Overview

overview

10

Static

static

10

e34505b0a4...18.exe

windows7-x64

10

e34505b0a4...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e34505b0a488f480fb44ba948160cd53_JaffaCakes118

  • Size

    90KB

  • Sample

    240915-yh35bs1ajk

  • MD5

    e34505b0a488f480fb44ba948160cd53

  • SHA1

    85ac7fe846c5d3d2ad9bfbe4bfb6eeb84d50bb0e

  • SHA256

    f0c169f97e0321d0c5f0eacafc341914319652472a22a92f352a9eb57385d83a

  • SHA512

    5f20c71a9f181087dac419f45cba71688867f6a467fcb5c5bec80844cf19e3947e1466ce81455c3fb516fa39ba456871b744e3fb8f4ccbe2755e8fbfd8e3dd7c

  • SSDEEP

    1536:KgSU3wg/2ZqTesdiq3POMzDEVw+BTua0hMc6ONwtFTvGEiDkzZs:4Ux2Vq3POMzDiw+lzXON0wEiss

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://br1.irontrial.com:8080/forum/viewtopic.php

http://br1.pineapplesdonthavesleeves.com:8080/forum/viewtopic.php

http://89.166.50.40:8080/forum/viewtopic.php

http://6.magicalomaha.com/forum/viewtopic.php
Attributes
  • payload_url

    http://dynamotouren.de/4XM2f.exe

    http://app.bi.com.tr/fPFa.exe

    http://208.116.13.164/b6dK7rwV.exe

    http://ossenmoorpark.de/TzLenPA.exe

    http://www.seigner-art.at/fPsx8i.exe

    http://www.aboessen24.de/WWkULwkq.exe

Targets

    • Target

      e34505b0a488f480fb44ba948160cd53_JaffaCakes118

    • Size

      90KB

    • MD5

      e34505b0a488f480fb44ba948160cd53

    • SHA1

      85ac7fe846c5d3d2ad9bfbe4bfb6eeb84d50bb0e

    • SHA256

      f0c169f97e0321d0c5f0eacafc341914319652472a22a92f352a9eb57385d83a

    • SHA512

      5f20c71a9f181087dac419f45cba71688867f6a467fcb5c5bec80844cf19e3947e1466ce81455c3fb516fa39ba456871b744e3fb8f4ccbe2755e8fbfd8e3dd7c

    • SSDEEP

      1536:KgSU3wg/2ZqTesdiq3POMzDEVw+BTua0hMc6ONwtFTvGEiDkzZs:4Ux2Vq3POMzDiw+lzXON0wEiss

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks