analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Specification.zip

Full analysis: https://app.any.run/tasks/f76a2f79-e9fe-4642-afb5-d6a5bd73d080
Verdict: Malicious activity
Threats:

Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 16:56:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
pony
fareit
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

60F3ADC8359BDAD9884DE245058768CE

SHA1:

4346DDBCEFA0FA58F1EB12EEE73D3B9F488D99A1

SHA256:

823A79FD21226D996B4C1090D94616ACC9040C8086856C0C6DADCAFA8EAE5820

SSDEEP:

1536:FowJXaCeqTmZwbMlE/+pNHc7Y2MO2Gn/jGdEm+C45kmgWBpQD6QS2co0BbqVOk+z:FZXaCehwkEGpNH5a/jgEm0YWjQOQIo0f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Specification.exe (PID: 3968)
      • Specification.exe (PID: 2328)
      • AeLookupSvi.exe (PID: 2812)
      • takshost.exe (PID: 952)
      • ProfSvc.exe (PID: 1896)
      • ProfSvc.exe (PID: 3984)
      • takshost.exe (PID: 292)
      • AeLookupSvi.exe (PID: 4024)
      • AeLookupSvi.exe (PID: 3964)

    • Detected Pony/Fareit Trojan

      • Specification.exe (PID: 3968)

    • Changes the autorun value in the registry

      • AeLookupSvi.exe (PID: 2812)
      • AeLookupSvi.exe (PID: 3964)
      • AeLookupSvi.exe (PID: 4024)

    • Actions looks like stealing of personal data

      • ProfSvc.exe (PID: 3984)
      • Specification.exe (PID: 3968)
      • takshost.exe (PID: 292)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2508)
      • Specification.exe (PID: 2328)
      • ProfSvc.exe (PID: 1896)
      • takshost.exe (PID: 952)

    • Creates files in the user directory

      • Specification.exe (PID: 2328)

    • Application launched itself

      • Specification.exe (PID: 2328)
      • ProfSvc.exe (PID: 1896)
      • takshost.exe (PID: 952)

    • Reads Internet Cache Settings

      • Specification.exe (PID: 3968)
      • ProfSvc.exe (PID: 3984)
      • takshost.exe (PID: 292)

    • Starts itself from another location

      • Specification.exe (PID: 2328)

    • Starts CMD.EXE for commands execution

      • Specification.exe (PID: 3968)
      • takshost.exe (PID: 292)
      • ProfSvc.exe (PID: 3984)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Specification.exe
ZipUncompressedSize: 209920
ZipCompressedSize: 95159
ZipCRC: 0xf2b33c2b
ZipModifyDate: 2014:12:15 07:34:25
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
13
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start winrar.exe specification.exe #PONY specification.exe aelookupsvi.exe profsvc.exe takshost.exe cmd.exe no specs profsvc.exe takshost.exe aelookupsvi.exe aelookupsvi.exe cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2508"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Specification.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2328"C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.19866\Specification.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.19866\Specification.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft® User Profile Service
Exit code:
0
Version:
11.42
3968"C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.19866\Specification.exe"C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.19866\Specification.exe
Specification.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft® User Profile Service
Exit code:
0
Version:
11.42
2812"C:\Users\admin\AppData\Roaming\Microsoft\AeLookupSvi.exe" C:\Users\admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
Specification.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Application Experience
Exit code:
0
Version:
0.0.0.0
1896"C:\Users\admin\AppData\Roaming\Microsoft\ProfSvc.exe" C:\Users\admin\AppData\Roaming\Microsoft\ProfSvc.exe
AeLookupSvi.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft® User Profile Service
Version:
11.42
952"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
Specification.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft® User Profile Service
Version:
11.42
3872cmd /c ""C:\Users\admin\AppData\Local\Temp\3816062.bat" "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.19866\Specification.exe" "C:\Windows\system32\cmd.exeSpecification.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3984"C:\Users\admin\AppData\Roaming\Microsoft\ProfSvc.exe"C:\Users\admin\AppData\Roaming\Microsoft\ProfSvc.exe
ProfSvc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft® User Profile Service
Exit code:
0
Version:
11.42
292"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
takshost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft® User Profile Service
Exit code:
0
Version:
11.42
3964"C:\Users\admin\AppData\Roaming\Microsoft\AeLookupSvi.exe" C:\Users\admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
ProfSvc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Application Experience
Version:
0.0.0.0
Total events
3 016
Read events
2 969
Write events
47
Delete events
0

Modification events

(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2508) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Specification.zip
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
6
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2328Specification.exeC:\Users\admin\AppData\Roaming\Microsoft\AeLookupSvi.exeexecutable
MD5:98614D4CCF67E962D12561A4C6A2CDCF
SHA256:B70B88028871B2E59CC49FD6192022ACFCDAF6C7B4C8AB5CA144C1F0D0035B35
952takshost.exeC:\Users\admin\AppData\Roaming\Microsoft\AeLookupSvi.exeexecutable
MD5:98614D4CCF67E962D12561A4C6A2CDCF
SHA256:B70B88028871B2E59CC49FD6192022ACFCDAF6C7B4C8AB5CA144C1F0D0035B35
2328Specification.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exeexecutable
MD5:9DF9307557E6A5E859A74CD58CE46606
SHA256:40F89B0481E0CE1CE40B06767705647FAF79446CC4DEED7AA7B57659811C70B0
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.19866\Specification.exeexecutable
MD5:9DF9307557E6A5E859A74CD58CE46606
SHA256:40F89B0481E0CE1CE40B06767705647FAF79446CC4DEED7AA7B57659811C70B0
1896ProfSvc.exeC:\Users\admin\AppData\Roaming\Microsoft\AeLookupSvi.exeexecutable
MD5:98614D4CCF67E962D12561A4C6A2CDCF
SHA256:B70B88028871B2E59CC49FD6192022ACFCDAF6C7B4C8AB5CA144C1F0D0035B35
2328Specification.exeC:\Users\admin\AppData\Roaming\Microsoft\ProfSvc.exeexecutable
MD5:9DF9307557E6A5E859A74CD58CE46606
SHA256:40F89B0481E0CE1CE40B06767705647FAF79446CC4DEED7AA7B57659811C70B0
3968Specification.exeC:\Users\admin\AppData\Local\Temp\3816062.battext
MD5:3880EEB1C736D853EB13B44898B718AB
SHA256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
3984ProfSvc.exeC:\Users\admin\AppData\Local\Temp\3830296.battext
MD5:3880EEB1C736D853EB13B44898B718AB
SHA256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
292takshost.exeC:\Users\admin\AppData\Local\Temp\3830703.battext
MD5:3880EEB1C736D853EB13B44898B718AB
SHA256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
silverspoontech.co.in
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Specification.zip