win.pony

Pony

aka: Siplog, Fareit

No description has been added for this family yet; see the references and the YARA rule below.

References
2019-07-30 ⋅ int 0xcc blog ⋅ Raashid Bhat
@online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection
Pony
2017-06 ⋅ McAfee ⋅ McAfee
@techreport{mcafee:201706:mcafee:9fb6783, author = {McAfee}, title = {{McAfee Labs Threats Report}}, date = {2017-06}, institution = {McAfee}, url = {https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf}, language = {English}, urldate = {2020-01-06} } McAfee Labs Threats Report
Pony
2016-08 ⋅ Uperesia ⋅ Felix Weyne
@online{weyne:201608:analysis:10758de, author = {Felix Weyne}, title = {{Analysis of a packed Pony downloader}}, date = {2016-08}, organization = {Uperesia}, url = {https://www.uperesia.com/analysis-of-a-packed-pony-downloader}, language = {English}, urldate = {2020-01-06} } Analysis of a packed Pony downloader
Pony
2015-02-25 ⋅ Github (nyx0) ⋅ nyx0
@online{nyx0:20150225:pony:17f5bd3, author = {nyx0}, title = {{Pony Sourcecode}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/Pony}, language = {English}, urldate = {2020-01-09} } Pony Sourcecode
Pony
Yara Rules
[TLP:WHITE] win_pony_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_pony_auto {
    /*
     * Code-level signature for the Pony family (the page lists Siplog and
     * Fareit as aliases). The ten $sequence_N strings are short x86 byte
     * sequences lifted from disassembly; "??" bytes are YARA wildcards that
     * mask position-dependent operands (rel32 call targets after e8,
     * absolute addresses in c705 / 833d / ff35 forms) so the patterns survive
     * relocation between samples.
     *
     * Operational notes (reviewer):
     *  - No MZ/PE header or filesize guard is present, which is consistent
     *    with the disclaimer below: the sequences were taken from memory dumps
     *    and unpacked files. Run this against unpacked samples or process
     *    memory; a packed on-disk sample is unlikely to match.
     *  - Several sequences are generic function prologue/epilogue fragments
     *    (push ebp / mov ebp,esp / sub esp, leave / ret); the 7-of-10
     *    threshold in the condition is what keeps these from firing alone.
     *  - The meta date (2019-11-26) is the rule generation date, while
     *    malpedia_version (20190204) is the corpus snapshot it was built from.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each "n" below is the number of instructions in the sequence; "score"
        // is the generator's selection score for the sequence.

        // Argument push pattern around a masked call; or/and into ebx suggests
        // a result being combined across calls.
        $sequence_0 = { 0bd8 ff75f4 ff7508 e8???????? 23d8 ff75f8 }
            // n = 6, score = 800
            //   0bd8                 | or                  ebx, eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           | call                <rel32 masked>
            //   23d8                 | and                 ebx, eax
            //   ff75f8               | push                dword ptr [ebp - 8]

        // Call result stored to a local, a masked "mov dword ptr [abs], imm32"
        // (c705 + 8 wildcard bytes), then a lea into a 0x109-byte stack buffer.
        $sequence_1 = { e8???????? 8945fc c705???????????????? 8d85f7feffff }
            // n = 4, score = 800
            //   e8????????           | call                <rel32 masked>
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   c705????????????????     | mov dword ptr [<abs masked>], <imm32 masked>
            //   8d85f7feffff         | lea                 eax, [ebp - 0x109]

        // Epilogue of a stdcall function (ret 0x14 => five dword args) followed
        // by the prologue of the next one. Generic; relies on the threshold.
        $sequence_2 = { e8???????? c9 c21400 55 8bec 83c4b0 56 }
            // n = 7, score = 800
            //   e8????????           | call                <rel32 masked>
            //   c9                   | leave               
            //   c21400               | ret                 0x14
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83c4b0               | add                 esp, -0x50
            //   56                   | push                esi

        // Prologue variant using "mov ebp, esp" encoded as 89e5 (not 8bec) and
        // loading the first two args into ebx/esi. Generic; relies on threshold.
        $sequence_3 = { 89e5 83ec10 53 56 8b5d08 8b750c }
            // n = 6, score = 800
            //   89e5                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]

        // NOTE(review): the bit-select (xor/and/xor) and the immediate
        // 0x21e1cde6 look like an inlined MD5 round step; if so this sequence
        // can also appear in unrelated code carrying the same hash
        // implementation. Confirm before weighting it as family-specific.
        $sequence_4 = { 33fb 23fa 33f9 8d8407e6cde121 }
            // n = 4, score = 800
            //   33fb                 | xor                 edi, ebx
            //   23fa                 | and                 edi, edx
            //   33f9                 | xor                 edi, ecx
            //   8d8407e6cde121       | lea                 eax, [edi + eax + 0x21e1cde6]

        // Overlaps the tail of $sequence_3 (same ebx/esi loads) then passes
        // a local's address and ebx to a masked call.
        $sequence_5 = { 8b5d08 8b750c 8d45f8 50 53 e8???????? 8d45f0 }
            // n = 7, score = 800
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           | call                <rel32 masked>
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        // Prologue reserving 0x118 bytes of stack (add esp, -0x118) and
        // zeroing ebx via "sub ebx, ebx" rather than xor.
        $sequence_6 = { 8bec 81c4e8feffff 53 2bdb 8d45fc 50 ff7508 }
            // n = 7, score = 800
            //   8bec                 | mov                 ebp, esp
            //   81c4e8feffff         | add                 esp, 0xfffffee8
            //   53                   | push                ebx
            //   2bdb                 | sub                 ebx, ebx
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        // Large frame (add esp, -0x1020), then a masked "cmp dword ptr [abs], imm8"
        // guarding a masked "push dword ptr [abs]" -- a global-flag check.
        $sequence_7 = { 81c4e0efffff 56 57 833d?????????? 7415 ff35???????? }
            // n = 6, score = 800
            //   81c4e0efffff         | add                 esp, 0xffffefe0
            //   56                   | push                esi
            //   57                   | push                edi
            //   833d??????????       | cmp                 dword ptr [<abs masked>], <imm8 masked>
            //   7415                 | je                  0x17
            //   ff35????????         | push                dword ptr [<abs masked>]

        // NOTE(review): add of a 32-bit constant, add of [esi + 0x38], rol by
        // 17, add -- this has the shape of an MD5 round step (same caveat as
        // $sequence_4: may match any statically linked MD5). Confirm.
        $sequence_8 = { 8d8c0f8e4379a6 034e38 c1c111 03ca 8bfa }
            // n = 5, score = 800
            //   8d8c0f8e4379a6       | lea                 ecx, [edi + ecx - 0x5986bc72]
            //   034e38               | add                 ecx, dword ptr [esi + 0x38]
            //   c1c111               | rol                 ecx, 0x11
            //   03ca                 | add                 ecx, edx
            //   8bfa                 | mov                 edi, edx

        // Two masked calls each taking [ebp+0x10]; the constant 0x18 is pushed
        // between them (meaning not recoverable from the sequence alone).
        $sequence_9 = { e8???????? ff7510 6a18 ff7508 e8???????? ff7510 }
            // n = 6, score = 800
            //   e8????????           | call                <rel32 masked>
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   6a18                 | push                0x18
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           | call                <rel32 masked>
            //   ff7510               | push                dword ptr [ebp + 0x10]

    condition:
        // Any 7 of the 10 sequences must be present. No header/size guard, so
        // scan unpacked code or memory (see disclaimer); the threshold is what
        // offsets the generic prologue/epilogue and hash-routine fragments.
        7 of them
}