General
Target: 2c9271d717674c7c4a889892e1ec6be9_JaffaCakes118
Size: 148KB
Sample: 241009-hdf61ayhlk
MD5: 2c9271d717674c7c4a889892e1ec6be9
SHA1: f8810345cfbc681cef05ad73f4fcfc67ff579838
SHA256: 9ae8c59dfb3e933e7374d0c5add6bdcfb023efdecaf11b0dc1fdd987ea946cdc
SHA512: add31181a70da7a0ae5ea1505a1514530232253c0534dbd87233f393d023dbd63f7f5ed4113abe0f7f7a5429f2272b601772b972e43104e06649ce5d633731e5
SSDEEP: 3072:9xW1zuXL7BmsunIucVWFaTC7PBNReAOR3p:9xW14LWIlWgTEFe1Z
Static task: static1
Behavioral task: behavioral1
Sample: 2c9271d717674c7c4a889892e1ec6be9_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2c9271d717674c7c4a889892e1ec6be9_JaffaCakes118.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted: pony
http://cowboyonmoto.com/forum/viewtopic.php
http://cowboyonmotocycle.com/forum/viewtopic.php
payload_url:
http://3073.a.hostable.me/Z2U.exe
http://85.18.21.252/PNV3Hbi.exe
Targets
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext