pony | b27401badf6bdffc6ea7040a152c5c62755cfdf9b21d95da797f1afccdd5a447

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe
Size

129KB
MD5

fa55fac61b50d22ea6c87e4ca290dcd5
SHA1

000d152c990cacf18735be9bdaa56e9a85b24e26
SHA256

b27401badf6bdffc6ea7040a152c5c62755cfdf9b21d95da797f1afccdd5a447
SHA512

f15fd7ad276cea21203982c7cea9e2133d04c3fd82a4bd7768e43611f93e7c9f8b2b8b633b48a6abcc49383d06dce0fd3c71a25ab786494b377985a886f132ce
SSDEEP

1536:UUBiFqtXmPmgC9GcvLci0wLOQqOZD03XuCLMw+ucYmOI3JVgRYpecRmBCaOD9RMi:UOn16mg2GW9vOy+nuq4DVkK3R/jrMf

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://67.215.225.205:8080/forum/viewtopic.php

http://69.194.192.222/forum/viewtopic.php

Attributes

payload_url
http://www.drachenboot-strausberg.de/rgbykPm.exe

http://realitycoaching.es/23sf.exe

http://kms-anwaelte.de/mvCo.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4640	2636	fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe	82
PID 2636 wrote to memory of 4640	2636	fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe	82
PID 2636 wrote to memory of 4640	2636	fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fa55fac61b50d22ea6c87e4ca290dcd5_JaffaCakes118.exe"
  2⤵
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-0-0x0000000000410000-0x0000000000434000-memory.dmp

Filesize
144KB

Download
memory/2636-1-0x0000000000410000-0x0000000000434000-memory.dmp

Filesize
144KB

Download