Overview

overview

10

Static

static

3

3f0fb4ca6f...18.exe

windows7-x64

10

3f0fb4ca6f...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3f0fb4ca6f6ef62bed660baf9a000cd1_JaffaCakes118

  • Size

    138KB

  • Sample

    241013-ld9ebstfjp

  • MD5

    3f0fb4ca6f6ef62bed660baf9a000cd1

  • SHA1

    c36eb7db544e1158b51fb88f64d7e97ffdce217c

  • SHA256

    dfa09ad7670c0f9a2200a35fa9260ead17d0b5ac22058cc3c2638e4398745320

  • SHA512

    e2b086e26bf48763420994ce59b7e914732e069b715aba522481e9d9a077a10ae16aaef108d2107ce10d9cb401fefc20a38eb5a423e8c0ef28a1c52f9d9addea

  • SSDEEP

    3072:i2jlHxKbQiVdXGqSp5QzPNkHinNE4G/iI9rwxc:i0lHxKbQ672Q+Hiq45Ihs

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://175.118.124.53:8080/ponyd/gate.php

http://midwdermatology.com:8080/ponyd/gate.php

http://www.bobadamsinc.com:8080/ponyd/gate.php

http://www.richadamsinc.com:8080/ponyd/gate.php
Attributes
  • payload_url

    http://cmonline.co.nz/WMfUsN.exe

    http://sportscutsofaugusta.com/jaU0gSf.exe

    http://109.228.14.232/NTG8.exe

    http://yamaha-stamatakis.gr/bar.exe

    http://e-chrono.gr/eSoBLYi.exe

    http://s175432170.onlinehome.us/YLi7yZLN.exe

Targets

    • Target

      3f0fb4ca6f6ef62bed660baf9a000cd1_JaffaCakes118

    • Size

      138KB

    • MD5

      3f0fb4ca6f6ef62bed660baf9a000cd1

    • SHA1

      c36eb7db544e1158b51fb88f64d7e97ffdce217c

    • SHA256

      dfa09ad7670c0f9a2200a35fa9260ead17d0b5ac22058cc3c2638e4398745320

    • SHA512

      e2b086e26bf48763420994ce59b7e914732e069b715aba522481e9d9a077a10ae16aaef108d2107ce10d9cb401fefc20a38eb5a423e8c0ef28a1c52f9d9addea

    • SSDEEP

      3072:i2jlHxKbQiVdXGqSp5QzPNkHinNE4G/iI9rwxc:i0lHxKbQ672Q+Hiq45Ihs

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks