MalwareMustDie

OCJP-133 Pony Stolen Credential & Privacies

Jan 29th, 2017
Zeus/Pony Injected by Hancitor PE DLL: edd954f233c0f72ecf4beb0e63177969a297c6ee8e1da2bcc90924b922da0d88
Ref: #OCJP-133

// files - creds & privacy

C:\DOCUME~1\GREGSC~1\LOCALS~1\Temp\HWID
C:\WINDOWS\wcx_ftp.ini
C:\Documents and Settings\...\wcx_ftp.ini
C:\Documents and Settings\..\Application Data\GHISLER\wcx_ftp.ini
C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini
C:\Documents and Settings\...\Local Settings\Application Data\GHISLER\wcx_ftp.ini
C:\Documents and Settings\..\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\..\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\..\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
C:\Documents and Settings\..\Application Data\CuteFTP\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
C:\Documents and Settings\All Users\Application Data\CuteFTP\sm.dat
C:\Documents and Settings\...\Local Settings\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\...\Local Settings\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\...\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
C:\Documents and Settings\...\Local Settings\Application Data\CuteFTP\sm.dat
C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat
C:\Program Files\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Program Files\GlobalSCAPE\CuteFTP Lite\sm.dat
C:\Program Files\CuteFTP\sm.dat
C:\Documents and Settings\..\Application Data\FlashFXP\3\Sites.dat
C:\Documents and Settings\..\Application Data\FlashFXP\4\Sites.dat
C:\Documents and Settings\..\Application Data\FlashFXP\3\Quick.dat
C:\Documents and Settings\..\Application Data\FlashFXP\4\Quick.dat
C:\Documents and Settings\..\Application Data\FlashFXP\3\History.dat
C:\Documents and Settings\..\Application Data\FlashFXP\4\History.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Quick.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Quick.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\History.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\History.dat
C:\Documents and Settings\...\Local Settings\Application Data\FlashFXP\3\Sites.dat
C:\Documents and Settings\...\Local Settings\Application Data\FlashFXP\4\Sites.dat
C:\Documents and Settings\...\Local Settings\Application Data\FlashFXP\3\Quick.dat
C:\Documents and Settings\...\Local Settings\Application Data\FlashFXP\4\Quick.dat
C:\Documents and Settings\...\Local Settings\Application Data\FlashFXP\3\History.dat
C:\Documents and Settings\...\Local Settings\Application Data\FlashFXP\4\History.dat
C:\Documents and Settings\..\Application Data\FileZilla\sitemanager.xml
C:\Documents and Settings\..\Application Data\FileZilla\recentservers.xml
C:\Documents and Settings\..\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\sitemanager.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\recentservers.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\...\Local Settings\Application Data\FileZilla\sitemanager.xml
C:\Documents and Settings\...\Local Settings\Application Data\FileZilla\recentservers.xml
C:\Documents and Settings\...\Local Settings\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\profiles.ini
C:\Program Files\Common Files\Ipswitch\WS_FTP\
C:\Documents and Settings\..\Application Data\Ipswitch\
C:\Documents and Settings\All Users\Application Data\Ipswitch\
C:\Documents and Settings\...\Local Settings\Application Data\Ipswitch\
C:\Documents and Settings\..\Application Data\GlobalSCAPE\CuteFTP\
C:\Documents and Settings\..\Application Data\GlobalSCAPE\CuteFTP Pro\
C:\Documents and Settings\..\Application Data\GlobalSCAPE\CuteFTP Lite\
C:\Documents and Settings\..\Application Data\CuteFTP\
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Lite\
C:\Documents and Settings\All Users\Application Data\CuteFTP\
C:\Documents and Settings\...\Local Settings\Application Data\GlobalSCAPE\CuteFTP\
C:\Documents and Settings\...\Local Settings\Application Data\GlobalSCAPE\CuteFTP Pro\
C:\Documents and Settings\...\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\
C:\Documents and Settings\...\Local Settings\Application Data\CuteFTP\
C:\Program Files\GlobalSCAPE\CuteFTP\
C:\Program Files\GlobalSCAPE\CuteFTP Pro\
C:\Program Files\GlobalSCAPE\CuteFTP Lite\
C:\Program Files\CuteFTP\
C:\Documents and Settings\...\Local Settings\Application Data\BulletProof Software\
C:\Documents and Settings\..\Application Data\BulletProof Software\
C:\Documents and Settings\All Users\Application Data\BulletProof Software\
C:\Documents and Settings\..\Application Data\SmartFTP\
C:\Documents and Settings\All Users\Application Data\SmartFTP\
C:\Documents and Settings\...\Local Settings\Application Data\SmartFTP\
C:\Documents and Settings\..\Application Data\VanDyke\Config\Sessions\
C:\Documents and Settings\All Users\Application Data\VanDyke\Config\Sessions\
C:\Documents and Settings\...\Local Settings\Application Data\VanDyke\Config\Sessions\
C:\Documents and Settings\..\Application Data\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\...\Local Settings\Application Data\
C:\Documents and Settings\..\Application Data\Opera Software\
C:\Documents and Settings\...\Local Settings\Application Data\Opera Software\
C:\Documents and Settings\All Users\Application Data\Opera Software\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\bookmarkbackups\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\crashes\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\crashes\events\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\datareporting\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\healthreport\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\minidumps\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\sessionstore-backups\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\storage\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\storage\permanent\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\storage\permanent\moz-safe-about+home\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\storage\permanent\moz-safe-about+home\idb\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default\webapps\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Crash Reports\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Crash Reports\events\
C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\
C:\Documents and Settings\..\Application Data\Google\Chrome\
C:\Documents and Settings\...\Local Settings\Application Data\Google\Chrome\
C:\Documents and Settings\...\Local Settings\Application Data\Google\Chrome\User Data\
C:\Documents and Settings\All Users\Application Data\Google\Chrome\
C:\Documents and Settings\..\Application Data\ChromePlus\
C:\Documents and Settings\...\Local Settings\Application Data\ChromePlus\
C:\Documents and Settings\All Users\Application Data\ChromePlus\
C:\Documents and Settings\...\My Documents\
C:\Documents and Settings\...\My Documents\My Music\
C:\Documents and Settings\...\My Documents\My Pictures\

// registry - creds & privacy

HKEY_USERS\Software\WinRAR
HKEY_USERS\Software\Ghisler\Windows Commander
HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
HKEY_USERS\Software\Ghisler\Total Commander
HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
HKEY_USERS\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
HKEY_USERS\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
HKEY_USERS\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
HKEY_USERS\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
HKEY_USERS\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
HKEY_USERS\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
HKEY_USERS\Software\GlobalSCAPE\CuteFTP 9\QCToolbar
HKEY_USERS\Software\FlashFXP\3
HKEY_USERS\Software\FlashFXP
HKEY_USERS\Software\FlashFXP\4
HKEY_LOCAL_MACHINE\Software\FlashFXP\3
HKEY_LOCAL_MACHINE\Software\FlashFXP
HKEY_LOCAL_MACHINE\Software\FlashFXP\4
HKEY_USERS\Software\FileZilla
HKEY_USERS\Software\FileZilla Client
HKEY_LOCAL_MACHINE\Software\FileZilla
HKEY_LOCAL_MACHINE\Software\FileZilla Client
HKEY_USERS\Software\BPFTP\Bullet Proof FTP\Main
HKEY_USERS\Software\BulletProof Software\BulletProof FTP Client\Main
HKEY_USERS\Software\BPFTP\Bullet Proof FTP\Options
HKEY_USERS\Software\BulletProof Software\BulletProof FTP Client\Options
HKEY_USERS\Software\BPFTP
HKEY_USERS\Software\FTPWare\COREFTP\Sites
HKEY_USERS\Software\VanDyke\SecureFX
HKEY_USERS\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_USERS\Software\Opera Software
HKEY_USERS\Opera.HTML\shell\open\command
HKEY_LOCAL_MACHINE\Software\Classes\Opera.HTML\shell\open\command
HKEY_USERS\Software\Mozilla
HKEY_LOCAL_MACHINE\Software\Mozilla
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\extensions
HKEY_LOCAL_MACHINE\Software\Mozilla\MaintenanceService
HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox
HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\xxx
HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\xxx\Main
HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\xxx\Uninstall
HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox xxx\bin
HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox xxx\extensions
HKEY_USERS\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_USERS\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms\FormData
HKEY_USERS\Software\ChromePlus
HKEY_USERS\Software\Microsoft\Windows Live Mail
HKEY_USERS\Software\Microsoft\Windows Mail
HKEY_USERS\Software\IncrediMail
HKEY_LOCAL_MACHINE\Software\IncrediMail
HKEY_USERS\Software\Microsoft\Internet Account Manager\Accounts
HKEY_USERS\Identities
HKEY_USERS\Identities\xxx\Microsoft\Internet Account Manager\Accounts
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager
HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_USERS\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_USERS\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

#MalwareMustDie | @unixfreaxjp
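The list above is what the Pony stealer enumerates once it runs, and its useful property for detection is breadth: a legitimate client reads only its own store, while the stealer sweeps FTP, browser and mail stores of many products in one burst. The following is an added example (my code, not part of the paste and not MalwareMustDie's tooling) that turns a subset of the paths and keys above into match patterns and flags any process that touches credential stores of three or more distinct products. Everything beyond the paste is an assumption: the event field names, the `rundll32.exe` host process, the `alice` profile and the SID are constructed for the example, and `..`/`...`/`xxx` are expanded to "any path component" because that is how the paste uses them.

```python
import re
from collections import defaultdict

# Representative subset of the Pony target list above, each tagged with the
# product whose saved credentials it holds. In the paste, ".." / "..." stand for
# a user profile directory (or a prefix such as "..default") and "xxx" for a
# version or identity GUID. Directory entries keep their trailing backslash.
PONY_TARGETS = [
    (r"C:\Documents and Settings\..\Application Data\GHISLER\wcx_ftp.ini", "Total Commander"),
    (r"C:\Documents and Settings\..\Application Data\GlobalSCAPE\CuteFTP\sm.dat", "CuteFTP"),
    (r"C:\Documents and Settings\..\Application Data\FlashFXP\4\Sites.dat", "FlashFXP"),
    (r"C:\Documents and Settings\..\Application Data\FileZilla\sitemanager.xml", "FileZilla"),
    (r"C:\Documents and Settings\..\Application Data\FileZilla\recentservers.xml", "FileZilla"),
    (r"C:\Documents and Settings\..\Application Data\Mozilla\Firefox\profiles.ini", "Firefox"),
    (r"C:\Documents and Settings\..\Application Data\Mozilla\Firefox\Profiles\..default" + "\\", "Firefox"),
    (r"C:\Documents and Settings\...\Local Settings\Application Data\Google\Chrome\User Data" + "\\", "Chrome"),
    (r"HKEY_USERS\Software\Microsoft\Internet Explorer\IntelliForms\Storage2", "Internet Explorer"),
    (r"HKEY_USERS\Software\Martin Prikryl", "WinSCP"),
    (r"HKEY_USERS\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook", "Outlook"),
    (r"HKEY_USERS\Identities\xxx\Microsoft\Internet Account Manager\Accounts", "Outlook Express"),
]


def compile_target(template):
    """Turn one entry from the paste into an anchored, case-insensitive regex."""
    parts = re.split(r"(\.\.\.?|xxx)", template)  # odd indices are placeholders
    body = "".join(
        (r"[^\\]*" if part.startswith(".") else r"[^\\]+") if i % 2 else re.escape(part)
        for i, part in enumerate(parts)
    )
    if template.startswith("HKEY_"):
        tail = r"(?:\\.*)?"   # subkeys and value names beneath the key
    elif template.endswith("\\"):
        tail = r".*"          # anything under the directory
    else:
        tail = ""             # exact file
    return re.compile("^" + body + tail + "$", re.IGNORECASE)


COMPILED = [(compile_target(t), product) for t, product in PONY_TARGETS]
_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS", "HKCU": "HKEY_USERS"}


def normalize(target):
    """Fold Sysmon-style hive prefixes (HKLM\\, HKU\\<SID>\\) to the form the paste uses."""
    m = re.match(r"^(HKLM|HKU|HKCU)\\", target, re.IGNORECASE)
    if m:
        target = _HIVES[m.group(1).upper()] + target[m.end() - 1:]
    # Drop the per-user SID so HKEY_USERS\<SID>\Software matches HKEY_USERS\Software.
    return re.sub(r"^(HKEY_USERS)\\S-1-[0-9-]+(?:_Classes)?\\",
                  lambda s: s.group(1) + "\\", target, flags=re.IGNORECASE)


def classify(target):
    """Return the product whose credential store `target` belongs to, or None."""
    t = normalize(target)
    for rx, product in COMPILED:
        if rx.match(t):
            return product
    return None


def score_events(events, min_products=3):
    """Group store touches per process; report processes spanning >= min_products products."""
    touched = defaultdict(set)
    for ev in events:
        product = classify(ev["target"])
        if product:
            touched[(ev["pid"], ev["image"])].add(product)
    return {proc: sorted(p) for proc, p in touched.items() if len(p) >= min_products}


# Constructed access telemetry (field names are my own, not a vendor schema).
# pid 4321 is a hypothetical process hosting the injected stealer; pid 1180 is
# FileZilla reading its own site manager, which must not be flagged.
SID = "S-1-5-21-1234567890-1234567890-1234567890-1001"   # made-up SID
PROFILE = r"C:\Documents and Settings\alice"             # made-up profile
HOST = r"C:\WINDOWS\system32\rundll32.exe"               # hypothetical host image
SAMPLE_EVENTS = [
    {"pid": 4321, "image": HOST, "target": PROFILE + r"\Application Data\FileZilla\sitemanager.xml"},
    {"pid": 4321, "image": HOST, "target": PROFILE + r"\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"},
    {"pid": 4321, "image": HOST, "target": PROFILE + r"\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4321, "image": HOST, "target": "HKU\\" + SID + r"\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\abcdef0123"},
    {"pid": 4321, "image": HOST, "target": "HKU\\" + SID + r"\Software\Martin Prikryl\WinSCP 2\Sessions\prod\HostName"},
    {"pid": 4321, "image": HOST, "target": r"C:\WINDOWS\system32\drivers\etc\hosts"},   # not a store
    {"pid": 1180, "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "target": PROFILE + r"\Application Data\FileZilla\sitemanager.xml"},
]

if __name__ == "__main__":
    for (pid, image), products in score_events(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image} touched {len(products)} credential stores: {', '.join(products)}")
```

Two caveats for running this against real telemetry: Windows does not log file or registry reads by default, so the file side needs an object-access SACL (event 4663) on the stores or an EDR file-access feed, and the registry side is covered by Sysmon events 12/13 with the `HKU\<SID>\` prefix that `normalize` folds away. The three-product threshold is a starting point; the stealer's sweep typically spans far more, so raising it costs little recall while cutting noise from backup and sync agents that walk `Application Data` wholesale.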