pony | b2050e70dd2d045b445e372f31e83215291e2128b95461498c91de7d6f82e3af

Analysis

max time kernel
93s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
Size

556KB
MD5

e6b6af3fa3af6e9f4ae44fce90988389
SHA1

bd325fdf83d8c2d37f04163a07d3ec8eea58bba9
SHA256

b2050e70dd2d045b445e372f31e83215291e2128b95461498c91de7d6f82e3af
SHA512

88a68cfac89f56a8f9c680de1de47c51125e7dc266592978a39dd145aec190b33d5d5cf5b437162235351c1cb4a1909d8a1d47fc65d372615a9ed898f3675558
SSDEEP

6144:xIoSRgtpfD2ywM9r6o/AT59zMXd509EdXYH0U5p4:xwCfD2A9mS859YXdKgn3

Score

10^/10

pony collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://jo-blanc-fils.com/vsop/panelnew/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1064	vbc.exe
Token: SeTcbPrivilege	1064	vbc.exe
Token: SeChangeNotifyPrivilege	1064	vbc.exe
Token: SeCreateTokenPrivilege	1064	vbc.exe
Token: SeBackupPrivilege	1064	vbc.exe
Token: SeRestorePrivilege	1064	vbc.exe
Token: SeIncreaseQuotaPrivilege	1064	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1064	vbc.exe
Token: SeImpersonatePrivilege	1064	vbc.exe
Token: SeTcbPrivilege	1064	vbc.exe
Token: SeChangeNotifyPrivilege	1064	vbc.exe
Token: SeCreateTokenPrivilege	1064	vbc.exe
Token: SeBackupPrivilege	1064	vbc.exe
Token: SeRestorePrivilege	1064	vbc.exe
Token: SeIncreaseQuotaPrivilege	1064	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1064	vbc.exe
Token: SeImpersonatePrivilege	1064	vbc.exe
Token: SeTcbPrivilege	1064	vbc.exe
Token: SeChangeNotifyPrivilege	1064	vbc.exe
Token: SeCreateTokenPrivilege	1064	vbc.exe
Token: SeBackupPrivilege	1064	vbc.exe
Token: SeRestorePrivilege	1064	vbc.exe
Token: SeIncreaseQuotaPrivilege	1064	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1064	vbc.exe
Token: SeImpersonatePrivilege	1064	vbc.exe
Token: SeTcbPrivilege	1064	vbc.exe
Token: SeChangeNotifyPrivilege	1064	vbc.exe
Token: SeCreateTokenPrivilege	1064	vbc.exe
Token: SeBackupPrivilege	1064	vbc.exe
Token: SeRestorePrivilege	1064	vbc.exe
Token: SeIncreaseQuotaPrivilege	1064	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1064	vbc.exe
Token: SeImpersonatePrivilege	1064	vbc.exe
Token: SeTcbPrivilege	1064	vbc.exe
Token: SeChangeNotifyPrivilege	1064	vbc.exe
Token: SeCreateTokenPrivilege	1064	vbc.exe
Token: SeBackupPrivilege	1064	vbc.exe
Token: SeRestorePrivilege	1064	vbc.exe
Token: SeIncreaseQuotaPrivilege	1064	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1064	vbc.exe
Token: SeImpersonatePrivilege	1064	vbc.exe
Token: SeTcbPrivilege	1064	vbc.exe
Token: SeChangeNotifyPrivilege	1064	vbc.exe
Token: SeCreateTokenPrivilege	1064	vbc.exe
Token: SeBackupPrivilege	1064	vbc.exe
Token: SeRestorePrivilege	1064	vbc.exe
Token: SeIncreaseQuotaPrivilege	1064	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1064	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 3792	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	82
PID 2516 wrote to memory of 3792	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	82
PID 2516 wrote to memory of 3792	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	82
PID 3792 wrote to memory of 844	3792	csc.exe	84
PID 3792 wrote to memory of 844	3792	csc.exe	84
PID 3792 wrote to memory of 844	3792	csc.exe	84
PID 2516 wrote to memory of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85
PID 2516 wrote to memory of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85
PID 2516 wrote to memory of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85
PID 2516 wrote to memory of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85
PID 2516 wrote to memory of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85
PID 2516 wrote to memory of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85
PID 2516 wrote to memory of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85
PID 2516 wrote to memory of 1064	2516	e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe	85
PID 1064 wrote to memory of 4100	1064	vbc.exe	86
PID 1064 wrote to memory of 4100	1064	vbc.exe	86
PID 1064 wrote to memory of 4100	1064	vbc.exe	86

