General

  • Target

    fa242b0ab4a25ab86c7b7edbe1362938_JaffaCakes118

  • Size

    157KB

  • Sample

    240927-lbnpvavhjj

  • MD5

    fa242b0ab4a25ab86c7b7edbe1362938

  • SHA1

    97e171208589c9bc0e6500663a475990f6925846

  • SHA256

    b66eb4fbd5e1e91345c35b6b282d6c76e367754dfeec645b304a22e636fa4c48

  • SHA512

    d5b70fdd8aac44bcad756775f3b3ef1bc80fa9637ba310a79dcd388df962062cdaf70f5b524a93a5488bfc81cce30862aa4211c23ad12ec20827890b2370d189

  • SSDEEP

    3072:iueT6TNFCaIxBhi4cXAk6S7+MeJJooCJ:ih6TNFCaIxBhz1FSyJJy

Malware Config

Extracted

Family

pony

C2

http://67.215.225.205:8080/forum/viewtopic.php

http://66.175.215.102/forum/viewtopic.php

Attributes

  • payload_url

    http://www.chandlerbacker.com/J9K.exe

    http://bobinlaminasyonmakinalari.com/o9RYHbCx.exe

    http://broadbentcompany.wsisrdev.com/KbGb.exe

Targets

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
