General
-
Target
454a16c95f12a5f5d0b69c2a38e9cd3c_JaffaCakes118
-
Size
186KB
-
Sample
241015-ch7xmaydjb
-
MD5
454a16c95f12a5f5d0b69c2a38e9cd3c
-
SHA1
0503848a1b14c43bcbeddb94af7fcd4782451dd4
-
SHA256
e6d8035eaf8c549ff6c98e9389bbbef2df38ce1a0b26816a7dd6d7c540ba5cf1
-
SHA512
8019091f45f617e96871ec2f18488be3588f1f1849575c6a682bb0c827dcede526f48950ae203169d5999f7ce9fdbe8c3b12e782d1e9d2b0b861dc0d890bae88
-
SSDEEP
3072:4FCFb7Fpl0W/tGqfRVIejjmVhPZ1W4HHrrZLPlQNM1HgvlNZnGWmAxoUr2:4oJzXtGYTIejjMNZ1hHHxPu61H+8WN2
Malware Config
Extracted
pony
http://46.165.243.157/light/dark.php
Targets
-
-
Target
454a16c95f12a5f5d0b69c2a38e9cd3c_JaffaCakes118
-
Size
186KB
-
MD5
454a16c95f12a5f5d0b69c2a38e9cd3c
-
SHA1
0503848a1b14c43bcbeddb94af7fcd4782451dd4
-
SHA256
e6d8035eaf8c549ff6c98e9389bbbef2df38ce1a0b26816a7dd6d7c540ba5cf1
-
SHA512
8019091f45f617e96871ec2f18488be3588f1f1849575c6a682bb0c827dcede526f48950ae203169d5999f7ce9fdbe8c3b12e782d1e9d2b0b861dc0d890bae88
-
SSDEEP
3072:4FCFb7Fpl0W/tGqfRVIejjmVhPZ1W4HHrrZLPlQNM1HgvlNZnGWmAxoUr2:4oJzXtGYTIejjMNZ1hHHxPu61H+8WN2
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-