General
-
Target
JaffaCakes118_0ac496172d8410626eb21c804a95d5c5
-
Size
133KB
-
Sample
250122-f8gd5s1nem
-
MD5
0ac496172d8410626eb21c804a95d5c5
-
SHA1
3cc9432b800fcf480329e1363b1967288a48dd06
-
SHA256
8dd1387da528ceb96532203c828b82cc249388f02edf3d20b406a0e92d0477ec
-
SHA512
d95d4eea4ae81f418f1a47938dc6d679936ca4d22bcb665487504edcc23d297101883735a69a702fdee88516ba72e3524680858bc2badbaaac9c82a7fe610f79
-
SSDEEP
3072:A2GrJqB/Sd2wc/0c3Oomy2LdS9TQFUZPppppZppppppppppQppppppppZppppppT:ca/nX0pompdATQFcPppppZpppppppppk
Malware Config
Extracted
pony
http://q.databorough.com/forum/viewtopic.php
http://q.deirezzor.net/forum/viewtopic.php
-
payload_url
http://emotioncaribbean.com.do/P433n.exe
http://imecetemizlik.com/KZyKEM.exe
Targets
-
-
Target
JaffaCakes118_0ac496172d8410626eb21c804a95d5c5
-
Size
133KB
-
MD5
0ac496172d8410626eb21c804a95d5c5
-
SHA1
3cc9432b800fcf480329e1363b1967288a48dd06
-
SHA256
8dd1387da528ceb96532203c828b82cc249388f02edf3d20b406a0e92d0477ec
-
SHA512
d95d4eea4ae81f418f1a47938dc6d679936ca4d22bcb665487504edcc23d297101883735a69a702fdee88516ba72e3524680858bc2badbaaac9c82a7fe610f79
-
SSDEEP
3072:A2GrJqB/Sd2wc/0c3Oomy2LdS9TQFUZPppppZppppppppppQppppppppZppppppT:ca/nX0pompdATQFcPppppZpppppppppk
Score10/10-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-