
Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/01/2025, 09:05 UTC

General

  • Target

    JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe

  • Size

    101KB

  • MD5

    6b8eb5b2c8e8be64f013c2b2134697c0

  • SHA1

    c467268901b763a35c1fd4e6ce8bea35c0ba8959

  • SHA256

    73765fa0101a150659997a48930ed005e7b574bea2ee41a7be7dbba425db9548

  • SHA512

    d294a50adadb848dd7fdb0f035b4a971a454008503360f40ffc5e4eefc917a6ab03d6c024a3c6b2ce6a4b1d85fc6ced4daa311317959330f99884af43d2a5cc7

  • SSDEEP

    3072:RCEGz7Yhsky7pDqD7SnHIh2cwVqiII52MWK:RCt7YTyiGnoh2cwVqiII52l

Malware Config

Extracted

  • Family
    pony
  • C2
    http://lyutasyu.info:4915/way/like.php
    http://mashyjri.info:4915/way/like.php

Signatures

  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:4080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\drivers\etc\hosts.sam /Y && at 09:09:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\240636312aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
      2⤵
      • Drops file in Drivers directory
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\at.exe
        at 09:09:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\240636312aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        PID:4512

Network

  • DNS query: 217.106.137.52.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • DNS query: lyutasyu.info (IN A), process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, remote address 8.8.8.8:53, no response recorded
  • DNS query: 172.210.232.199.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • DNS query: 95.221.229.192.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • DNS query: 20.160.190.20.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • DNS query: lyutasyu.info (IN A), process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, remote address 8.8.8.8:53, no response recorded
  • DNS query: lyutasyu.info (IN A), process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, remote address 8.8.8.8:53, no response recorded
  • DNS query: 28.118.140.52.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • DNS query: lyutasyu.info (IN A), process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, remote address 8.8.8.8:53, no response recorded
  • DNS query: lyutasyu.info (IN A), process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, remote address 8.8.8.8:53, no response recorded
  • DNS query: mashyjri.info (IN A), process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, remote address 8.8.8.8:53, no response recorded
  • DNS query: mashyjri.info (IN A), process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, remote address 8.8.8.8:53, no response recorded
  • DNS query: mashyjri.info (IN A), process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, remote address 8.8.8.8:53, no response recorded
  • DNS query: 53.210.109.20.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • DNS query: 206.23.85.13.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • DNS query: 134.130.81.91.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • DNS query: 30.243.111.52.in-addr.arpa (IN PTR), remote address 8.8.8.8:53, no response recorded
  • 20.42.65.94:443 (no further details recorded)
  • 8.8.8.8:53, 217.106.137.52.in-addr.arpa, dns, 73 B / 147 B, 1 / 1 packets; DNS request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53, lyutasyu.info, dns, process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, 59 B / 138 B, 1 / 1 packets; DNS request: lyutasyu.info
  • 8.8.8.8:53, 172.210.232.199.in-addr.arpa, dns, 74 B / 128 B, 1 / 1 packets; DNS request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53, 20.160.190.20.in-addr.arpa, dns, 72 B / 158 B, 1 / 1 packets; DNS request: 20.160.190.20.in-addr.arpa
  • 8.8.8.8:53, 95.221.229.192.in-addr.arpa, dns, 73 B / 144 B, 1 / 1 packets; DNS request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53, lyutasyu.info, dns, process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, 118 B / 276 B, 2 / 2 packets; DNS requests: lyutasyu.info, lyutasyu.info
  • 8.8.8.8:53, 28.118.140.52.in-addr.arpa, dns, 72 B / 158 B, 1 / 1 packets; DNS request: 28.118.140.52.in-addr.arpa
  • 8.8.8.8:53, lyutasyu.info, dns, process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, 118 B / 276 B, 2 / 2 packets; DNS requests: lyutasyu.info, lyutasyu.info
  • 8.8.8.8:53, mashyjri.info, dns, process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, 59 B / 138 B, 1 / 1 packets; DNS request: mashyjri.info
  • 8.8.8.8:53, mashyjri.info, dns, process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, 59 B / 138 B, 1 / 1 packets; DNS request: mashyjri.info
  • 8.8.8.8:53, mashyjri.info, dns, process JaffaCakes118_6b8eb5b2c8e8be64f013c2b2134697c0.exe, 59 B / 138 B, 1 / 1 packets; DNS request: mashyjri.info
  • 8.8.8.8:53, 53.210.109.20.in-addr.arpa, dns, 72 B / 158 B, 1 / 1 packets; DNS request: 53.210.109.20.in-addr.arpa
  • 8.8.8.8:53, 206.23.85.13.in-addr.arpa, dns, 71 B / 145 B, 1 / 1 packets; DNS request: 206.23.85.13.in-addr.arpa
  • 8.8.8.8:53, 134.130.81.91.in-addr.arpa, dns, 72 B / 147 B, 1 / 1 packets; DNS request: 134.130.81.91.in-addr.arpa
  • 8.8.8.8:53, 30.243.111.52.in-addr.arpa, dns, 72 B / 158 B, 1 / 1 packets; DNS request: 30.243.111.52.in-addr.arpa
  • 8.8.8.8:53 (no further details recorded)

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4080-0-0x000000000040C000-0x0000000000411000-memory.dmp (Filesize 20KB)
  • memory/4080-1-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/4080-2-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/4080-3-0x000000000040C000-0x0000000000411000-memory.dmp (Filesize 20KB)
  • memory/4080-4-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/4080-9-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
