General

  • Target

    e70e84f1c336e6a16632e9155b8c4c01_JaffaCakes118

  • Size

    157KB

  • Sample

    240917-r5yd2aydnc

  • MD5

    e70e84f1c336e6a16632e9155b8c4c01

  • SHA1

    ab67ec30fff642cd6ee60be07bf003a70f90baa0

  • SHA256

    d2885a46bb252098f56aa60be74bd5aea0f3fed608367ab10322dbd1a9489330

  • SHA512

    c283c4c2b3e2ff7776e972ccbb7e2a512bdca5510d0232d64a731a65b25fde467d13af4df31cd32bf66414e5227714817ae8bcfaba5d2fcb5614ad1f029ceea9

  • SSDEEP

    3072:gm1dipHTNFXtxeB7PGuqFMXfYjMZvYlWJR:gm1oHTNFXWB7PGuBfYGvkWJ

Malware Config

Extracted

Family

pony

C2

http://67.215.225.205:8080/forum/viewtopic.php

http://209.59.219.88/forum/viewtopic.php

Attributes
  • payload_url

    http://acwebnet.com/cueT50r.exe

    http://whatismyrenovationcost.com/XDQV2z.exe

    http://www.fahrsicherheit-cardrive.de/ZGg.exe

Targets

    • Target

      e70e84f1c336e6a16632e9155b8c4c01_JaffaCakes118

    • Size

      157KB

    • MD5

      e70e84f1c336e6a16632e9155b8c4c01

    • SHA1

      ab67ec30fff642cd6ee60be07bf003a70f90baa0

    • SHA256

      d2885a46bb252098f56aa60be74bd5aea0f3fed608367ab10322dbd1a9489330

    • SHA512

      c283c4c2b3e2ff7776e972ccbb7e2a512bdca5510d0232d64a731a65b25fde467d13af4df31cd32bf66414e5227714817ae8bcfaba5d2fcb5614ad1f029ceea9

    • SSDEEP

      3072:gm1dipHTNFXtxeB7PGuqFMXfYjMZvYlWJR:gm1oHTNFXWB7PGuBfYGvkWJ

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks