General

  • Target

    JaffaCakes118_3ad2a621a6800c5d51e18b284f75f4ed

  • Size

    112KB

  • Sample

    250127-bw1vssvlep

  • MD5

    3ad2a621a6800c5d51e18b284f75f4ed

  • SHA1

    3f03f8da55703d4ccfd626584564946c9f4e0406

  • SHA256

    233843e1de254fd67aae7ef1030b8ed1da4634f277b65fed229d138d113c4063

  • SHA512

    2698c32bcc68d3826bd168af0b6fa14a19d0048c59945777203496a6ac9b387747056958f86112506c504655508624d34c1e651d31924217cc3133d865e78911

  • SSDEEP

    1536:2IDKGDSzKLlROIcc3WmvnTV7rJpBVgvgxZTqMWDttp7L65CLJ:XDKGDSzKLlROHc5vTV7rrHBZFWv3J

Malware Config

Extracted

Family

pony

C2

http://jaymad.net/stats/spqr.php

http://smoked1337.co.uk/stats/spqr.php

http://smokedoutuk.co.uk/stats/spqr.php

Attributes
  • payload_url

    http://threekidswithpower.net/asp/uploads/srcll.exe

    http://threekidswithpower.net/asp/uploads/taskhost.exe

    http://threekidswithpower.net/asp/uploads/trskes.exe
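The three C2 gates and three payload URLs above are the report's extracted network indicators. What follows is an added example, not part of the sandbox report or of any Pony tooling, that matches those indicators against web-proxy log lines. The log layout (timestamp, client, method, URL, status), the five sample lines and the verdict labels are all constructed for the demo.

```python
"""Match the Pony C2 and payload URLs extracted above against proxy log lines.

Added example, not part of the sandbox report or the Pony family tooling.
The log layout (timestamp client method url status) and the lines in
SAMPLE_LOG are constructed for this demo.
"""
from urllib.parse import urlsplit

# IOCs copied verbatim from the "Malware Config" section of this report.
C2_URLS = {
    "http://jaymad.net/stats/spqr.php",
    "http://smoked1337.co.uk/stats/spqr.php",
    "http://smokedoutuk.co.uk/stats/spqr.php",
}
PAYLOAD_URLS = {
    "http://threekidswithpower.net/asp/uploads/srcll.exe",
    "http://threekidswithpower.net/asp/uploads/taskhost.exe",
    "http://threekidswithpower.net/asp/uploads/trskes.exe",
}


def normalize(url):
    """Reduce a URL to a (host, path) key: scheme and port dropped, host lowercased."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), parts.path or "/"


C2_KEYS = {normalize(u) for u in C2_URLS}
PAYLOAD_KEYS = {normalize(u) for u in PAYLOAD_URLS}
IOC_HOSTS = {host for host, _ in C2_KEYS | PAYLOAD_KEYS}


def classify(method, url):
    """Return a verdict label for one request, or None if it matches no IOC.

    Pony reports stolen credentials to its gate with an HTTP POST, so a POST
    to a C2 URL is labelled as a check-in; any other method to the same URL
    is still contact with the gate. Requests to an IOC host on a different
    path are reported separately so the exact-URL matches stay high-fidelity.
    """
    key = normalize(url)
    if key in C2_KEYS:
        return "c2-checkin" if method.upper() == "POST" else "c2-contact"
    if key in PAYLOAD_KEYS:
        return "payload-download"
    if key[0] in IOC_HOSTS:
        return "ioc-host"
    return None


def scan(lines):
    """Scan whitespace-separated log lines; return (timestamp, client, verdict, url) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:          # malformed or truncated line: skip, do not crash
            continue
        ts, client, method, url, _status = fields[:5]
        verdict = classify(method, url)
        if verdict is not None:
            hits.append((ts, client, verdict, url))
    return hits


# Constructed sample log: a gate check-in, a payload fetch with an upper-cased
# host, a bare visit to a C2 host, a non-IOC host that happens to share the
# gate path, and a C2 URL on a non-default port.
SAMPLE_LOG = [
    "2025-01-27T10:01:03Z 10.0.0.15 POST http://jaymad.net/stats/spqr.php 200",
    "2025-01-27T10:01:04Z 10.0.0.15 GET http://THREEKIDSWITHPOWER.NET/asp/uploads/taskhost.exe 200",
    "2025-01-27T10:02:10Z 10.0.0.22 GET http://smokedoutuk.co.uk/ 200",
    "2025-01-27T10:03:00Z 10.0.0.30 GET http://example.com/stats/spqr.php 404",
    "2025-01-27T10:04:00Z 10.0.0.15 GET http://smoked1337.co.uk:8080/stats/spqr.php 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Matching on (host, path) rather than the raw string is deliberate: it catches case differences, a different scheme and a non-default port without widening the match to other hosts that merely reuse the /stats/spqr.php path, which on its own is not a reliable Pony indicator.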

Targets

    • Pony family

    • Pony,Fareit

      Pony (also tracked as Fareit) is a credential stealer and loader rather than a remote-access trojan: it harvests saved logins from browsers, FTP clients, e-mail clients and other applications, posts them to its C2 gate over HTTP, and can fetch and run further executables such as the payload URLs listed above.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access the configuration files of programs like FileZilla (sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla), which historically store server passwords in plaintext or base64.

    • Reads user/profile data of web browsers

      Infostealers routinely read stored browser profile data, which can include saved logins, cookies and autofill entries.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unprotected configuration and data files on disk (MITRE ATT&CK T1552.001).

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

      Persistence through a value under Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM), so the executable is relaunched at logon (ATT&CK T1547.001).

    • Checks installed software on the system

      Looks up the Uninstall key entries in the registry (Software\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate the software installed on the system (ATT&CK T1518).

    • Suspicious use of SetThreadContext

      Typical of process hollowing: the main thread of a suspended child process is repointed at injected code before it is resumed (ATT&CK T1055.012).

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer. Stock UPX is reversible with upx -d; a modified build usually has to be dumped from memory after its stub has unpacked the original image.
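For the UPX signature above, the quickest static check is to read the PE section table: stock UPX names its sections UPX0/UPX1 (and UPX2 when resources are kept) and leaves a UPX! marker string in the file. The following is an added example, not the sandbox's detector; build_pe() fabricates just enough of a PE32 image (DOS stub, PE signature, COFF header, zeroed optional header, section table) for the parser to walk, so the input is constructed and not a loadable executable.

```python
"""Section-name heuristic for UPX packing, run on a constructed minimal PE.

Added example, not the sandbox's own signature logic. build_pe() is a demo
helper that fabricates a PE32 skeleton; it does not produce a runnable binary.
"""
import struct

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
COFF_SIZE = struct.calcsize(COFF_FMT)   # 20 bytes
SECTION_HEADER_SIZE = 40                # sizeof(IMAGE_SECTION_HEADER)


def build_pe(section_names):
    """Constructed PE32 skeleton with the given section names (demo input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                    # IMAGE_OPTIONAL_HEADER32
    coff = struct.pack(COFF_FMT, 0x014C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    optional = b"\x0B\x01" + b"\x00" * (size_opt - 2)  # Magic 0x10B, rest zeroed
    table = b"".join(
        name.encode("ascii").ljust(8, b"\x00") + b"\x00" * (SECTION_HEADER_SIZE - 8)
        for name in section_names
    )
    return dos + b"PE\x00\x00" + coff + optional + table


def pe_section_names(data):
    """Walk the section table and return the 8-byte section names as strings."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, size_opt, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    table_off = coff_off + COFF_SIZE + size_opt
    names = []
    for i in range(nsections):
        off = table_off + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if any section is named UPX* or the 'UPX!' marker string is present.

    Modified UPX builds often rename the sections and strip the marker, so a
    negative result does not rule packing out; section entropy and a near-empty
    import table are the next things to check.
    """
    names = pe_section_names(data)
    return any(n.upper().startswith("UPX") for n in names) or b"UPX!" in data


if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"])
    clean = build_pe([".text", ".rdata", ".data"])
    print("packed:", pe_section_names(packed), looks_upx_packed(packed))
    print("clean :", pe_section_names(clean), looks_upx_packed(clean))
```

Run the same two functions over the real sample bytes (open(path, "rb").read()) to reproduce the signature; the builder exists only so the example runs offline.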

MITRE ATT&CK Enterprise v15
