General

  • Target

    JaffaCakes118_4c6e47d894f898d67a6420092e8d7fc0

  • Size

    100KB

  • Sample

    250101-jd9nzs1ndk

  • MD5

    4c6e47d894f898d67a6420092e8d7fc0

  • SHA1

    aade6a01beda2700209da14bb279144666565f70

  • SHA256

    79d145976c2749d457e1e0c260010c7a88176fd5d83d85bb45d5c671d9e565fe

  • SHA512

    b3fcb2345c8cc6d2a9d309921682a229ced33861d9cb591ab89a29b1b69b43c845d52b893ccdb30a114ab76f01f4bfc2af24e9c8f4ee23982a965f9d2d0855f7

  • SSDEEP

    1536:S9RWycqOQ5DLSPxVEMsv+p6RVkkXGDbxvJNon24pNfbfUSF9/X:qRWxCu+MIhBXG/Zi24pNDB

Malware Config

Extracted

Family

pony

C2

http://mjrtgshki.info:4915/doc/black.php

http://mjrtgshki.info:888/doc/black.php

Attributes

  • payload_url

    http://hsdrgekjh.info:888/pic/Flash.exe

Targets

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan that steals information.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15