pony | b2050e70dd2d045b445e372f31e83215291e2128b95461498c91de7d6f82e3af

General

Target

e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
Size

556KB
MD5

e6b6af3fa3af6e9f4ae44fce90988389
SHA1

bd325fdf83d8c2d37f04163a07d3ec8eea58bba9
SHA256

b2050e70dd2d045b445e372f31e83215291e2128b95461498c91de7d6f82e3af
SHA512

88a68cfac89f56a8f9c680de1de47c51125e7dc266592978a39dd145aec190b33d5d5cf5b437162235351c1cb4a1909d8a1d47fc65d372615a9ed898f3675558
SSDEEP

6144:xIoSRgtpfD2ywM9r6o/AT59zMXd509EdXYH0U5p4:xwCfD2A9mS859YXdKgn3

Score

10^/10

pony collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://jo-blanc-fils.com/vsop/panelnew/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2604	vbc.exe
Token: SeTcbPrivilege	2604	vbc.exe
Token: SeChangeNotifyPrivilege	2604	vbc.exe
Token: SeCreateTokenPrivilege	2604	vbc.exe
Token: SeBackupPrivilege	2604	vbc.exe
Token: SeRestorePrivilege	2604	vbc.exe
Token: SeIncreaseQuotaPrivilege	2604	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2604	vbc.exe
Token: SeImpersonatePrivilege	2604	vbc.exe
Token: SeTcbPrivilege	2604	vbc.exe
Token: SeChangeNotifyPrivilege	2604	vbc.exe
Token: SeCreateTokenPrivilege	2604	vbc.exe
Token: SeBackupPrivilege	2604	vbc.exe
Token: SeRestorePrivilege	2604	vbc.exe
Token: SeIncreaseQuotaPrivilege	2604	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2604	vbc.exe
Token: SeImpersonatePrivilege	2604	vbc.exe
Token: SeTcbPrivilege	2604	vbc.exe
Token: SeChangeNotifyPrivilege	2604	vbc.exe
Token: SeCreateTokenPrivilege	2604	vbc.exe
Token: SeBackupPrivilege	2604	vbc.exe
Token: SeRestorePrivilege	2604	vbc.exe
Token: SeIncreaseQuotaPrivilege	2604	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2604	vbc.exe
Token: SeImpersonatePrivilege	2604	vbc.exe
Token: SeTcbPrivilege	2604	vbc.exe
Token: SeChangeNotifyPrivilege	2604	vbc.exe
Token: SeCreateTokenPrivilege	2604	vbc.exe
Token: SeBackupPrivilege	2604	vbc.exe
Token: SeRestorePrivilege	2604	vbc.exe
Token: SeIncreaseQuotaPrivilege	2604	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2604	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2176	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2176	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2176	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2176	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2940	2176	csc.exe	32
PID 2176 wrote to memory of 2940	2176	csc.exe	32
PID 2176 wrote to memory of 2940	2176	csc.exe	32
PID 2176 wrote to memory of 2940	2176	csc.exe	32
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2604	2900	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	33
PID 2604 wrote to memory of 940	2604	vbc.exe	34
PID 2604 wrote to memory of 940	2604	vbc.exe	34
PID 2604 wrote to memory of 940	2604	vbc.exe	34
PID 2604 wrote to memory of 940	2604	vbc.exe	34

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fwjdtgc4\fwjdtgc4.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B03.tmp" "c:\Users\Admin\AppData\Local\Temp\fwjdtgc4\CSCBE7BD69BD1E4641B2DC354E4CD17099.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259424623.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259424623.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6B03.tmp

Filesize
1KB

MD5
062638a57edbfd2af561d918149ad4f0

SHA1
b9f7b3d79bd2e6ac5e0bbcc9bd49fdd697275243

SHA256
39c6ad22dc04ac010280bbcb5d3375cca46cd049d5796502a4c9011d43924755

SHA512
d2681932f365e190cf3da8a5cc69bae5a1430d99ba6ea2c96ca1d72f46765fdfaa6ff35392d4ac60d7668b949b9e48801b15c08364355e5f81aa3a361b23369f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwjdtgc4\fwjdtgc4.dll

Filesize
7KB

MD5
223d2ca4e417aa82f33bac9f4a479b43

SHA1
d9eafea0caefe995201259a8e8c010e0dff8d35a

SHA256
98fc561dc11141fa4d3338f5cb7b38662216ae285fd5ef98a559a785ba9cdf69

SHA512
16c0456fb7a555d54033f9cc174dfe033fadbd2e0db10395fcbad9cb7f8dac9611552943842bd1fb5a6ce65223537db0c0e39fa457cecf77571afa2b1137e573

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwjdtgc4\fwjdtgc4.pdb

Filesize
19KB

MD5
115f6e116495eab4e97f6d07021f4e9b

SHA1
0e7932075d5087a2fca9d14bab85f469a7de69d8

SHA256
fa8db37c01be583810e6729dab8bf98ebb115038f2f43e87f4cf1f91d5466bdd

SHA512
851605fd67f71d4bd5e0b85c33aea0a6d6dd00e6d7f1fe641db029d933dab2393a68a59aba8d0c940a393a03be64098540eb6e436474301455c40d3db9416ba8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwjdtgc4\CSCBE7BD69BD1E4641B2DC354E4CD17099.TMP

Filesize
1KB

MD5
9f9624c433cd5a7455ba77cb10c10f25

SHA1
e0f62eed32eaa1f6c2aafa03a035dc308ed62aab

SHA256
dcb3d90617893b7258d4ae32b953219ccb12ec5559df7e7327042eed5d338a5b

SHA512
a8376eeabe230c841ae50c8fad75bb1a4f098275c95c303519875501292531d5903f9016551f5b5042af5f6b8f477b6a4a67c2a1d655eb716f85cda35a89427a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwjdtgc4\fwjdtgc4.0.cs

Filesize
6KB

MD5
be3ee94e0df736f6079cf3f82039b9b9

SHA1
b1e5a6f2cf3790dd17e19dbe9d4f881b7922c817

SHA256
44b89526f2f795feff6e5c6762e55466699f8e6b09f74aff7968b94c1249e1fd

SHA512
655b49fcd792823219e5381e2e232606e86296d46e8b6b37c1c2656eb98927bce532aca4179584a595b00c612c569ee870da00a5f8684cb461d2a29d948aedb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwjdtgc4\fwjdtgc4.cmdline

Filesize
312B

MD5
26377fa0febd81a926b523ade487911f

SHA1
4c10383a20c5fdfacdbec1a944234a6d54a62584

SHA256
479ec353c60dd796d871772bb5caac5ef585b316ec2653951df5c254a444235c

SHA512
b4606f7800990a83cfcdc2f83d0b694985c0ca317cd62d9ca1629e160ceb95e80a5a243f95dd7679b0f12711e14bcd707f51d62028370a828a9a94e4bd1cc193

Download Submit
memory/2604-31-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2604-37-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2604-50-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2604-38-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2604-29-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2604-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-35-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2604-27-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2604-25-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2900-24-0x0000000001EB0000-0x0000000001EC9000-memory.dmp

Filesize
100KB

Download
memory/2900-21-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2900-0-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/2900-20-0x0000000001FC0000-0x0000000001FE6000-memory.dmp

Filesize
152KB

Download
memory/2900-3-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-18-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2900-39-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-1-0x00000000008C0000-0x000000000091E000-memory.dmp

Filesize
376KB

Download
memory/2900-2-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads