General

  • Target

    037417498974242dccc6e999273d3e6e_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240427-rr89dacb95

  • MD5

    037417498974242dccc6e999273d3e6e

  • SHA1

    1f4f3ec3c0212106e9305a3741ef07eea33b2717

  • SHA256

    1a03cead897c67ddaffbd2e05e48a8362570ba0d939398178d008a4d9274b357

  • SHA512

    37aee28a814b976155ff5f0f409e4e8b5a8ecabdac9d61690d74d75e5b4bf328f0f8b6077ac5da4eff1f1f8aae3b6ec4cf74eedc1d3d1a30e70c83a0600037a4

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZl:0UzeyQMS4DqodCnoe+iitjWwwR

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks