General

  • Target

    034700d5078bf78d3a7656d4dfbedf29_JaffaCakes118

  • Size

    845KB

  • Sample

    240427-pymmvaag52

  • MD5

    034700d5078bf78d3a7656d4dfbedf29

  • SHA1

    d4aff8c1e67c7004809907028134b152688fd117

  • SHA256

    cdcf0f0f82df39128c441911fda6a5fa03a506d796182e02075cb9b06ce834f4

  • SHA512

    b5894f0c68d363841dd8cb5cebcffaae54e68e653eb1818eb5762329feaa4c877047681bb069a333ea0f604247a53c13f8e4e7cdbf373563b769d002bf682789

  • SSDEEP

    24576:0BVXsqGqLk+b4R7W/gvtprW3B5sBnh3rAIPK:QXsILLS7g2t9WR5shh3ro

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      1059-2c5a1d3a3178e03be08349fe43168df75b22586f

    • Size

      2.2MB

    • MD5

      86b26f8eef5f69f6a2369834bd6cea21

    • SHA1

      2c5a1d3a3178e03be08349fe43168df75b22586f

    • SHA256

      9448fa38a632dfeffb3d078b799aef5cbd428e7a3d9ab8b8e1820cc92245123d

    • SHA512

      c9ca31502e9c5ca21de477b3ef34971c80c338b70d951f386de695a7a8c534fbe9f81093993277c8ac4492e8842a12b6ee5980656790baeb7129939a699ede7a

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwK

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks