pony | 8f45c80bbc293678b1fdf7b1157f94440eefceb9bb867132ee1f4666797e355a | Triage

Sharing

General

Target

e2a026dca73745b48fb6cf6f20eba210_JaffaCakes118
Size

2.2MB
Sample

240915-q4rz7axckj
MD5

e2a026dca73745b48fb6cf6f20eba210
SHA1

5e6b0c1f3313819bf669c75490132d2cf46876c3
SHA256

8f45c80bbc293678b1fdf7b1157f94440eefceb9bb867132ee1f4666797e355a
SHA512

d7f3e8c009f7701eb62b10b4cd1814ddc54ab7a8ff2b09b2f3c8a6548cca152d3489fc3c234afb7f7d603a14f670e17f69ab37af385ff58113c1b0d249a1f459
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZk:0UzeyQMS4DqodCnoe+iitjWwwA

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Targets

- Target
  
  e2a026dca73745b48fb6cf6f20eba210_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  e2a026dca73745b48fb6cf6f20eba210
- SHA1
  
  5e6b0c1f3313819bf669c75490132d2cf46876c3
- SHA256
  
  8f45c80bbc293678b1fdf7b1157f94440eefceb9bb867132ee1f4666797e355a
- SHA512
  
  d7f3e8c009f7701eb62b10b4cd1814ddc54ab7a8ff2b09b2f3c8a6548cca152d3489fc3c234afb7f7d603a14f670e17f69ab37af385ff58113c1b0d249a1f459
- SSDEEP
  
  24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZk:0UzeyQMS4DqodCnoe+iitjWwwA
Score

10^/10

pony discovery evasion persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponydiscoveryevasionpersistenceratspywarestealer

behavioral2

ponydiscoveryevasionpersistenceratspywarestealer