General
Target: 8bccc208bb1ae5536b0f3aa7fadd8763_JaffaCakes118
Size: 131KB
Sample: 241103-q59avswekp
MD5: 8bccc208bb1ae5536b0f3aa7fadd8763
SHA1: 2277ad55a0a9858556221b8949c5a9227d3ef3a4
SHA256: bdb838b07159c1922c856230fd6f9072f9e7c1abf7b9df60688fb064d7a7877b
SHA512: 52bc6f27d0867d2886604df8fafb3f33796f58e9b8ffc67ec74072d933e6dcbbce89692ecee9f1ce0076636ab6b02e7812426ca32ec40d9789822835a856477d
SSDEEP: 3072:u3Q46t/MSpDWkkUFxlrVTQEUEHF4USR9J:R4OMSpTkUFxNFFHmUAJ
Static task: static1
Behavioral task: behavioral1
  Sample: 8bccc208bb1ae5536b0f3aa7fadd8763_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 8bccc208bb1ae5536b0f3aa7fadd8763_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted
Family: pony
  http://91.207.6.142:8080/ponys/gate.php
  http://50.116.37.86/ponys/gate.php
payload_url:
  http://drdeborahramanathan.com/8MASdZqM/CK6.exe
  http://crafteria.com.np/n1xfTcS0/J3seBW.exe
  http://thinksmart.us/WLYgCSq5/BeJ.exe
Targets
Target: 8bccc208bb1ae5536b0f3aa7fadd8763_JaffaCakes118 (size and hashes as listed under General)
- Pony family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext