Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

67f3acb7df...18.exe

windows7-x64

10

67f3acb7df...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/10/2024, 23:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe

  • Size

    188KB

  • MD5

    67f3acb7dff7ddc9801aa2844607b595

  • SHA1

    a01fc1bd4e5266f7f188db3662c76b064cc5c34e

  • SHA256

    03e9afc69df9326ea87906421eb788c622f82da769082538b72ec63857df014c

  • SHA512

    66aa4af1412d120ac4567736d9548804bc312eaae618abeb13c0e4acf6c1fabc3a47541ea783afc533ec10e029e6be7a55bbfefa6660e8e5eb4f74a4e3205f50

  • SSDEEP

    3072:Ffk1Yv6deFRNfMZU3t+PW1+1W3v1QRbjTp8OVio2V:iZUMq3D1+1Qvm9xV+

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://13.carnovirious.net/ponyb/gate.php

http://13.JONEMNOMINIK.NET/ponyb/gate.php

http://13.LOMERDASTER.NET/ponyb/gate.php

http://13.ZABAKARVESTER.NET/ponyb/gate.php
Attributes
  • payload_url

    http://www.ptci-md.org/gbQ2o1H.exe

    http://www.abn-capital.com/PfH.exe

    http://cancunie.com/v2km.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe"
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • outlook_win_path
    PID:2272

Network

  • flag-us
    DNS
    13.carnovirious.net
    67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    13.carnovirious.net
    IN A
    Response
  • flag-us
    DNS
    13.JONEMNOMINIK.NET
    67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    13.JONEMNOMINIK.NET
    IN A
    Response
  • flag-us
    DNS
    13.LOMERDASTER.NET
    67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    13.LOMERDASTER.NET
    IN A
    Response
No results found
  • 8.8.8.8:53
    13.carnovirious.net
    dns
    67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe
    65 B
     138 B
     1
    1

    DNS Request

    13.carnovirious.net

  • 8.8.8.8:53
    13.JONEMNOMINIK.NET
    dns
    67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe
    65 B
     138 B
     1
    1

    DNS Request

    13.JONEMNOMINIK.NET

  • 8.8.8.8:53
    13.LOMERDASTER.NET
    dns
    67f3acb7dff7ddc9801aa2844607b595_JaffaCakes118.exe
    64 B
     137 B
     1
    1

    DNS Request

    13.LOMERDASTER.NET

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2272-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2272-0-0x0000000000440000-0x0000000000459000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2272-2-0x0000000000440000-0x0000000000459000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2272-3-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.