Overview

overview

10

Static

static

1

JaffaCakes...0d.exe

windows7-x64

10

JaffaCakes...0d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_627621c28b1f34c8d9389cd0b8f91d0d

  • Size

    201KB

  • Sample

    250130-n3gfyszpf1

  • MD5

    627621c28b1f34c8d9389cd0b8f91d0d

  • SHA1

    1250855cd6f042b64dcdad11c60b8f0d6ce542b9

  • SHA256

    2c7e2706fbecae1b16aa947be68e5b9b1053cbf57ad8447e57ed922dcc22ee67

  • SHA512

    2a8daf8205a5de94cff2bf639ab541bc53edc1e1fb8d1d704db83ad42f353374ab0edac197d49f50bd71b8435c30e13bd7f976dc2b3576d2a64c2a7d219e2373

  • SSDEEP

    3072:/f5+d4KAdOu6zbahkfyQRF9Tqa1pLXmbq5EWhd+:/x+RxuoUkrH9z5E5

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://rst-dassow.info/logs/r.php

http://chelny-wingchun.ru/logs/r.php
Attributes
  • payload_url

    http://ledcenter.ee/logs/sti.exe

    http://gegenterrorundgewalt.de/logs/sti.exe

    http://ledcenter.ee/logs/pir.exe

    http://gegenterrorundgewalt.de/logs/pir.exe

    http://ledcenter.ee/logs/firsale.exe

    http://gegenterrorundgewalt.de/logs/firsale.exe

Targets

    • Target

      JaffaCakes118_627621c28b1f34c8d9389cd0b8f91d0d

    • Size

      201KB

    • MD5

      627621c28b1f34c8d9389cd0b8f91d0d

    • SHA1

      1250855cd6f042b64dcdad11c60b8f0d6ce542b9

    • SHA256

      2c7e2706fbecae1b16aa947be68e5b9b1053cbf57ad8447e57ed922dcc22ee67

    • SHA512

      2a8daf8205a5de94cff2bf639ab541bc53edc1e1fb8d1d704db83ad42f353374ab0edac197d49f50bd71b8435c30e13bd7f976dc2b3576d2a64c2a7d219e2373

    • SSDEEP

      3072:/f5+d4KAdOu6zbahkfyQRF9Tqa1pLXmbq5EWhd+:/x+RxuoUkrH9z5E5

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony family

      pony

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks