General

  • Target

    137c573dc84f50fc37a93c78c1c7571b_JaffaCakes118

  • Size

    122KB

  • Sample

    241004-qe5jzswarm

  • MD5

    137c573dc84f50fc37a93c78c1c7571b

  • SHA1

    8a938a9993505b49a3baa8fc5a9d8ac1a65b85e8

  • SHA256

    aa00e6977ffea2039f8e87fd8836a861fe862fc8d74bf2fc0757ca722c689120

  • SHA512

    f4e1e62c9d29775b30003fccd86cd5d7033bde2b495db87b2f246dfe75fa3efba1fc94ccec90fe312c89305b030a16ac5a8389b9f9f95ef022ca2f6a5279f962

  • SSDEEP

    1536:MtjWHsL2LalqXz3cDYX5tZg98h1Zit9F4d0HjQvN6Dmg7j/ehcrZbdLg14bL8lxf:ALZlqXjc0X5Yh92GQFwBLklD1nRt

Malware Config

Extracted

Family

pony

C2

http://2.cmisdfoundation.com/forum/viewtopic.php

http://2.williams-farm.com/forum/viewtopic.php

Attributes
  • payload_url

    http://vetriautoroma.com/1JFHgp.exe

    http://onewaytransportproducts.com/e1Vemf.exe

    http://jonwatkins.com/5aN.exe

    http://jiva-voda.com/qoRHC.exe

Targets

    • Target

      137c573dc84f50fc37a93c78c1c7571b_JaffaCakes118

    • Size

      122KB

    • MD5

      137c573dc84f50fc37a93c78c1c7571b

    • SHA1

      8a938a9993505b49a3baa8fc5a9d8ac1a65b85e8

    • SHA256

      aa00e6977ffea2039f8e87fd8836a861fe862fc8d74bf2fc0757ca722c689120

    • SHA512

      f4e1e62c9d29775b30003fccd86cd5d7033bde2b495db87b2f246dfe75fa3efba1fc94ccec90fe312c89305b030a16ac5a8389b9f9f95ef022ca2f6a5279f962

    • SSDEEP

      1536:MtjWHsL2LalqXz3cDYX5tZg98h1Zit9F4d0HjQvN6Dmg7j/ehcrZbdLg14bL8lxf:ALZlqXjc0X5Yh92GQFwBLklD1nRt

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