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6b6af3fa3af6e9f4ae44fce90988389_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s1bdzd25\s1bdzd25.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68DC.tmp" "c:\Users\Admin\AppData\Local\Temp\s1bdzd25\CSC96CD459A66234D85AACE152242242143.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:844
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240610656.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240610656.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES68DC.tmp

Filesize
1KB

MD5
bf7e155f0c7a41a264933aff3bd6f164

SHA1
bcd8f2b0a21842f43790d6fb51132de3e05f8906

SHA256
40c2577a292cb8b7f1c96fbc497d6378f1f5018f293eaedc6b6bb850f25749da

SHA512
153a1d18fcd55204d6cec954831fa31937474b52448b274b8b5bd68de764d97a73932ee5f4c54719ffd620f9be3fcb7662d8ecdf41eb7f0be276b433d6a336a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1bdzd25\s1bdzd25.dll

Filesize
7KB

MD5
11e2069a2ecfc51f57b79237939d8380

SHA1
3393ce43b7ac7935c651087325017d2457fc95e4

SHA256
60a606901cba6167e7d26cfe4f6ec5bbf7d7290ab7c6c8c5e6d0ac9d36cc5d97

SHA512
a90af6395d239c49cbbe57db1e032bb075c9856804649547c31ba0f494cfe1397c36ccd8372e1bca9808c262cb0a0bb70d943fc8c638b8ca24622a51b363b444

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1bdzd25\s1bdzd25.pdb

Filesize
19KB

MD5
9adcfd54782eb07f19cf4c34cf206563

SHA1
8e4b49941442daec4ce3b72c90f39155bfe8eb37

SHA256
820f33303219cdd182f374bfd7678f9631e9172c6b212e19b6f6539fdeb82bca

SHA512
907c58e6d7fdbfcadd74b3ff57562afcc6948734a1b1e394b39ecca2b1d118a5e72133933b06aa976a1f05e7febfbec45afd6a11b6bba7deafc089baa6d4324a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1bdzd25\CSC96CD459A66234D85AACE152242242143.TMP

Filesize
1KB

MD5
34b67b8ddf798f325bcb745b220f27af

SHA1
591e26f6eabf6531e4191c9a5f57a055c9b34f3f

SHA256
faf1dfc52c964cec20ff3165d91fac64e3239d0c452c225e518170d1b354fc94

SHA512
8c7186abcd57657f68637b715b3dae3403df9e17b78ecce89475889b688414c27074bf1ac798bd9acadd19182b8a72a54d33f79caa2865386531c85349ea7049

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1bdzd25\s1bdzd25.0.cs

Filesize
6KB

MD5
be3ee94e0df736f6079cf3f82039b9b9

SHA1
b1e5a6f2cf3790dd17e19dbe9d4f881b7922c817

SHA256
44b89526f2f795feff6e5c6762e55466699f8e6b09f74aff7968b94c1249e1fd

SHA512
655b49fcd792823219e5381e2e232606e86296d46e8b6b37c1c2656eb98927bce532aca4179584a595b00c612c569ee870da00a5f8684cb461d2a29d948aedb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1bdzd25\s1bdzd25.cmdline

Filesize
312B

MD5
85ee4517aa6f2a2f81c8110b2570b1cb

SHA1
8eab910352cdb0dc12c50ce71de5f58b55cab8dc

SHA256
e63695b62e14071397bfde7482bba58698ef63dbf821ea14a52a0aaf8f872bbd

SHA512
f28aceddb899374de037643b1f1f1fb4360fb3f0c3961a06939fc18d15d24b39e846db536dc98ffd2ef4ca2fc96b062e24311ef2f03713d7f80c124c6fb14903

Download Submit
memory/1064-27-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1064-36-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1064-35-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1064-30-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2516-3-0x0000000002DD0000-0x0000000002DD8000-memory.dmp

Filesize
32KB

Download
memory/2516-21-0x00000000053F0000-0x0000000005416000-memory.dmp

Filesize
152KB

Download
memory/2516-22-0x0000000005420000-0x000000000542C000-memory.dmp

Filesize
48KB

Download
memory/2516-25-0x0000000005550000-0x0000000005569000-memory.dmp

Filesize
100KB

Download
memory/2516-26-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/2516-2-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/2516-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/2516-31-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2516-19-0x0000000002DE0000-0x0000000002DE8000-memory.dmp

Filesize
32KB

Download
memory/2516-4-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2516-1-0x00000000008E0000-0x000000000093E000-memory.dmp

Filesize
376KB

Download