General
-
Target
JaffaCakes118_04370e369cc6448272975ffd10dd469b
-
Size
122KB
-
Sample
241231-evtxmsxkdw
-
MD5
04370e369cc6448272975ffd10dd469b
-
SHA1
1be79ffa0f4d7b84bc65666c41f19c866c8f8869
-
SHA256
e299d5629ad87feafadd5aa75690f06b23a4c8f8b370c33682b0d2af16378fa1
-
SHA512
4bfdb19c65edec1cf19406644c11aa69160baaaf7d4cfbb67e274d4c5be5a49713597d9d079e8ce2251169353151588cee3b56749b16df122f9e173e4bd9b617
-
SSDEEP
3072:+sPDhBK0wdzRM5ODQLwTNvfwojARgQxJSuYW:+sNMJdz4OpvfwywgQ/3
Malware Config
Extracted
pony
http://volwsak.pw:681/fix/update.php
http://volekas.pw:681/fix/update.php
Targets
-
-
Target
JaffaCakes118_04370e369cc6448272975ffd10dd469b
-
Size
122KB
-
MD5
04370e369cc6448272975ffd10dd469b
-
SHA1
1be79ffa0f4d7b84bc65666c41f19c866c8f8869
-
SHA256
e299d5629ad87feafadd5aa75690f06b23a4c8f8b370c33682b0d2af16378fa1
-
SHA512
4bfdb19c65edec1cf19406644c11aa69160baaaf7d4cfbb67e274d4c5be5a49713597d9d079e8ce2251169353151588cee3b56749b16df122f9e173e4bd9b617
-
SSDEEP
3072:+sPDhBK0wdzRM5ODQLwTNvfwojARgQxJSuYW:+sNMJdz4OpvfwywgQ/3
Score10/10-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4