General

  • Target

    033b555a32f4bcd2ab45bbb13bac6589_JaffaCakes118

  • Size

    134KB

  • Sample

    240930-zqtfjayenh

  • MD5

    033b555a32f4bcd2ab45bbb13bac6589

  • SHA1

    1ae2b723bbed2f8af180538a602c18f433eb249b

  • SHA256

    d93519cee3402660914d04db1ef70f5eb58291e5d36b39746afe0297ef40b0f0

  • SHA512

    9a388228744dbc6f9c5d064968c369bc590cadb32a98c30a318bd378d84b7b6411fc882de41408b80f1acdfb6c755f3c81ee046d6f31f8a62078e10713fb0202

  • SSDEEP

    1536:TEEUYRD1sny4WC+rIIRXxywxXKfvXVhqyAFX3aedaKTpMs9LXitZ3nd6sgevqwQ:TEERDEcIMs46fvWDBJR9LytFndBnZQ

Malware Config

Extracted

Family

pony

C2

http://rolex21.serverthuis.nl/po2/gate.php

http://rolex22.serverthuis.nl/po2/gate.php

http://rolex23.serverthuis.nl/po2/gate.php

http://rolex24.serverthuis.nl/po2/gate.php

http://rolex25.serverthuis.nl/po2/gate.php

Attributes
  • payload_url

    http://kangaz.pl/pub/11.exe

    http://kangaz.pl/pub/22.exe

    http://kangaz.pl/pub/33.exe

    http://bicelive.com/photos/include/11.exe

    http://bicelive.com/photos/include/22.exe

    http://bicelive.com/photos/include/33.exe

    http://www.meskellil-marina.com/slideshow/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/11.exe

    http://www.meskellil-marina.com/slideshow/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/22.exe

    http://www.meskellil-marina.com/slideshow/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/33.exe

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
