General

  • Target

    a9f31e44b6d1e3c9a4a1363ad76b7425_JaffaCakes118

  • Size

    110KB

  • Sample

    241127-2k9lnszmdj

  • MD5

    a9f31e44b6d1e3c9a4a1363ad76b7425

  • SHA1

    98b2480e4c3ab25851afdd8e34c30bc04a29384b

  • SHA256

    440df666e4ba3c8d14b24c9104543813c26cebb17b3230e195dcb19fc1fb4775

  • SHA512

    d3cb885572c0a180afd327130b9b3ea48782183bb6b9ff5ee393bd02d2af70d06464b1cd536719612fd8dbecdbc7748afcbaf328a93500d8f6f9b2b71ce23a3b

  • SSDEEP

    1536:BE8EMjWkKlPTk3gCP2dnMo2gDQMZGiPZzeVtgdK0Nhf+XnL+5:BE8iDXdnMHgDLZ7PzM8mb+5

Malware Config

Extracted

Family

pony

C2

http://www.bing.com/gate.php

http://pages.ebay.com/gate.php

http://ngnetworld.com/gate.php

http://wordpress.com/gate.php

http://simple-cdn-node.com/gate.php

http://www.microsoft.com/gate.php

http://ngnetworld.com/1.exe?c=4

Attributes
  • payload_url

    http://ngnetworld.com/6.exe

Targets

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15