MalwareMustDie

PWS/Pony slurped FTP Data...

Jun 4th, 2013
// MalwareMustDie! @unixfreaxjp ~]$ date
// Tue Jun 4 19:41:12 JST 2013
// List of Pony slurped Credential Data...
// Information from Binary & Forensics Analysis:

Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
Line
wcx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
\Ipswitch
Sites\
\Ipswitch\WS_FTP
\win.ini
.ini
WS_FTP
DIR
DEFDIR
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 9\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
Software\FlashFXP\3
Software\FlashFXP
Software\FlashFXP\4
InstallerDathPath
path
Install Path
DataFolder
\Sites.dat
\Quick.dat
\History.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Host
User
Pass
Port
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
Path
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
FTP Navigator
FTP Commander
ftplist.txt
\BulletProof Software
.dat
.bps
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
LastSessionFile
SitesDir
InstallDir1
.xml
\SmartFTP
Favorites.dat
History.dat
addrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
installpath
Software\Sota\FFFTP
CredentialSalt
CredentialCheck
Software\Sota\FFFTP\Options
Password
UserName
HostAdrs
RemoteDir
Port
HostName
Port
Username
Password
HostDirName
Software\CoffeeCup Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
Host
User
Port
PthR
SSH
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Buttons
Software\FTP Explorer\Profiles
Password
PasswordType
Host
Login
Port
InitialPath
FtpSite.xml
\Frigate3
.ini
\VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
UltraFXP
\sites.xml
\FTPRush
RushSite.xml
Server
Username
Password
FtpPort
Software\Cryer\WebSitePublisher
\BitKinex
bitkinex.ds
Hostname
Username
Password
Port
Software\ExpanDrive\Sessions
\ExpanDrive
\drives.js
"password" : "
Software\ExpanDrive
ExpanDrive_Home
Server
UserName
Password
_Password
Directory
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
SOFTWARE\NCH Software\Fling\Accounts
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
.oxc
.oll
ftplast.osd
\GPSoftware\Directory Opus
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
\CoffeeCup Software
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
SOFTWARE\LeapWare
InstallPath
DataDir
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
\32BitFtp.ini
NDSites.ini
\NetDrive
PassWord
Url
UserName
RootDirectory
Port
Software\South River Technologies\WebDrive\Connections
ServerType
FTP CONTROL
FTPCON
.prf
\Profiles
http://
https://
ftp://
opera
wand.dat
_Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
wiseftpsrvs.ini
wiseftp.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
profiles.ini
Profile
IsRelative
Path
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
http://
https://
ftp.
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
AppDir
LocalDir
bookmark.dat
SiteInfo.QFP
Odin
Favorites.dat
WinFTP
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI:
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Microsoft_WinInet_*
ftp://
Software\Adobe\Common
SiteServers
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
table
CONSTRAINT
PRIMARY
UNIQUE
CHECK
FOREIGN
logins
origin_url
password_value
username_value
ftp://
http://
https://
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
\Bromium
\Nichrome
\Comodo
\RockMelt
K-Meleon
\K-Meleon
\Profiles
Epic
\Epic\Epic
Staff-FTP
sites.ini
\Sites
\Visicom Media
.ftp
\Global Downloader
SM.arch
FreshFTP
.SMF
BlazeFtp
site.dat
LastPassword
LastAddress
LastUser
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
.fpl
FTP++.Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
sites.ini
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
\NetSarang
.xfp
.rdp
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
FTP Now
FTPNow
sites.xml
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
Password
ServerName
UserID
InitialDirectory
PortNumber
ServerType
fMY
Software\LinasFTP\Site Manager
Host
User
Pass
Port
Remote Dir
\Cyberduck
.duck
user.config
<setting name="
value="
Software\SimonTatham\PuTTY\Sessions
HostName
UserName
Password
PortNumber
TerminalType
NppFTP.xml
\Notepad++
Software\CoffeeCup Software
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
DataDir
\FTPInfo
ServerList.xml
NexusFile
ftpsite.ini
FastStone Browser
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
Site
UserID
xflags
Port
Folder
.wjf
winex="
\Yandex
My FTP
project.ini
.xml
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
Salt
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
Path
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Count
Default
Dir #%d
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Thunderbird
\Thunderbird
FastTrack
ftplist.txt

---
MalwareMustDie!