General

  • Target

    02bc5fd312afe64511bc02d54a8c6d3a_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240427-je38laef2v

  • MD5

    02bc5fd312afe64511bc02d54a8c6d3a

  • SHA1

    b16247ef8471403ca912bdf7a8ff6cfa7cafa694

  • SHA256

    eb560bd9a4727b2e113dc9d80f5c2e3f7262205241cb2bd51768ad2281c91267

  • SHA512

    d8d582478cc671b5067ea054ea24368e1f8d0a698de1b855c0f41b45fc959c5a86a5f0b25a69ab6631e820fd7eb009f2f546cc198ce847c5cfada663050c1673

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl4:86SIROiFJiwp0xlrl4

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      02bc5fd312afe64511bc02d54a8c6d3a_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks