Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ec5d71aaab...18.exe

windows7-x64

10

ec5d71aaab...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ec5d71aaab639b829c6b2865db70ddb0_JaffaCakes118

  • Size

    88KB

  • Sample

    240919-24n43swbpg

  • MD5

    ec5d71aaab639b829c6b2865db70ddb0

  • SHA1

    82405c90dcdb1f3d5e99b0495f299a764a3c5227

  • SHA256

    a087e3f1c33b128744c132cde00f3ae8b2b08d2e85998a6fa74a533179c564f9

  • SHA512

    4f757940a54738564be64c825bd38231b381abaad7edbe874e10d02be35ed39fe168ad8e0bb8c2e7d435aa7275b0fad77fc77fb20ed789640e47fb3c948c6733

  • SSDEEP

    1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIbkzZ3:9dOy+ubiDBzv+1H4OgYEIU3

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://bmzblog.com/default.php?4b9187PiQJb5cIxvo3AXwcP7dWXLpXzvNsfggEaV

http://brooklynpremium.com/default.php?umYCIlD44q6r3AnRvikVA9ayAIoVGPie

http://klamicro.com/default.php?VigEk177LaVWSfP7CuOrTkf4OkgeqeWuZrCuVtl

http://install-cap.com.mx/default.php?eatnvawhIsLAk7LyERhnKD2gHZFvpH6XZ

http://globalpaytech.com/default.php?ybvEPFJRIQ9qQVW1E3dn43xZhAIgL5ceFp

Targets

    • Target

      ec5d71aaab639b829c6b2865db70ddb0_JaffaCakes118

    • Size

      88KB

    • MD5

      ec5d71aaab639b829c6b2865db70ddb0

    • SHA1

      82405c90dcdb1f3d5e99b0495f299a764a3c5227

    • SHA256

      a087e3f1c33b128744c132cde00f3ae8b2b08d2e85998a6fa74a533179c564f9

    • SHA512

      4f757940a54738564be64c825bd38231b381abaad7edbe874e10d02be35ed39fe168ad8e0bb8c2e7d435aa7275b0fad77fc77fb20ed789640e47fb3c948c6733

    • SSDEEP

      1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIbkzZ3:9dOy+ubiDBzv+1H4OgYEIU3

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks