Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    JaffaCakes118_bfd8596161f9d0982f873f5d7aa76821

  • Size

    161KB

  • Sample

    250119-g69tcayqhk

  • MD5

    bfd8596161f9d0982f873f5d7aa76821

  • SHA1

    981b0409afe663ad1a2bc1725ac00107235feef9

  • SHA256

    bc78c71d007466adde44f61436a5ee222496670c687380de901cb6385a5d6979

  • SHA512

    1f3d5dc89f5bff92efbcba50cb90ece3697ccfba2ed5cb2c01b6f3172bed0c163745eba7e6d0ae7769917785016813f638440be1030d7f6fd27a4fb4856031e0

  • SSDEEP

    3072:7VNtd/bF9sl6xAUsmrT8b8ESUp8yLMBTJS0iy20g:7VNtdZyl6+XmGS5Vrzg

Malware Config

Extracted

Family

pony

C2

http://tunningdisel.net/forum/viewtopic.php

http://turbodiselvrx.net/forum/viewtopic.php

Attributes
  • payload_url

    http://3073.a.hostable.me/Z2U.exe

    http://85.18.21.252/PNV3Hbi.exe

Targets

    • Target

      JaffaCakes118_bfd8596161f9d0982f873f5d7aa76821

    • Size

      161KB

    • MD5

      bfd8596161f9d0982f873f5d7aa76821

    • SHA1

      981b0409afe663ad1a2bc1725ac00107235feef9

    • SHA256

      bc78c71d007466adde44f61436a5ee222496670c687380de901cb6385a5d6979

    • SHA512

      1f3d5dc89f5bff92efbcba50cb90ece3697ccfba2ed5cb2c01b6f3172bed0c163745eba7e6d0ae7769917785016813f638440be1030d7f6fd27a4fb4856031e0

    • SSDEEP

      3072:7VNtd/bF9sl6xAUsmrT8b8ESUp8yLMBTJS0iy20g:7VNtdZyl6+XmGS5Vrzg

    • Pony family

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks