Overview

overview

10

Static

static

3

f042c3d91c...18.exe

windows7-x64

10

f042c3d91c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2024 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f042c3d91cb5dfc15af65b34b8aabf83_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    f042c3d91cb5dfc15af65b34b8aabf83

  • SHA1

    9687da5e942c82321eedcdf829613d7a59164c45

  • SHA256

    e720cfc376f2fbfddd818bc907038a3a9246aedc08fc92a866b0fc4e9e186498

  • SHA512

    eb8c1475526b64b3fd75cf204ad8780ab7923b32adae7c75efe39d61c842e2878ed1488e6a97c9ee94e9cc2a816cec2df761614125fc7b991276bb2df6428cda

  • SSDEEP

    1536:F7XGnNa7IodZuIe8GugLa+AtTrcC42/ljWpwNklkLHT2jCgW9XQfNjU:FDGQHFsaV3ljD3HT2EYNo

Score
10/10
ponycollectioncredential_accessdefense_evasiondiscoverypersistenceratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://ozonehost.co.uk/gate.php

Signatures

  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f042c3d91cb5dfc15af65b34b8aabf83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f042c3d91cb5dfc15af65b34b8aabf83_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_win_path
      PID:404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240616343.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:836
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:3568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240616343.bat
    Filesize

    94B

    MD5

    3880eeb1c736d853eb13b44898b718ab

    SHA1

    4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

    SHA256

    936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

    SHA512

    3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Pony\tfHdpE.exe:ZONE.identifier
    Filesize

    27B

    MD5

    130a75a932a2fe57bfea6a65b88da8f6

    SHA1

    b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

    SHA256

    f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

    SHA512

    6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

    Download Submit

  • memory/404-3-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/404-5-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/404-7-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/404-17-0x0000000000470000-0x0000000000539000-memory.dmp

    Filesize

    804KB

    Download

  • memory/404-19-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2380-0-0x0000000075142000-0x0000000075143000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-1-0x0000000075140000-0x00000000756F1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2380-2-0x0000000075140000-0x00000000756F1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2380-11-0x0000000001600000-0x0000000001610000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2380-13-0x0000000075140000-0x00000000756F1000-memory.dmp

    Filesize

    5.7MB

    Download