General

  • Target

    16625f5ee30ba33945b807fb0b8b2f9e_JaffaCakes118

  • Size

    80KB

  • Sample

    241005-gd99eaydjl

  • MD5

    16625f5ee30ba33945b807fb0b8b2f9e

  • SHA1

    a9759e9000a04fe090b4f7cfa9dde9b2c0947c54

  • SHA256

    755d3ccd26b99ae2ccae8483847a2e42f8756884e1f11eb05d637d383d90362f

  • SHA512

    ca0e2000e00843555c7917ee08f8910ffd1f319e4c206fb8dac28663186b02b0113e435b9e03e4e4e8ac64966d71130a922abcec16c224f0841196fa1be059c7

  • SSDEEP

    1536:7MCEZ7wJSFfiaUflrb55qm4M5NUFdKMMM06LJyTHGvRkaoV/H7JAbh9Cuo3ZI:787w8jMt5qm4M5NUHM16ayRg/H1AtBoq

Malware Config

Extracted

Family

pony

C2

http://ser.foryourcatonly.com/forum/viewtopic.php

http://ser.luckypetspetsitting.com/forum/viewtopic.php

Attributes

  • payload_url

    http://dechotheband.gr/5Wjm3iV2.exe

    http://barisdogalurunler.com/9BMu2.exe

    http://alpertarimurunleri.com/rRq.exe

    http://oneglobalexchange.com/19J.exe

    http://rumanas.org/1vAWoxz3.exe

    http://www.10130138.wavelearn.de/4pxp.exe

    http://visiosofttechnologies.com/iDm9vs.exe

    http://sgisolution.com.br/jq5.exe

    http://plusloinart.be/Ue7cHNm.exe

    http://marengoit.pl/ZBrBpBh2.exe

Targets

    • Target

      16625f5ee30ba33945b807fb0b8b2f9e_JaffaCakes118

    • Size

      80KB

    • MD5

      16625f5ee30ba33945b807fb0b8b2f9e

    • SHA1

      a9759e9000a04fe090b4f7cfa9dde9b2c0947c54

    • SHA256

      755d3ccd26b99ae2ccae8483847a2e42f8756884e1f11eb05d637d383d90362f

    • SHA512

      ca0e2000e00843555c7917ee08f8910ffd1f319e4c206fb8dac28663186b02b0113e435b9e03e4e4e8ac64966d71130a922abcec16c224f0841196fa1be059c7

    • SSDEEP

      1536:7MCEZ7wJSFfiaUflrb55qm4M5NUFdKMMM06LJyTHGvRkaoV/H7JAbh9Cuo3ZI:787w8jMt5qm4M5NUHM16ayRg/H1AtBoq

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks