Overview

overview

10

Static

static

3

JaffaCakes...21.exe

windows7-x64

10

JaffaCakes...21.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_30524e1ace761f2a5666e7165f664f21

  • Size

    44KB

  • Sample

    250125-2r89gssqhw

  • MD5

    30524e1ace761f2a5666e7165f664f21

  • SHA1

    20f9021c1e7dc473c4e57c420578efc313a474f4

  • SHA256

    a4e446c61b053c273254defe7101056a8627422dd62b123c464424599bb91dd8

  • SHA512

    013f19dc6d8ab8f1f200e8db1b0c556a97e16a024306fa7b213d5b0518084991859853c4bb445074dcafd83ee284cf426867683761f8f5c47576dbccac71293f

  • SSDEEP

    768:mYgPPd1WarignZzCcncubMDLMfuCb4X/e3heDPdJcEJUkzhGly0BTeWuVJVLwA2x:yHd1/ndjnEDLMmCb4m3herEOUkzh8eZK

Score
10/10
ponycredential_accessdiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://web-notification.in/ifr/z.php?ftp=1

http://web-politician.in/ifr/z.php?ftp=1

http://web-technology.in/ifr/z.php?ftp=1

Targets

    • Target

      JaffaCakes118_30524e1ace761f2a5666e7165f664f21

    • Size

      44KB

    • MD5

      30524e1ace761f2a5666e7165f664f21

    • SHA1

      20f9021c1e7dc473c4e57c420578efc313a474f4

    • SHA256

      a4e446c61b053c273254defe7101056a8627422dd62b123c464424599bb91dd8

    • SHA512

      013f19dc6d8ab8f1f200e8db1b0c556a97e16a024306fa7b213d5b0518084991859853c4bb445074dcafd83ee284cf426867683761f8f5c47576dbccac71293f

    • SSDEEP

      768:mYgPPd1WarignZzCcncubMDLMfuCb4X/e3heDPdJcEJUkzhGly0BTeWuVJVLwA2x:yHd1/ndjnEDLMmCb4m3herEOUkzh8eZK

    Score
    10/10
    ponycredential_accessdiscoveryratspywarestealerupx

    • Pony family

      pony

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks