General

  • Target

    02d2b9ea4dcac72e5e3c01b97789dd00_JaffaCakes118

  • Size

    135KB

  • Sample

    240930-xmpl3azhjk

  • MD5

    02d2b9ea4dcac72e5e3c01b97789dd00

  • SHA1

    e4a30a5a07f6438d10d647a5300962d52b120340

  • SHA256

    dcdaa21b9078022adc255f69b4f45bccc05e2b1a636dac5302b9593cfd5a937f

  • SHA512

    bec51f0c65eb2d7adbba8cc71d834989de31c9e51e23a963f88438014b0b1e5801dcf9a4be4bcd712c13c4a15dd1281078ff3ce5e8039d97a01bd184ec9c76d1

  • SSDEEP

    1536:DwNXTx1wr/FsfyNDLPWElv9ybWyaL+W5HUYkBSy8JjEQS1CkjtEBeUS79Aj7:UNXTTLGKE19ybfaL+WeB2jePkSE

Malware Config

Extracted

Family

pony

C2

http://googleapis.com/gate.php

http://catch-cdn.com/gate.php

http://fbstatic-a.akamaihd.net/gate.php

http://l.yimg.com/gate.php

http://simple-cdn-node.com/gate.php

http://nym1.ib.adnxs.com/gate.php

http://cloud13.browser.ovi.com/gate.php

http://catch-cdn.com/1.exe?c=3

Attributes
  • payload_url

    http://catch-cdn.com/6.exe
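The C2 list above mixes the actual Pony gate hosts (catch-cdn.com, simple-cdn-node.com) with several well-known legitimate domains (googleapis.com, l.yimg.com, fbstatic-a.akamaihd.net, nym1.ib.adnxs.com, cloud13.browser.ovi.com). Blocking those hostnames would break Google, Yahoo, Akamai, AppNexus and Nokia services for the whole network, so a detection should match on the full host+path for them and fall back to hostname matching only for the unknown hosts. The following is an added example, not part of the sandbox report: it builds indicators from the extracted config and scans a constructed proxy log. The log format, sample lines, KNOWN_GOOD_HOSTS set and the generic "POST to /gate.php" heuristic are assumptions of this example.

```python
"""Match web-proxy log lines against the Pony C2 and payload URLs from the report.

Hypothetical example, not code from the report or from the Pony family.
The log format and the sample lines are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Values copied from the extracted config in the report.
C2_URLS = [
    "http://googleapis.com/gate.php",
    "http://catch-cdn.com/gate.php",
    "http://fbstatic-a.akamaihd.net/gate.php",
    "http://l.yimg.com/gate.php",
    "http://simple-cdn-node.com/gate.php",
    "http://nym1.ib.adnxs.com/gate.php",
    "http://cloud13.browser.ovi.com/gate.php",
    "http://catch-cdn.com/1.exe?c=3",
]
PAYLOAD_URLS = ["http://catch-cdn.com/6.exe"]

# Assumption of this example: hosts that are well-known legitimate infrastructure.
# They appear in the extracted config, but a hostname block would cause
# network-wide false positives, so they are only matched on host+path.
KNOWN_GOOD_HOSTS = {
    "googleapis.com",
    "fbstatic-a.akamaihd.net",
    "l.yimg.com",
    "nym1.ib.adnxs.com",
    "cloud13.browser.ovi.com",
}


def normalize(url):
    """Return (host, path) with the query string dropped and the host case-folded."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path or "/"


def build_indicators(c2_urls, payload_urls):
    """Split indicators into exact (host, path) pairs and a hostname blocklist.

    Only hosts outside KNOWN_GOOD_HOSTS go on the hostname list.
    """
    exact = {normalize(u) for u in c2_urls + payload_urls}
    block_hosts = {host for host, _ in exact if host not in KNOWN_GOOD_HOSTS}
    return exact, block_hosts


def scan(lines, exact, block_hosts):
    """Return [(line_no, reason)] for log lines that hit an indicator.

    Constructed log format: "<timestamp> <client_ip> <method> <url> <status>".
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the scan
        method, url = fields[2], fields[3]
        host, path = normalize(url)
        if (host, path) in exact:
            hits.append((n, "exact C2/payload URL match: %s%s" % (host, path)))
        elif host in block_hosts:
            hits.append((n, "contact with Pony host: %s" % host))
        elif path == "/gate.php" and method == "POST":
            # Heuristic (assumption): gate.php is the conventional Pony gateway name.
            hits.append((n, "POST to /gate.php on unlisted host: %s" % host))
    return hits


# Constructed sample log: line 3 is benign use of googleapis.com and must not fire.
SAMPLE_LOG = [
    "2024-09-30T10:00:01Z 10.0.0.5 POST http://catch-cdn.com/gate.php 200",
    "2024-09-30T10:00:02Z 10.0.0.5 GET http://catch-cdn.com/6.exe 200",
    "2024-09-30T10:00:03Z 10.0.0.7 GET http://googleapis.com/maps/api/js 200",
    "2024-09-30T10:00:04Z 10.0.0.7 POST http://l.yimg.com/gate.php 404",
    "2024-09-30T10:00:05Z 10.0.0.9 POST http://example-panel.test/gate.php 200",
    "2024-09-30T10:00:06Z 10.0.0.9 GET http://catch-cdn.com/1.exe?c=3 200",
    "2024-09-30T10:00:07Z 10.0.0.9 GET http://catch-cdn.com/favicon.ico 404",
]


def run(lines=SAMPLE_LOG):
    """Scan the sample log with the indicators derived from the report."""
    exact, block_hosts = build_indicators(C2_URLS, PAYLOAD_URLS)
    return scan(lines, exact, block_hosts)


if __name__ == "__main__":
    for n, reason in run():
        print("line %d: %s" % (n, reason))
```

The query string is dropped during normalization so that the 1.exe download matches regardless of the c= parameter; the 404 on l.yimg.com still counts, since a beacon attempt to a configured gate is the signal, not the server's answer.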

Targets

    • Target

      02d2b9ea4dcac72e5e3c01b97789dd00_JaffaCakes118

    • Size

      135KB

    • MD5

      02d2b9ea4dcac72e5e3c01b97789dd00

    • SHA1

      e4a30a5a07f6438d10d647a5300962d52b120340

    • SHA256

      dcdaa21b9078022adc255f69b4f45bccc05e2b1a636dac5302b9593cfd5a937f

    • SHA512

      bec51f0c65eb2d7adbba8cc71d834989de31c9e51e23a963f88438014b0b1e5801dcf9a4be4bcd712c13c4a15dd1281078ff3ce5e8039d97a01bd184ec9c76d1

    • SSDEEP

      1536:DwNXTx1wr/FsfyNDLPWElv9ybWyaL+W5HUYkBSy8JjEQS1CkjtEBeUS79Aj7:UNXTTLGKE19ybfaL+WeB2jePkSE

    • Pony,Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan, not a remote access tool: it harvests saved logins from FTP clients, web browsers and mail clients, posts them to its gate.php panel over plain HTTP, and can download and run further executables (the 1.exe and 6.exe URLs in the extracted config).

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla (for FileZilla, sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla, which hold saved server logins).

    • Reads user/profile data of web browsers

      Infostealers read browser profile directories, which hold saved logins, cookies and autofill data.

    • Unsecured Credentials: Credentials In Files (ATT&CK T1552.001)

      Steals credentials stored in plaintext or weakly protected files on disk.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the step process hollowing uses to redirect a suspended process to injected code.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant. Packing alone is not malicious; stock UPX can be reversed with upx -d, while a modified header usually needs manual unpacking.
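Individually, the behaviours above are also produced by legitimate software (FileZilla reads its own sitemanager.xml, an installer enumerates the Uninstall key). What distinguishes Pony is one process doing several of them in quick succession. The following is an added example, not part of the report: it correlates constructed endpoint events per process and flags a process that touches at least three of the credential-store categories the report lists. The event format, the sample events and the threshold are assumptions of this example; the file and registry paths are the real locations used by FileZilla, Chrome, Firefox, Outlook and Windows.

```python
"""Correlate host events per process against the credential-access behaviours
listed for this Pony sample.

Hypothetical example, not code from the report.  The event format
"<timestamp> pid=<n> <type> <target>" and the sample events are constructed.
"""
import re
from collections import defaultdict

# Each rule is (category, pattern over "<type> <target>").  Paths are the
# real ones for these programs; only the surrounding event format is invented.
RULES = [
    ("ftp_client_config",
     re.compile(r"FileAccess .*\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("browser_credentials",
     re.compile(r"FileAccess .*\\(Login Data|logins\.json|signons\.sqlite)$", re.I)),
    ("outlook_profiles",
     re.compile(r"RegRead HKCU\\Software\\Microsoft\\(Office\\[0-9.]+\\Outlook\\Profiles"
                r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles)", re.I)),
    ("installed_software_enum",
     re.compile(r"RegRead HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I)),
]

# Assumption: a process hitting this many distinct categories is Pony-like.
THRESHOLD = 3


def parse_event(line):
    """Return (pid, "<type> <target>") for a constructed event line, or None."""
    parts = line.split(None, 3)
    if len(parts) != 4 or not parts[1].startswith("pid="):
        return None
    return int(parts[1][4:]), parts[2] + " " + parts[3]


def correlate(lines):
    """Map pid -> sorted list of matched behaviour categories."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        pid, subject = parsed
        for category, pattern in RULES:
            if pattern.search(subject):
                seen[pid].add(category)
    return {pid: sorted(cats) for pid, cats in seen.items()}


def suspicious(lines, threshold=THRESHOLD):
    """Return pids whose distinct category count reaches the threshold."""
    return sorted(pid for pid, cats in correlate(lines).items() if len(cats) >= threshold)


# Constructed sample: pid 4120 behaves like the sample; 2212 is FileZilla
# reading its own config; 988 is an installer checking the Uninstall key.
SAMPLE_EVENTS = [
    r"2024-09-30T10:01:00Z pid=4120 FileAccess C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml",
    r"2024-09-30T10:01:00Z pid=4120 FileAccess C:\Users\bob\AppData\Roaming\FileZilla\recentservers.xml",
    r"2024-09-30T10:01:01Z pid=4120 FileAccess C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-09-30T10:01:01Z pid=4120 RegRead HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
    r"2024-09-30T10:01:02Z pid=4120 RegRead HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
    r"2024-09-30T10:05:00Z pid=2212 FileAccess C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml",
    r"2024-09-30T10:06:00Z pid=988 RegRead HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++",
    r"2024-09-30T10:07:00Z pid=3300 FileAccess C:\Users\bob\Documents\notes.txt",
]

if __name__ == "__main__":
    for pid, cats in correlate(SAMPLE_EVENTS).items():
        print(pid, cats)
    print("suspicious:", suspicious(SAMPLE_EVENTS))
```

Counting distinct categories rather than raw event hits keeps a single noisy program (FileZilla opening both of its XML files) below the threshold, while the stealer, which touches FTP, browser, mail and software-inventory data from one process, crosses it.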

MITRE ATT&CK Enterprise v15

Tasks