pony | ad9039f3e400adc14b58c206d8d5cec9950bfab350d321cb8c40349a165ade1a

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe
Size

208KB
MD5

e36b9884e0eabe6cd76aedd74f4b3151
SHA1

e98df4c6dbeb5e505026b824457722093c77feb5
SHA256

ad9039f3e400adc14b58c206d8d5cec9950bfab350d321cb8c40349a165ade1a
SHA512

de30462aeb3ffc85ed00ca5c195cde026f124096f25d1d73dda6beeed5c28eb6083e1325dbbc004fe662d2feaec1458329cae804ea2c84371864ee531653a7fb
SSDEEP

3072:C1Q52m+tPGmjZQ84GbS2DIzG9bRDvPEw/IBAIXODpzyN0MPegMtBH0:4HumT1Dm4tscU0MPegKBH0

Score

10^/10

pony collection credential_access discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://poneiu.esy.es/gate.php

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\nvidia\\nvtmru.exe,explorer.exe"	reg.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/644-7-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/644-9-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/644-10-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/644-19-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/644-20-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA GeForce Experience = "C:\\Users\\Admin\\AppData\\Local\\nvidia\\nvtmru.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 644	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
984	reg.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	644	svchost.exe
Token: SeTcbPrivilege	644	svchost.exe
Token: SeChangeNotifyPrivilege	644	svchost.exe
Token: SeCreateTokenPrivilege	644	svchost.exe
Token: SeBackupPrivilege	644	svchost.exe
Token: SeRestorePrivilege	644	svchost.exe
Token: SeIncreaseQuotaPrivilege	644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	644	svchost.exe
Token: SeImpersonatePrivilege	644	svchost.exe
Token: SeTcbPrivilege	644	svchost.exe
Token: SeChangeNotifyPrivilege	644	svchost.exe
Token: SeCreateTokenPrivilege	644	svchost.exe
Token: SeBackupPrivilege	644	svchost.exe
Token: SeRestorePrivilege	644	svchost.exe
Token: SeIncreaseQuotaPrivilege	644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	644	svchost.exe
Token: SeImpersonatePrivilege	644	svchost.exe
Token: SeTcbPrivilege	644	svchost.exe
Token: SeChangeNotifyPrivilege	644	svchost.exe
Token: SeCreateTokenPrivilege	644	svchost.exe
Token: SeBackupPrivilege	644	svchost.exe
Token: SeRestorePrivilege	644	svchost.exe
Token: SeIncreaseQuotaPrivilege	644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	644	svchost.exe
Token: SeImpersonatePrivilege	644	svchost.exe
Token: SeTcbPrivilege	644	svchost.exe
Token: SeChangeNotifyPrivilege	644	svchost.exe
Token: SeCreateTokenPrivilege	644	svchost.exe
Token: SeBackupPrivilege	644	svchost.exe
Token: SeRestorePrivilege	644	svchost.exe
Token: SeIncreaseQuotaPrivilege	644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	644	svchost.exe
Token: SeImpersonatePrivilege	644	svchost.exe
Token: SeTcbPrivilege	644	svchost.exe
Token: SeChangeNotifyPrivilege	644	svchost.exe
Token: SeCreateTokenPrivilege	644	svchost.exe
Token: SeBackupPrivilege	644	svchost.exe
Token: SeRestorePrivilege	644	svchost.exe
Token: SeIncreaseQuotaPrivilege	644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	644	svchost.exe
Token: SeImpersonatePrivilege	644	svchost.exe
Token: SeTcbPrivilege	644	svchost.exe
Token: SeChangeNotifyPrivilege	644	svchost.exe
Token: SeCreateTokenPrivilege	644	svchost.exe
Token: SeBackupPrivilege	644	svchost.exe
Token: SeRestorePrivilege	644	svchost.exe
Token: SeIncreaseQuotaPrivilege	644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	644	svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 644	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	89
PID 2488 wrote to memory of 644	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	89
PID 2488 wrote to memory of 644	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	89
PID 2488 wrote to memory of 644	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	89
PID 2488 wrote to memory of 644	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	89
PID 2488 wrote to memory of 644	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	89
PID 2488 wrote to memory of 644	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	89
PID 2488 wrote to memory of 924	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	90
PID 2488 wrote to memory of 924	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	90
PID 2488 wrote to memory of 924	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	90
PID 2488 wrote to memory of 780	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	92
PID 2488 wrote to memory of 780	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	92
PID 2488 wrote to memory of 780	2488	e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe	92
PID 924 wrote to memory of 984	924	cmd.exe	94
PID 924 wrote to memory of 984	924	cmd.exe	94
PID 924 wrote to memory of 984	924	cmd.exe	94
PID 780 wrote to memory of 4564	780	cmd.exe	95
PID 780 wrote to memory of 4564	780	cmd.exe	95
PID 780 wrote to memory of 4564	780	cmd.exe	95

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e36b9884e0eabe6cd76aedd74f4b3151_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path
  PID:644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "NVIDIA GeForce Experience" /t REG_SZ /d "C:\Users\Admin\AppData\Local\nvidia\nvtmru.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "NVIDIA GeForce Experience" /t REG_SZ /d "C:\Users\Admin\AppData\Local\nvidia\nvtmru.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\nvidia\nvtmru.exe",explorer.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\nvidia\nvtmru.exe",explorer.exe /f
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\nvidia\nvtmru.exe

Filesize
208KB

MD5
e36b9884e0eabe6cd76aedd74f4b3151

SHA1
e98df4c6dbeb5e505026b824457722093c77feb5

SHA256
ad9039f3e400adc14b58c206d8d5cec9950bfab350d321cb8c40349a165ade1a

SHA512
de30462aeb3ffc85ed00ca5c195cde026f124096f25d1d73dda6beeed5c28eb6083e1325dbbc004fe662d2feaec1458329cae804ea2c84371864ee531653a7fb

Download Submit
memory/644-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/644-9-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/644-10-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/644-19-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/644-20-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2488-0-0x0000000074952000-0x0000000074953000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/2488-2-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/2488-18-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads