General

  • Target

    025c5ca522408d1e2324daa3b6304ca8_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240427-efcptaad84

  • MD5

    025c5ca522408d1e2324daa3b6304ca8

  • SHA1

    b9773a912dc84f8ce8daed7892a2be2295bb4a45

  • SHA256

    95462623fbe8352ff5aa5018ad64ab4e7206e701cf80e409fda01a61dde11b9a

  • SHA512

    dc2b8a6ad0de004539e9b1cffedd3a82c46feb7839d38728906608cfe80fcdbf524a8c2c99ff32cdb2a12a41b72a936fd7cf7dfd239e5dd9edb625a343881ca6

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZG:0UzeyQMS4DqodCnoe+iitjWwwa

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      025c5ca522408d1e2324daa3b6304ca8_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan that steals information (credentials) from the infected host.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks