pony | 203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe
Size

291KB
MD5

e1c3629119f5302d063ffdc6b12ea3b0
SHA1

f00fcee9d817012bd14477dc4ca1168a8768e4a2
SHA256

203c5ba77074cc8c916e0c6d62dc7227a5bfbf83265ce620e83763f1c32c7983
SHA512

a9973c250c8d0f58d66e490f0849ff521dbb8deb910999d136d12b59b1d55d7f13ecb8cba27229d3cede1cf9a92666026eef9d88d8c1c62f9455640eb5b66631
SSDEEP

6144:TTDGSslfdUY26SmrEsNU8BsR3E5BOiUgUAUaBvS9ltGrnRgCm:JsyUEYBscB13UAOenGl

Score

10^/10

pony credential_access discovery rat spyware stealer upx

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Loads dropped DLL 1 IoCs

pid	Process
1820	e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1820-30-0x0000000001E40000-0x0000000001E56000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 2312	1820	e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe	28

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{0ec5cbda-3e74-470a-ed06-b289fae0cf35}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0ec5cbda-3e74-470a-ed06-b289fae0cf35}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0ec5cbda-3e74-470a-ed06-b289fae0cf35}\cid = "7797932186060349393"	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2312	1820	e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2312	1820	e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2312	1820	e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2312	1820	e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2312	1820	e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe	28
PID 2312 wrote to memory of 336	2312	explorer.exe	2
PID 336 wrote to memory of 856	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1c3629119f5302d063ffdc6b12ea3b0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\explorer.exe
  000001C4*
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
53KB

MD5
d3bd9c7e7a29daa24c66dc62cd5f5633

SHA1
3895247052b6244659e73334e6398677dafa0ac1

SHA256
6b87925d0e03ab5daa4760b1a62bed66c49cb489d011e2c9633eb0fe466df83f

SHA512
e243a2272887b02417b08b0d0728689c8f01cc57d473ed811ba98c2f5aa4d985d02d0fd7772bc33356474abcc815609ab7a6c0e905d6fe884fb7bc70bc67e9d0

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
22b145be33c5628e318be510eff46251

SHA1
949644fe4d6bd0e569566de2b557bb9683b0a2b0

SHA256
cf5fc19fb60b078af51af79cdba21ff563ae8c9ccf89cee7c9c09547587e7009

SHA512
e39ad1d6dcb42a1fcd31d8f3c2b3ac11adab8d8f0f7f2a4c33067079f84517c5ef61a17df7a88cbe069cca1ac2c3fb7aaeb3e1aeb8711520a75808a5c724416d

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
ff7d5ec20bf73c02317e7a740fffe018

SHA1
365ac8cfe5b939854cc1c341caf051bcc45f9372

SHA256
1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a

SHA512
30854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44

Download Submit
memory/336-20-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/336-32-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/336-25-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/336-19-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/856-44-0x00000000004A0000-0x00000000004AB000-memory.dmp

Filesize
44KB

Download
memory/856-46-0x00000000004B0000-0x00000000004BB000-memory.dmp

Filesize
44KB

Download
memory/856-50-0x00000000004B0000-0x00000000004BB000-memory.dmp

Filesize
44KB

Download
memory/856-36-0x00000000004A0000-0x00000000004AB000-memory.dmp

Filesize
44KB

Download
memory/856-41-0x00000000004A0000-0x00000000004AB000-memory.dmp

Filesize
44KB

Download
memory/856-35-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1820-31-0x0000000000400000-0x000000000044CA00-memory.dmp

Filesize
306KB

Download
memory/1820-30-0x0000000001E40000-0x0000000001E56000-memory.dmp

Filesize
88KB

Download
memory/1820-1-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1820-24-0x0000000000400000-0x000000000044CA00-memory.dmp

Filesize
306KB

Download
memory/1820-0-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1820-49-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1820-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2312-9-0x00000000001F0000-0x0000000000209000-memory.dmp

Filesize
100KB

Download
memory/2312-3-0x0000000000060000-0x0000000000076000-memory.dmp

Filesize
88KB

Download
memory/2312-13-0x00000000001F0000-0x0000000000209000-memory.dmp

Filesize
100KB

Download
memory/2312-2-0x00000000001F0000-0x0000000000209000-memory.dmp

Filesize
100KB

Download