pony | 6438a69ffb139cff501e2f669abb517715dea485fe9a591a2e5545fd4430a1a8

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1ca6f61c23df9799053446fa05d8ef4_JaffaCakes118.doc
Size

158KB
MD5

e1ca6f61c23df9799053446fa05d8ef4
SHA1

77f70d6b160537099f96736749f461417def33a9
SHA256

6438a69ffb139cff501e2f669abb517715dea485fe9a591a2e5545fd4430a1a8
SHA512

627f71f98fc2f99c71f19795f350caee63b505eee4fcdc485c323ed9e5bc0568e85f25a01a839b1c4ae0da0872418d31d9b063e82d6b7ece77b061a53cc3b05f
SSDEEP

3072:O6IBe4V8VwlbE7OEYrL9J0hLaGTC3jvg/kVa1U:eBsmlwOPrL9J06M/kVa1U

Score

10^/10

pony collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://henratronrol.com/zapoy/gate.php

http://arletaltont.ru/zapoy/gate.php

http://woserinde.ru/zapoy/gate.php

Attributes

payload_url
http://knnew.webri.ru/system/logs/ztool.exe

http://mf-shop.ru/system/logs/ztool.exe

http://elstore.ml/system/logs/ztool.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
1976	f4.tmp

Loads dropped DLL 1 IoCs

pid	Process
2900	WINWORD.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	f4.tmp

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	f4.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	f4.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	f4.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2900	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	1976	f4.tmp
Token: SeTcbPrivilege	1976	f4.tmp
Token: SeChangeNotifyPrivilege	1976	f4.tmp
Token: SeCreateTokenPrivilege	1976	f4.tmp
Token: SeBackupPrivilege	1976	f4.tmp
Token: SeRestorePrivilege	1976	f4.tmp
Token: SeIncreaseQuotaPrivilege	1976	f4.tmp
Token: SeAssignPrimaryTokenPrivilege	1976	f4.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp
1976	f4.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2900	WINWORD.EXE
2900	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2876	2900	WINWORD.EXE	30
PID 2900 wrote to memory of 2876	2900	WINWORD.EXE	30
PID 2900 wrote to memory of 2876	2900	WINWORD.EXE	30
PID 2900 wrote to memory of 2876	2900	WINWORD.EXE	30
PID 2900 wrote to memory of 1976	2900	WINWORD.EXE	33
PID 2900 wrote to memory of 1976	2900	WINWORD.EXE	33
PID 2900 wrote to memory of 1976	2900	WINWORD.EXE	33
PID 2900 wrote to memory of 1976	2900	WINWORD.EXE	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	f4.tmp

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	f4.tmp

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e1ca6f61c23df9799053446fa05d8ef4_JaffaCakes118.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\f4.tmp
  C:\Users\Admin\AppData\Local\Temp\f4.tmp
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - outlook_office_path
  - outlook_win_path
  PID:1976

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD9EF932.emf

Filesize
5KB

MD5
9e93c25028290ed27c190beba24f371e

SHA1
b0388d5310a669aaa0399c4a061fbb46a9d501ad

SHA256
a548eeb99161b0c130c9d6c29e656c95c8b66062f1361d5582d74dfce0035b82

SHA512
cc67ceaa9f1fc65e181522e56fb3129c66634208c0ab2f4301163a26a14668950837fe3c49a8213228b1ec7ca70cc7d8387b94677817ac07785172eecf114cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4.tmp

Filesize
110KB

MD5
49259230ec1327f9e0659c71065a23e2

SHA1
b9c5276b711aa3719556a84b24b7b516bd71bcd6

SHA256
82cc68f7568fd0c9ecb5d81ff65baa6e0799579d2e538e328abc64b41a76f005

SHA512
931bfd681e88af955eb3bdedbda8015a6d67c48476430350a8c1dc19fe9fe2ff058fff761ae264af3cd7b2595f2d81173c2817827be8d858f2d95b00ff281216

Download Submit
C:\Users\Admin\AppData\Local\Temp\jebq.rtf

Filesize
688KB

MD5
78f620c55c79e3202d0f4ce340cbb508

SHA1
74305f23ec5f54960e4fd783e3ce140b9ecc7f00

SHA256
4617fd6f429d51c9b981ced40628dac240f5db25ab614f9c8319d251c6c1f2b7

SHA512
100f9ae4024ac745f03a8a9888b1eaa1c88c05a5c2f102c6287c45d487a892e9c8b09c004f903ce921755f616964b7c645dd66dfb6bfb81e1b57f992f38b924b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

Filesize
688KB

MD5
05f22a04088daa5824f66c56b88a6756

SHA1
9b17170f1813ba86c360df2cd471cb648f76770f

SHA256
07e0161e0825d4ffe7858bd3982383fd213bf877d3e0104471c7c59e8a5fc2e2

SHA512
e796ed068a145f31756f0cab7d2bc92560c960258a1e2ca67201ee1f113b42f8b205d8b11cc368ec0d6fd09df1d3c9d50602308a9b59078214af0dc366c1db94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
375B

MD5
cc62f3fede0dff7fbc800d3b3443c765

SHA1
4241a8eb29dab0a37ddb16b249f6fd570709c98b

SHA256
1eb251b75df189c89f5acfd89347f2d3621351b9cdad569842f5ddd71aa0540a

SHA512
27656ce5b8aa4fae9de57d1a138c1428cb1ff97f07f3e1bafd427927822f204fff4646ed3e0f53b0c2078550c6b724ae9058cc53e81d6338faa37f683334fa3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
4b6e6990c1715decae38a3f7b9cb3c21

SHA1
a59b47d6fd7d8e351750d00e833056a2627ff9e0

SHA256
fc704f4adacc70b525987922151d6df12ff0da7cb53e54a9b7a8ec6289eb547c

SHA512
cfe321ee3cef81ca6e93ea3a9f1135efc8dd0dc5d1b234a99b6fc9badb59e214eca34cd8e1768057ae11b110fb3a8b6a01edc43aee4a8db0d67a73874c353b61

Download Submit
memory/1976-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1976-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2720-121-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2720-100-0x000000007183D000-0x0000000071848000-memory.dmp

Filesize
44KB

Download
memory/2720-83-0x000000007183D000-0x0000000071848000-memory.dmp

Filesize
44KB

Download
memory/2720-81-0x000000002FCC1000-0x000000002FCC2000-memory.dmp

Filesize
4KB

Download
memory/2720-124-0x000000007183D000-0x0000000071848000-memory.dmp

Filesize
44KB

Download
memory/2900-41-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-14-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-45-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-44-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-43-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-42-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-0-0x000000002FCC1000-0x000000002FCC2000-memory.dmp

Filesize
4KB

Download
memory/2900-40-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-39-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-38-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-37-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-36-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-35-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-34-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-33-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-32-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-31-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-30-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-29-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-28-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-27-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-26-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-25-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-24-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-23-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-22-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-21-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-20-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-19-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-18-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-17-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-16-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-15-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-47-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-13-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-12-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-11-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-9-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-8-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-5-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-4-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-46-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-64-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-48-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-49-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-80-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-78-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-50-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-51-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-52-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-89-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-90-0x000000007183D000-0x0000000071848000-memory.dmp

Filesize
44KB

Download
memory/2900-91-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-93-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-53-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-55-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-98-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-99-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-56-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-101-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-10-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-7-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-6-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2900-2-0x000000007183D000-0x0000000071848000-memory.dmp

Filesize
44KB

Download
memory/2900-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2900-170-0x000000007183D000-0x0000000071848000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads