File name: | SCAN_8986621.ace |
Full analysis: | https://app.any.run/tasks/ee1c5c67-a394-4af9-ad65-c97563b06533 |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | January 11, 2019, 09:08:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
MD5: | F7D6EA73F2427181903F2B690513539E |
SHA1: | 00C64609A37D7EEDFFCA71FC44615D51765EB982 |
SHA256: | 41314D8E9BE87AA3A658EF580E8EAB9FBF3C675E00AFA3EE0C20A099CB95DFA0 |
SSDEEP: | 6144:n7DlG8l41NEniB7EeTkge+xHKUJpvIkXK45IX8PtSl7Wm3EVH2F3olzKERT7d+XX:nfQzN3B7EFGKEIu57PtSJEVHg3gT7oH |
.ace | | | ACE compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SCAN_8986621.ace" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2448 | "C:\Users\admin\Desktop\SCAN 8986621.scr" /S | C:\Users\admin\Desktop\SCAN 8986621.scr | explorer.exe | |
User: admin Company: yearnfulness Integrity Level: MEDIUM Description: remonstrance Exit code: 0 Version: 8.07.0004 | ||||
3828 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs" | C:\Windows\System32\WScript.exe | SCAN 8986621.scr | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
4008 | "C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr" /S | C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr | — | SCAN 8986621.scr |
User: admin Company: yearnfulness Integrity Level: MEDIUM Description: remonstrance Exit code: 0 Version: 8.07.0004 | ||||
3496 | C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr" /S | C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr | filename.scr | |
User: admin Company: yearnfulness Integrity Level: MEDIUM Description: remonstrance Exit code: 0 Version: 8.07.0004 | ||||
3932 | cmd /c ""C:\Users\admin\AppData\Local\Temp\2487531.bat" "C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr" " | C:\Windows\system32\cmd.exe | — | filename.scr |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3044 | "C:\Program Files\CCleaner\CCleaner.exe" | C:\Program Files\CCleaner\CCleaner.exe | — | explorer.exe |
User: admin Company: Piriform Ltd Integrity Level: MEDIUM Description: CCleaner Exit code: 0 Version: 5, 35, 0, 6210 | ||||
1412 | "C:\Program Files\CCleaner\CCleaner.exe" /uac | C:\Program Files\CCleaner\CCleaner.exe | taskeng.exe | |
User: admin Company: Piriform Ltd Integrity Level: HIGH Description: CCleaner Exit code: 0 Version: 5, 35, 0, 6210 | ||||
2988 | "C:\Program Files\CCleaner\CCleaner.exe" /monitor | C:\Program Files\CCleaner\CCleaner.exe | CCleaner.exe | |
User: admin Company: Piriform Ltd Integrity Level: HIGH Description: CCleaner Version: 5, 35, 0, 6210 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1412 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
1412 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite-shm | — | |
MD5:— | SHA256:— | |||
1412 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y6XW0PXX9U0EBE0FRIUV.temp | — | |
MD5:— | SHA256:— | |||
1412 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3JY64Q4KFU8P0I658V4X.temp | — | |
MD5:— | SHA256:— | |||
1412 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GR5UIGKYX5ULRWMXAGHY.temp | — | |
MD5:— | SHA256:— | |||
1412 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms | binary | |
MD5:9C3EB1A379E6C25915E1993178687D13 | SHA256:CEFCDBD5CC642924F4277231A2F33A72D0A0D173D75938233D78B91E8C17F69F | |||
1412 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF261d62.TMP | binary | |
MD5:9C3EB1A379E6C25915E1993178687D13 | SHA256:CEFCDBD5CC642924F4277231A2F33A72D0A0D173D75938233D78B91E8C17F69F | |||
4008 | filename.scr | C:\Users\admin\AppData\Local\Temp\~DF411A57D83218BD7C.TMP | binary | |
MD5:6C2E7C7B144698B5FAFFC2EE26B0D2BA | SHA256:AE9DD023606E65069FED4C17312D53CCDD73AE6AF5A413067A2075E5FCD3CAD6 | |||
1412 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF2607a8.TMP | binary | |
MD5:9C3EB1A379E6C25915E1993178687D13 | SHA256:CEFCDBD5CC642924F4277231A2F33A72D0A0D173D75938233D78B91E8C17F69F | |||
2448 | SCAN 8986621.scr | C:\Users\admin\AppData\Local\Temp\~DF906C577B358C9D41.TMP | binary | |
MD5:6C2E7C7B144698B5FAFFC2EE26B0D2BA | SHA256:AE9DD023606E65069FED4C17312D53CCDD73AE6AF5A413067A2075E5FCD3CAD6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1412 | CCleaner.exe | GET | 301 | 151.101.0.64:80 | http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gu=00000000-0000-4000-8000-d6f7f2be5127 | US | — | — | whitelisted |
3496 | filename.scr | GET | 404 | 142.44.241.84:80 | http://software-updater.uk/austin/pony/shit.exe | CA | html | 337 b | malicious |
3496 | filename.scr | POST | 200 | 142.44.241.84:80 | http://software-updater.uk/austin/pony/gate.php | CA | binary | 20 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3496 | filename.scr | 142.44.241.84:80 | software-updater.uk | OVH SAS | CA | malicious |
1412 | CCleaner.exe | 151.101.0.64:443 | www.piriform.com | Fastly | US | whitelisted |
1412 | CCleaner.exe | 151.101.0.64:80 | www.piriform.com | Fastly | US | whitelisted |
1412 | CCleaner.exe | 151.101.2.202:443 | www.ccleaner.com | Fastly | US | suspicious |
Domain | IP | Reputation |
---|---|---|
software-updater.uk |
| malicious |
www.piriform.com |
| whitelisted |
www.ccleaner.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3496 | filename.scr | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
3496 | filename.scr | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
3496 | filename.scr | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. |
3496 | filename.scr | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
3496 | filename.scr | A Network Trojan was detected | MALWARE [PTsecurity] Pony encrypted POST Data Request |
3496 | filename.scr | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
3496 | filename.scr | Potentially Bad Traffic | ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) |
3496 | filename.scr | A Network Trojan was detected | MALWARE [PTsecurity] Pony encrypted C2 Response |
3496 | filename.scr | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse |
3496 | filename.scr | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 3 |