General
- Target: JaffaCakes118_4489609a68d6f097d52080850253d806
- Size: 113KB
- Sample: 250127-25ea9symgw
- MD5: 4489609a68d6f097d52080850253d806
- SHA1: c7dbbe7a8a01d0467b062fe66f6d5ca4597c288b
- SHA256: 20f04818b6e649602c754b27bf62169a8548ba41dfaa3204f5d9d04e0e709a54
- SHA512: 48fa967de18034bbb2d455612cd46045b847e56ca5f49e5eb1f7bf31101129376555774054312903899f3b4ec566d1efdd2d5040ec323dbccca5485007851864
- SSDEEP: 3072:kTY7VKne5pGXIvDbKfn4YO6P6morL3Atm3TJ7:sgVH5NbbKfTHtm3TJ7
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_4489609a68d6f097d52080850253d806.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_4489609a68d6f097d52080850253d806.exe
- Resource: win10v2004-20241007-en
Malware Config
Extracted: pony
- http://sam-latrilogie.com:8080/pony/gate.php
- http://loceanic.fr:8080/pony/gate.php
- payload_url:
  http://propasmanagement.com/qTNc.exe
  http://toffanoseventos.com.br/EFcT.exe
  http://www.graficasalli.com.br/AqnAaH.exe
Targets
- Target: JaffaCakes118_4489609a68d6f097d52080850253d806
- Size, MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above
- Pony family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Unsecured Credentials: Credentials In Files: steals credentials from unsecured files.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext