General

  • Target

    887680e7bd7b4bd05ffe046a31717198_JaffaCakes118

  • Size

    66KB

  • Sample

    241102-3ppbzaygjr

  • MD5

    887680e7bd7b4bd05ffe046a31717198

  • SHA1

    90a6cc6a3741085c0ee763ab7959717e3a381d26

  • SHA256

    82e3fbb73e16e1257ce7e1dc58b37536e3acd21d24793222b3cc7637683a6e58

  • SHA512

    e9ca19881ba509908a51e98d7d5df9cc7860a1e716c25f107c7b473b3f5cddccea87c4fb271968367cb54726e807636e2739d5ffdfbb02990caeeb9d41225f2c

  • SSDEEP

    768:LIJZ3K8301QQjdIBiaBac0fqdGL4LoOXP/UFGnxl1+s+qDNxjCsP80NFSf498AwP:Ia8k3IBiaB613ObksFDNJ5Su8N

Malware Config

Extracted

Family

pony

C2

http://kioggfa.info:9135/pic/fly.php

http://jmpwjhu.info:9135/pic/fly.php

Targets

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks