda96500c01e86d6abdb3e755de007915036364cf3d253a19004b

    • SSDEEP

      3072:9ITLZhs0uDI0rAfOXl+y+uql/GOtsrVrqhTqndtndhndKndI:mTLFuD6fOXlql/GLJrqqndtndhndKndI

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks