General

  • Target

    03f02b8e8536afa1a89c82488a673469_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240428-aes8ysbg9z

  • MD5

    03f02b8e8536afa1a89c82488a673469

  • SHA1

    03d8750f9ff31e788e3e3b81750118355d5289f4

  • SHA256

    6a18c99794801433dbf0ad44bf5714b9e7fa09e477750c8c5052fd7eefc05e8f

  • SHA512

    67fdbfb8d71f9db1ed2d4b9ef829921e8b64cec8cdae7f92fc0d20f733894429b74c3d3468683cbfd620bedf71afd3e189654ac843edf280aa246198e6481222

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZb:0UzeyQMS4DqodCnoe+iitjWwwP

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets


    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
