Extracted

• • Target

    f967a2804930393bc3234957bb0d99c3_JaffaCakes118

  • Size

    2.2MB

  • MD5

    f967a2804930393bc3234957bb0d99c3

  • SHA1

    6862a6b2cac87e146888901cad620d56381f115f

  • SHA256

    d47277350e6e5c15f013c2af98ae8a51fea1ebd02acb9db40417e43c017066c6

  • SHA512

    9b8c5584c5a29b003ec877efea00e18f38e95bc27e462d33007ba2eb85663ed3dbd22ec412edadad2d28d7af8a757f2f11d2572fe1d3df893fec6224933c1bda

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZj:0UzeyQMS4DqodCnoe+iitjWwwf

  Score

  10^/10

  ponydefense_evasiondiscoveryevasionpersistenceratspywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Drops startup file

  • Executes dropped EXE

  • Impair Defenses: Safe Mode Boot

    defense_evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1