Overview

overview

10

Static

static

8

e1ca6f61c2...18.doc

windows7-x64

10

e1ca6f61c2...18.doc

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e1ca6f61c23df9799053446fa05d8ef4_JaffaCakes118

  • Size

    158KB

  • Sample

    240915-f6fptsxfmh

  • MD5

    e1ca6f61c23df9799053446fa05d8ef4

  • SHA1

    77f70d6b160537099f96736749f461417def33a9

  • SHA256

    6438a69ffb139cff501e2f669abb517715dea485fe9a591a2e5545fd4430a1a8

  • SHA512

    627f71f98fc2f99c71f19795f350caee63b505eee4fcdc485c323ed9e5bc0568e85f25a01a839b1c4ae0da0872418d31d9b063e82d6b7ece77b061a53cc3b05f

  • SSDEEP

    3072:O6IBe4V8VwlbE7OEYrL9J0hLaGTC3jvg/kVa1U:eBsmlwOPrL9J06M/kVa1U

Score
10/10
ponycollectioncredential_accessdiscoverymacromacro_on_actionratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://henratronrol.com/zapoy/gate.php

http://arletaltont.ru/zapoy/gate.php

http://woserinde.ru/zapoy/gate.php
Attributes
  • payload_url

    http://knnew.webri.ru/system/logs/ztool.exe

    http://mf-shop.ru/system/logs/ztool.exe

    http://elstore.ml/system/logs/ztool.exe

Targets

    • Target

      e1ca6f61c23df9799053446fa05d8ef4_JaffaCakes118

    • Size

      158KB

    • MD5

      e1ca6f61c23df9799053446fa05d8ef4

    • SHA1

      77f70d6b160537099f96736749f461417def33a9

    • SHA256

      6438a69ffb139cff501e2f669abb517715dea485fe9a591a2e5545fd4430a1a8

    • SHA512

      627f71f98fc2f99c71f19795f350caee63b505eee4fcdc485c323ed9e5bc0568e85f25a01a839b1c4ae0da0872418d31d9b063e82d6b7ece77b061a53cc3b05f

    • SSDEEP

      3072:O6IBe4V8VwlbE7OEYrL9J0hLaGTC3jvg/kVa1U:eBsmlwOPrL9J06M/kVa1U

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks