pony | f50d19de03a8eb83ce9dd7faaa5ddb04d490d0227dd67a65ab78bf4764b10b13 | Triage

Sharing

General

Target

fe5dd1ba072846c2235e834f17fd50f4_JaffaCakes118
Size

2.2MB
Sample

240929-mwmtqa1ckq
MD5

fe5dd1ba072846c2235e834f17fd50f4
SHA1

6f1a895635fd9f8627cedc63c3152c16917eac3a
SHA256

f50d19de03a8eb83ce9dd7faaa5ddb04d490d0227dd67a65ab78bf4764b10b13
SHA512

90548b0716f3761eadc0e2c179b2c16efc10b18348e635ceec0f8844a2e5aca8ab316543a8982cfd231597d286846762875b6eb8927a9c0fdceff9b80928a8a7
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZC:0UzeyQMS4DqodCnoe+iitjWwwW

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Targets

- Target
  
  fe5dd1ba072846c2235e834f17fd50f4_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  fe5dd1ba072846c2235e834f17fd50f4
- SHA1
  
  6f1a895635fd9f8627cedc63c3152c16917eac3a
- SHA256
  
  f50d19de03a8eb83ce9dd7faaa5ddb04d490d0227dd67a65ab78bf4764b10b13
- SHA512
  
  90548b0716f3761eadc0e2c179b2c16efc10b18348e635ceec0f8844a2e5aca8ab316543a8982cfd231597d286846762875b6eb8927a9c0fdceff9b80928a8a7
- SSDEEP
  
  24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZC:0UzeyQMS4DqodCnoe+iitjWwwW
Score

10^/10

pony discovery evasion persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponydiscoveryevasionpersistenceratspywarestealer

behavioral2

ponydiscoveryevasionpersistenceratspywarestealer