General

  • Target

    8c8a043a50d754beb906215e3bba7dd3_JaffaCakes118

  • Size

    894KB

  • Sample

    241103-vhe6qazcrq

  • MD5

    8c8a043a50d754beb906215e3bba7dd3

  • SHA1

    00ba84424821a7d8a50aa4c9419ae14b48d2ba58

  • SHA256

    cb5c12b4a3fa286e1995422a88edf24b36f297395cf564bb21dd595d477626ab

  • SHA512

    01ca95f95c64ce1f79ebb85f4d14e687b4b93d92c17388c2107c0b051fa72c8c69f4ba18f61c7d48f2ba2fa1a4692f49d11bee1790f5a26cc06d6882f2080e19

  • SSDEEP

    24576:IBVZkgnnxUVPfUmbbxFyTDWs9G51nV9G51n+mbbxFyTDWS:INk+iVPsuyTrkLk+uyTP

Malware Config

Extracted

Family

pony

C2

http://infovega.lt:8080/pony/gate.php

http://subdatapro.com:8008/pony/gate.php

Attributes
  • payload_url

    http://www.eb3btz.com/72fTmEXk/w9ks9.exe

    http://ftp.imperiumit.com.br/gvoWhVVf/kmSdem1.exe

    http://lavanderiatingemais.com.br/F6EyS5D7/A5m.exe

Targets

    • Target

      kmSdem1.exe

    • Size

      268KB

    • MD5

      dae810ed8cf180a99a0c0572b4f8f9b5

    • SHA1

      1923b46caac111b8fa04345cbfe9861e5fca7c32

    • SHA256

      f781f7a6d12d8e7581fa4ccd6365f3026af61df4b4a1b2d27d56e8b6bf118aea

    • SHA512

      5792e317bba8c5d4ca305fd427b03dd972e1e8057190695df6aac41b705ab7e3686fedb3da54fd806e1ebb04cc7a3eac1525a5f7a0c8e20279915a830505b7e8

    • SSDEEP

      6144:SKDFWqyd3oxcdzOjcufgM7e3lSQtZ0PoOKEtq70uHRinFBqLTabu0W:lDwu+OjcufWlvQoOKEtY/xUBqLSxW

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      readme[1].exe

    • Size

      93KB

    • MD5

      2bbe5400ffddde10f37a972d2be79f27

    • SHA1

      11580a46f86d0dffd43fa82b20c24c62100a0d9e

    • SHA256

      a72f6c724a461af7d85df7e1403012cf6f0c539e1d335be77605b6725b47465a

    • SHA512

      675e4bcf57006543111ef9d8914723671042556a59a1f5ff81deb65f7037c27e44dd436ec5fdf45d266c2b33a013c98089dfb9eb1d2b40f9a377be3c5c522dc9

    • SSDEEP

      1536:dGbia9GTRKHeYjtOHkbvNcyMqh23Us9HMM7XPhOsyMZzXlLrixqMUtbB5Aan2c:dGOEGT0HeSkIcy9h2rLXPQTWBLrvB5Am

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      voyjy.exe

    • Size

      268KB

    • MD5

      e0609d0655cb7d4e90a13dfda6b08937

    • SHA1

      baeb5c24af288db9980f37726b52b2e91feaeabf

    • SHA256

      892133290df85529ea22ad5cc27f251687e802f82ea87eb25cf5d58391cda016

    • SHA512

      a9c5759611744e07b06d8dbe442d7b2c231566c509b09767d4f3a8da3e8380162cff8c3011c4dfd792c7adf627503869c6ea8b34dbbe51462a031f3edafcb876

    • SSDEEP

      6144:qKD/vqyd3oxcdzWjcufgM7e3lSQtb0PoOKEtq70uHRinFBqLTabu0n:9DHu+WjcufWlvmoOKEtY/xUBqLSxn

    • Score

      3/10
    • Target

      w9ks9.exe

    • Size

      268KB

    • MD5

      dae810ed8cf180a99a0c0572b4f8f9b5

    • SHA1

      1923b46caac111b8fa04345cbfe9861e5fca7c32

    • SHA256

      f781f7a6d12d8e7581fa4ccd6365f3026af61df4b4a1b2d27d56e8b6bf118aea

    • SHA512

      5792e317bba8c5d4ca305fd427b03dd972e1e8057190695df6aac41b705ab7e3686fedb3da54fd806e1ebb04cc7a3eac1525a5f7a0c8e20279915a830505b7e8

    • SSDEEP

      6144:SKDFWqyd3oxcdzOjcufgM7e3lSQtZ0PoOKEtq70uHRinFBqLTabu0W:lDwu+OjcufWlvQoOKEtY/xUBqLSxW

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      wpbt0.dll

    • Size

      93KB

    • MD5

      2bbe5400ffddde10f37a972d2be79f27

    • SHA1

      11580a46f86d0dffd43fa82b20c24c62100a0d9e

    • SHA256

      a72f6c724a461af7d85df7e1403012cf6f0c539e1d335be77605b6725b47465a

    • SHA512

      675e4bcf57006543111ef9d8914723671042556a59a1f5ff81deb65f7037c27e44dd436ec5fdf45d266c2b33a013c98089dfb9eb1d2b40f9a377be3c5c522dc9

    • SSDEEP

      1536:dGbia9GTRKHeYjtOHkbvNcyMqh23Us9HMM7XPhOsyMZzXlLrixqMUtbB5Aan2c:dGOEGT0HeSkIcy9h2rLXPQTWBLrvB5Am

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks