Resubmissions

12/01/2025, 08:37 UTC

250112-kjmbbavmaw 10

12/01/2025, 08:20 UTC

250112-j8r3estrcw 10

Analysis

  • max time kernel
    440s
  • max time network
    442s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/01/2025, 08:37 UTC

General

  • Target

    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe

  • Size

    250KB

  • MD5

    09ee5e13bdabe339ab7428dd4904b7e1

  • SHA1

    a6f736828409507bad2aff487b2912da54378976

  • SHA256

    172f03d91fdceb5bb725b3647e71b23956dd2e0e9cf8e502f0a649083eace0d3

  • SHA512

    b4bc30725c3a8bfd7b0cbec4f39a46b036a190584d646dba0684ba1e12cebe354ab0d4a3a4dbaec4ebd1f86a2f3cb1be9f16b297f726eaf3d350828f3c067dfa

  • SSDEEP

    6144:yIv9+Hi2IjYMo1CGBIv9+Hi2IjYMo1CGJX:yIvQC287o1CiIvQC287o1CI

Malware Config

Extracted

Family

pony

C2

http://rabbitharky.com/forum/viewtopic.php

http://roboxanger.com/forum/viewtopic.php

Attributes
  • payload_url

    http://atualizacoes.issqn.net/6PrbAL.exe

    http://vasesetflacons.fr/TpEM.exe

Signatures

  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe cmd /c %TERMINATE% "KILL"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:2332
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:908

Network

  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    22.89.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.89.16.2.in-addr.arpa
    IN PTR
    Response
    22.89.16.2.in-addr.arpa
    IN PTR
    a2-16-89-22.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    114.218.122.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.218.122.92.in-addr.arpa
    IN PTR
    Response
    114.218.122.92.in-addr.arpa
    IN PTR
    a92-122-218-114.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    rabbitharky.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    rabbitharky.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    45.89.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    45.89.16.2.in-addr.arpa
    IN PTR
    Response
    45.89.16.2.in-addr.arpa
    IN PTR
    a2-16-89-45.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    roboxanger.com
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    roboxanger.com
    IN A
    Response
  • flag-us
    DNS
    atualizacoes.issqn.net
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    atualizacoes.issqn.net
    IN A
    Response
  • flag-us
    DNS
    vasesetflacons.fr
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    vasesetflacons.fr
    IN A
    Response
  • flag-us
    DNS
    vasesetflacons.fr
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    Remote address:
    8.8.8.8:53
    Request
    vasesetflacons.fr
    IN A
    Response
  • flag-us
    DNS
    24.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.73.42.20.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    22.89.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    22.89.16.2.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    114.218.122.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    114.218.122.92.in-addr.arpa

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    rabbitharky.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    61 B
    134 B
    1
    1

    DNS Request

    rabbitharky.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    45.89.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    45.89.16.2.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    roboxanger.com
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    60 B
    133 B
    1
    1

    DNS Request

    roboxanger.com

  • 8.8.8.8:53
    atualizacoes.issqn.net
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    68 B
    130 B
    1
    1

    DNS Request

    atualizacoes.issqn.net

  • 8.8.8.8:53
    vasesetflacons.fr
    dns
    JaffaCakes118_09ee5e13bdabe339ab7428dd4904b7e1.exe
    126 B
    242 B
    2
    2

    DNS Request

    vasesetflacons.fr

    DNS Request

    vasesetflacons.fr

  • 8.8.8.8:53
    24.73.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    24.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\abcd.bat

    Filesize

    75B

    MD5

    0849cfe65b98ba5fcd9a9ec61a671d09

    SHA1

    9d0ccb383c32b1bc07fd9064b9324a18e1276902

    SHA256

    44f6a1e48081deccfb61075e585bcb36c6d8e8feeb6ebae50bab41677822c643

    SHA512

    afdeda8122b4cefcf7549018c40d3142985e88a6d8f13eb58e9a59aa312b73608123de5f9feebc2ce25b6ec215d23c324b9f3a9a0e97041d67d863a25e15e57a

  • memory/2332-0-0x00000000021B0000-0x00000000021C9000-memory.dmp

    Filesize

    100KB

  • memory/2332-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2332-2-0x00000000021B0000-0x00000000021C9000-memory.dmp

    Filesize

    100KB

  • memory/2332-4-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2332-17-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB
