pony | f9926543c9ffa3eb205ca43a50ae6cc19bc37220ddbcdb5a6183b6eb26403b57

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac9a80407f6f6975e1a0b365aac4d2f5_JaffaCakes118.exe
Size

349KB
MD5

ac9a80407f6f6975e1a0b365aac4d2f5
SHA1

00ed26fedba781185d97f2a60e86a0a7bb907721
SHA256

f9926543c9ffa3eb205ca43a50ae6cc19bc37220ddbcdb5a6183b6eb26403b57
SHA512

1c57fa076f1c1121473b033b0d1086a4fb72928b3f8ded82c24693534dfe8cddd192c06f913f9a7059278090463caec12661ef1efd368999931bf89f8709ed08
SSDEEP

6144:W08dxS0rwvwW+RjEgrjkfMFh5JeTB/K12QNR+ilTnShVFauEPveXG8:er7WijaAha/KNzfTShVFGD8

Score

10^/10

pony credential_access discovery rat spyware stealer upx

Malware Config

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1384-44-0x0000000003440000-0x0000000003456000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac9a80407f6f6975e1a0b365aac4d2f5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ac9a80407f6f6975e1a0b365aac4d2f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac9a80407f6f6975e1a0b365aac4d2f5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mhh74D4.tmp

Filesize
48B

MD5
7707543930ec2fc4a232732fd392bfd3

SHA1
172d4720b9889044fe0ffe50c46b4de21f0349be

SHA256
c9250972acbeaccf7bd0f3c17b742f2f33274a83a143a8605751d5c2453b3a72

SHA512
97a6049dc3781777b51a9e4f8fa082866be2970af75531ab1f48ce01907d12ea712989e10165f8be9d0a826a44c9b36f78dc7f924889dd47e4a7660c824b9b98

Download Submit
memory/1384-10-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1384-9-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1384-11-0x0000000000400000-0x00000000004FC200-memory.dmp

Filesize
1008KB

Download
memory/1384-44-0x0000000003440000-0x0000000003456000-memory.dmp

Filesize
88KB

Download
memory/1384-45-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1384-46-0x0000000000400000-0x00000000004FC200-memory.dmp

Filesize
1008KB

Download