General

  • Target

    814125b0ce13c08ee19186e0d2953843_JaffaCakes118

  • Size

    159KB

  • Sample

    241031-c3rq5sxgmg

  • MD5

    814125b0ce13c08ee19186e0d2953843

  • SHA1

    3ca81a57c7388834a4d4bb4d2239c605ffa9820d

  • SHA256

    e8cfa0b355e7edf3944a092a7fcfa24fbf5c699af32e996b692ed9d956f6dec9

  • SHA512

    c815eb0974cc7de1bdbfdfc9e01f301afbfd9c8544518ff0ecc7cbcdf957e7ef7b359200a010200df5be85f41072e722eb7c711aac8b1b0842ffdf47a9f21eff

  • SSDEEP

    3072:7doAAx8vuAsNJUvRmwnQr1ycBgyXIWOZuNKtVi:2dkQJUvQe41VYWguNKtQ

Malware Config

Extracted

Family

pony

C2

http://srv.usedcrotchrockets.com/forum/viewtopic.php

http://srv.michigancrotchrockets.com/forum/viewtopic.php

Attributes
  • payload_url

    http://apasaweb.com/JMwPrNzg.exe

    http://rochanhouse.com/VMS.exe

    http://www.as-you-likeit.co.uk/STPRvE6.exe

    http://kipadanceacademy.com/crvFb.exe

    http://nesamithran.com/eBB.exe

    http://william.one2.it/s74ZVST.exe

    http://adanadakidershaneler.com/vjsL.exe

    http://www.qtsinc.net/R2o.exe
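The extracted config is most useful as a set of network indicators. The script below is an added example, not part of the sandbox report or of any Pony tooling: it copies the C2 and payload_url values from the Malware Config section above, turns them into hostname/path indicators, and runs them over proxy log lines. The log lines and their format (timestamp, client, method, URL, status) are constructed for this example; adapt the field split to your own proxy format.

```python
"""Network indicators from the extracted Pony config, matched against
proxy log lines. Added example; URLs are copied from the report, the log
lines and their format are constructed for illustration."""
from urllib.parse import urlparse

# Copied verbatim from the report's Malware Config section.
C2_URLS = [
    "http://srv.usedcrotchrockets.com/forum/viewtopic.php",
    "http://srv.michigancrotchrockets.com/forum/viewtopic.php",
]
PAYLOAD_URLS = [
    "http://apasaweb.com/JMwPrNzg.exe",
    "http://rochanhouse.com/VMS.exe",
    "http://www.as-you-likeit.co.uk/STPRvE6.exe",
    "http://kipadanceacademy.com/crvFb.exe",
    "http://nesamithran.com/eBB.exe",
    "http://william.one2.it/s74ZVST.exe",
    "http://adanadakidershaneler.com/vjsL.exe",
    "http://www.qtsinc.net/R2o.exe",
]


def build_indicators(c2_urls, payload_urls):
    """Map (hostname, path) to a role label, and collect the bare hostnames.

    The gate path alone (/forum/viewtopic.php) is a generic phpBB page name
    and is NOT an indicator; only hostname+path is, so the dict is keyed on
    both. The hostname set catches other requests to the same servers.
    """
    ioc = {}
    for url in c2_urls:
        p = urlparse(url)
        ioc[(p.hostname.lower(), p.path)] = "pony_c2"
    for url in payload_urls:
        p = urlparse(url)
        ioc[(p.hostname.lower(), p.path)] = "pony_payload"
    hosts = {host for host, _ in ioc}
    return ioc, hosts


def scan_proxy_log(lines, c2_urls=C2_URLS, payload_urls=PAYLOAD_URLS):
    """Return one hit dict per log line that touches a known host.

    Exact hostname+path matches are labelled by role; any other request to
    a listed host is labelled pony_host_only so it is still surfaced.
    """
    ioc, hosts = build_indicators(c2_urls, payload_urls)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:          # malformed or empty line: skip
            continue
        ts, client, method, url, status = parts[:5]
        p = urlparse(url)
        host = (p.hostname or "").lower()
        if host not in hosts:
            continue
        label = ioc.get((host, p.path), "pony_host_only")
        hits.append({"line": n, "client": client, "method": method,
                     "url": url, "label": label})
    return hits


# Constructed proxy log: a benign request, a payload download, a check-in
# to the C2 gate, an unrelated path on a C2 host, and a real forum page
# whose path happens to equal the gate path (must not match).
SAMPLE_LOG = """\
1730337712.100 10.0.0.5 GET http://www.example.com/index.html 200
1730337715.410 10.0.0.5 GET http://apasaweb.com/JMwPrNzg.exe 200
1730337716.902 10.0.0.5 POST http://srv.usedcrotchrockets.com/forum/viewtopic.php 200
1730337720.030 10.0.0.7 GET http://srv.michigancrotchrockets.com/index.php 404
1730337721.000 10.0.0.5 GET http://phpbb.example.org/forum/viewtopic.php?t=1 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['label']:15} {hit['client']} "
              f"{hit['method']} {hit['url']}")
```

Pony sends harvested credentials to its gate with an HTTP POST, so a POST to one of the C2 URLs from an internal client is the strongest signal; GET requests to the payload URLs indicate the loader stage.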

Targets

    • Target

      814125b0ce13c08ee19186e0d2953843_JaffaCakes118


    • Pony family

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan rather than a remote-access tool: it harvests saved passwords from browsers, FTP clients and e-mail clients, posts them to its C2 gate, and can download and run further executables (the payload_url entries above).

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence (run only in, or avoid, certain countries).

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files saved by FTP clients such as FileZilla, which store hostnames, usernames and passwords for saved sites.

    • Reads user/profile data of web browsers

      Infostealers target stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Unsecured Credentials: Credentials In Files (T1552.001)

      Steals credentials from files that store them without protection, such as the client configuration files above.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
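The behaviour signatures above are derived from the sample's API trace: registry keys it opens and files it touches. The script below is an added example, not the sandbox's own signature code, that re-implements them over a constructed trace. The trace format (a list of dicts with `api`, `path` and `cmdline` fields), the sample's own path, and the exact registry and file paths matched are assumptions for this example; the Outlook key shown is the pre-Office-2013 profile location, and the self-delete check only covers the common cmd.exe `del` pattern.

```python
"""Re-implementation of the report's host-behaviour signatures over a
constructed API-call trace. Added example; the trace format, paths and
the sample's location are assumptions, not data from the report."""
import re

SELF_PATH = r"C:\Users\victim\AppData\Local\Temp\sample.exe"  # constructed

# Registry paths behind the report's signatures (matched case-insensitively).
REG_SIGNATURES = {
    "Checks computer location settings":
        re.compile(r"\\Control Panel\\International\\Geo(\\Nation)?$", re.I),
    "Checks installed software on the system":
        re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I),
    "Accesses Microsoft Outlook profiles":
        re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I),
}
# File paths: FileZilla site manager / recent servers, Chrome "Login Data",
# Firefox logins.json / signons.sqlite.
FILE_SIGNATURES = {
    "Reads data files stored by FTP clients":
        re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
    "Reads user/profile data of web browsers":
        re.compile(r"\\(Login Data|logins\.json|signons\.sqlite)$", re.I),
}
REG_APIS = ("RegOpenKey", "RegEnumKey", "RegQueryValue")
FILE_APIS = ("CreateFile", "NtCreateFile", "NtOpenFile")


def match_trace(trace, self_path=SELF_PATH):
    """Return {signature name: [matching paths or command lines]}."""
    hits = {}
    for ev in trace:
        api = ev["api"]
        if api.startswith(REG_APIS):
            for name, rx in REG_SIGNATURES.items():
                if rx.search(ev["path"]):
                    hits.setdefault(name, []).append(ev["path"])
        elif api in FILE_APIS:
            for name, rx in FILE_SIGNATURES.items():
                if rx.search(ev["path"]):
                    hits.setdefault(name, []).append(ev["path"])
        elif api == "CreateProcess":
            # "Deletes itself": a child shell asked to delete our own image.
            cmd = ev.get("cmdline", "")
            if re.search(r"\bdel\b", cmd, re.I) and self_path.lower() in cmd.lower():
                hits.setdefault("Deletes itself", []).append(cmd)
    return hits


# Constructed trace in the order an infostealer would typically run it.
TRACE = [
    {"api": "RegOpenKeyExW", "path": r"HKEY_CURRENT_USER\Control Panel\International\Geo"},
    {"api": "RegQueryValueExW", "path": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"api": "RegOpenKeyExW", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"api": "RegEnumKeyExW", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"api": "NtCreateFile", "path": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"api": "NtCreateFile", "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"api": "NtCreateFile", "path": r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"},
    {"api": "RegOpenKeyExW", "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"api": "NtCreateFile", "path": r"C:\Windows\System32\kernel32.dll"},  # benign, must not match
    {"api": "CreateProcess", "path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\victim\AppData\Local\Temp\sample.exe"'},
]

if __name__ == "__main__":
    for name, evidence in match_trace(TRACE).items():
        print(f"{name}: {len(evidence)} event(s)")
        for e in evidence:
            print(f"    {e}")
```

Real sandboxes score on the same kind of evidence; the point of the per-path regexes is that a single benign DLL load or a registry read unrelated to these keys produces no hit, while the combination of a geofence check, credential-file reads and a self-delete is what makes the sample look like Pony.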

MITRE ATT&CK Enterprise v15

Tasks