Malware Analysis Report

2025-08-11 04:37

Sample ID 250119-n7x99sxkbm
Target JaffaCakes118_c731dcecf223e70b090a382243fb1673
SHA256 2893414729b99df78bfbed0b2f77cce9a24188034dc1ba13b509521fb8300d77
Tags
pony credential_access discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2893414729b99df78bfbed0b2f77cce9a24188034dc1ba13b509521fb8300d77

Threat Level: Known bad

The file JaffaCakes118_c731dcecf223e70b090a382243fb1673 was found to be: Known bad.

Malicious Activity Summary

pony credential_access discovery rat spyware stealer

Pony family

Pony,Fareit

Deletes itself

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Checks computer location settings

Reads data files stored by FTP clients

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 12:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 12:02

Reported

2025-01-19 12:05

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe"

Signatures

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 curcamel.com udp
US 8.8.8.8:53 curcandy.com udp
US 8.8.8.8:53 curcharge.com udp
US 34.205.242.146:80 curcharge.com tcp
US 8.8.8.8:53 sadropped.com udp
US 8.8.8.8:53 extrarot.eu udp
US 8.8.8.8:53 www.o365.gr udp
DE 167.235.94.172:80 www.o365.gr tcp
US 8.8.8.8:53 www.top59serv.ro udp
RO 45.153.88.156:80 www.top59serv.ro tcp
RO 45.153.88.156:443 www.top59serv.ro tcp
US 8.8.8.8:53 minus18degrees.com udp

Files

memory/1728-1-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1728-0-0x0000000001D20000-0x0000000001E20000-memory.dmp

memory/1728-2-0x0000000001D20000-0x0000000001E20000-memory.dmp

memory/1728-3-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1728-4-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ytk.bat

MD5 e6b031b9b7d40fa332ebc6f38b2f9f64
SHA1 d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f
SHA256 66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b
SHA512 7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 12:02

Reported

2025-01-19 12:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe"

Signatures

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 curcamel.com udp
US 8.8.8.8:53 curcandy.com udp
US 8.8.8.8:53 curcharge.com udp
US 3.18.7.81:80 curcharge.com tcp
US 8.8.8.8:53 sadropped.com udp
US 8.8.8.8:53 extrarot.eu udp
US 8.8.8.8:53 www.o365.gr udp
DE 167.235.94.172:80 www.o365.gr tcp
US 8.8.8.8:53 www.top59serv.ro udp
RO 45.153.88.156:80 www.top59serv.ro tcp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 81.7.18.3.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.94.235.167.in-addr.arpa udp
US 8.8.8.8:53 156.88.153.45.in-addr.arpa udp
RO 45.153.88.156:443 www.top59serv.ro tcp
US 8.8.8.8:53 minus18degrees.com udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/968-0-0x00000000021E0000-0x00000000022E0000-memory.dmp

memory/968-1-0x0000000000400000-0x0000000000415000-memory.dmp

memory/968-6-0x0000000000400000-0x0000000000415000-memory.dmp

memory/968-5-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ytk.bat

MD5 e6b031b9b7d40fa332ebc6f38b2f9f64
SHA1 d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f
SHA256 66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b
SHA512 7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948