General

  • Target

    027f298a0b05438072787a745cb4631f_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240427-ft5s7abg47

  • MD5

    027f298a0b05438072787a745cb4631f

  • SHA1

    9642c03b30a5c9a0b45063b0285c4cadd6b08e26

  • SHA256

    42f89aa4bd9da1d07529e57f057bb9a4fbf30e91419efcd1325570aa94ba4f31

  • SHA512

    66997022549168f60e1adaae6eb3f44767d555973b6b0118f53e73794612da0070eaab08f458e3044797a382747f1f6b878b9195d0944a2ca8e36ceef22345a4

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrly:86SIROiFJiwp0xlrly

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe
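The two URLs above are the actionable network indicators from this run: the gate receives the stolen-credential POST, the payload_url is where the second stage is fetched from. The script below is an added example, not part of the sandbox report: it derives host/path/method indicators from the extracted config and sweeps them over HTTP proxy log lines. The URLs are the ones the report extracted; the log format (`time src method url status`) and the log lines are constructed for illustration.

```python
"""Turn the extracted Pony config into network indicators and sweep a proxy log.

Added example, not part of the sandbox report. The C2 and payload_url are the
values the report extracted; SAMPLE_LOG is constructed for illustration.
"""
from urllib.parse import urlparse

# Extracted by the sandbox (Malware Config section of the report).
PONY_C2 = "http://don.service-master.eu/gate.php"
PONY_PAYLOAD_URL = "http://don.service-master.eu/shit.exe"

# Constructed proxy log lines: time, source IP, method, URL, status.
# Line 4 deliberately uses a different host with the same path: a bare
# "gate.php" match would be a false positive, so the sweep keys on host first.
SAMPLE_LOG = """
2024-04-27T10:01:02Z 10.0.0.15 POST http://don.service-master.eu/gate.php 200
2024-04-27T10:01:03Z 10.0.0.15 GET http://don.service-master.eu/shit.exe 200
2024-04-27T10:01:09Z 10.0.0.22 GET http://example.com/index.html 200
2024-04-27T10:02:11Z 10.0.0.30 GET http://service-master.eu/gate.php 404
2024-04-27T10:05:40Z 10.0.0.15 GET http://don.service-master.eu/gate.php 200
""".strip().splitlines()


def indicators_from_config(c2, payload_url):
    """Split the extracted URLs into a host set and a path -> (method, label) map.

    Pony reports harvested credentials with an HTTP POST to its gate and fetches
    the second-stage executable with a GET, so the expected method is recorded
    alongside each path.
    """
    c2_u, pay_u = urlparse(c2), urlparse(payload_url)
    return {
        "hosts": {c2_u.hostname, pay_u.hostname},
        "paths": {
            c2_u.path: ("POST", "credential_exfil"),
            pay_u.path: ("GET", "payload_download"),
        },
    }


def scan_proxy_log(lines, indicators):
    """Return one hit per log line that reaches an indicator host.

    A matching host plus the expected path and method gets the specific label;
    any other request to the host is still reported as contact with the C2 host.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash mid-sweep
        ts, src, method, url, _status = fields
        u = urlparse(url)
        if u.hostname not in indicators["hosts"]:
            continue  # gate.php on an unrelated host is not this C2
        expected = indicators["paths"].get(u.path)
        if expected and expected[0] == method.upper():
            verdict = expected[1]
        else:
            verdict = "c2_host_contact"  # known host, unexpected path/method
        hits.append({"time": ts, "src": src, "url": url, "verdict": verdict})
    return hits


def hosts_to_isolate(hits):
    """Every source that touched the C2 host at all should be contained."""
    return {h["src"] for h in hits}


if __name__ == "__main__":
    ind = indicators_from_config(PONY_C2, PONY_PAYLOAD_URL)
    for hit in scan_proxy_log(SAMPLE_LOG, ind):
        print(f"{hit['time']} {hit['src']} {hit['verdict']:18} {hit['url']}")
    print("isolate:", sorted(hosts_to_isolate(scan_proxy_log(SAMPLE_LOG, ind))))
```

Matching on the full hostname first, and only then on path and method, is deliberate: `gate.php` is a generic filename shared by many Pony and non-Pony panels, so the path alone is not an indicator of this campaign.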

Targets

    • Target

      027f298a0b05438072787a745cb4631f_JaffaCakes118

    • Size

      2.6MB

    • MD5

      027f298a0b05438072787a745cb4631f

    • SHA1

      9642c03b30a5c9a0b45063b0285c4cadd6b08e26

    • SHA256

      42f89aa4bd9da1d07529e57f057bb9a4fbf30e91419efcd1325570aa94ba4f31

    • SHA512

      66997022549168f60e1adaae6eb3f44767d555973b6b0118f53e73794612da0070eaab08f458e3044797a382747f1f6b878b9195d0944a2ca8e36ceef22345a4

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrly:86SIROiFJiwp0xlrly

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential stealer and downloader rather than a full remote-access tool: it harvests saved passwords from browsers, FTP, email and other clients, reports them to its gate (here http://don.service-master.eu/gate.php) with an HTTP POST, and can fetch and execute a second-stage binary (here the payload_url shit.exe).

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
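Three of the signatures above (WinLogon persistence, a Run key, and changed hidden/system-file visibility in Explorer) leave traces in a handful of well-known registry values. The script below is an added example, not part of the sandbox report: it parses a `.reg` export of those keys (as produced by `reg export`) and flags the deviations a responder would look for. The key and value names are the standard Windows ones; the export text is constructed for illustration, and the dropped-file path in it is hypothetical.

```python
"""Audit a .reg export for the persistence and Explorer changes Pony-style droppers make.

Added example, not part of the sandbox report. SAMPLE_REG is a constructed
export; the file path in it is hypothetical, not taken from this sample.
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
EXPLORER_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed export: Shell has an extra executable appended, one Run entry,
# and Explorer set to hide both hidden files (Hidden=2) and protected
# system files (ShowSuperHidden=0).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\updater.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""


def parse_reg_export(text):
    """Parse a .reg export into {lowercased key path: {value name: value}}.

    Handles REG_SZ ("...", with \\ and \" escapes) and REG_DWORD (dword:hex);
    other types are kept as their raw text so nothing is silently dropped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        if value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = value
    return keys


def audit(keys):
    """Return (check, detail) findings for the three signature categories."""
    findings = []
    wl = keys.get(WINLOGON.lower(), {})
    shell = wl.get("Shell")
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(("winlogon_shell", shell))       # anything besides explorer.exe
    userinit = wl.get("Userinit")
    if userinit is not None and userinit.lower().rstrip(",") != r"c:\windows\system32\userinit.exe":
        findings.append(("winlogon_userinit", userinit))  # extra program chained in
    for run_key in RUN_KEYS:
        for name, cmd in keys.get(run_key.lower(), {}).items():
            findings.append(("run_key", f"{name} -> {cmd}"))  # every Run entry is reviewed
    adv = keys.get(EXPLORER_ADV.lower(), {})
    if adv.get("Hidden") == 2:
        findings.append(("explorer_hidden_files_off", "Hidden=2"))
    if adv.get("ShowSuperHidden") == 0:
        findings.append(("explorer_system_files_off", "ShowSuperHidden=0"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{check:28} {detail}")
```

Userinit is compared with its trailing comma stripped because the stock value legitimately ends in one; a second program appended after the comma is the classic WinLogon persistence trick and is what the check catches.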
