General
-
Target
053298dd49a8952b53e13823dc46c181_JaffaCakes118
-
Size
2.6MB
-
Sample
240428-pqn6psfg98
-
MD5
053298dd49a8952b53e13823dc46c181
-
SHA1
678b46bfff69d097eb5b21b51d838881fdcf63e7
-
SHA256
34320d9d04c1818d2b89e0afbca76e76346ebf54f4d9dab1ca4e3201972c7b46
-
SHA512
ddef5c28e25bfe8e9f79085f109193d7cd94315a553561c6dcf558bf339b6867b611b9bca98d65f35a6fd691366d11f33fce394198f2e046e44e295233c88f13
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlO:86SIROiFJiwp0xlrlO
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
053298dd49a8952b53e13823dc46c181_JaffaCakes118
-
Size
2.6MB
-
MD5
053298dd49a8952b53e13823dc46c181
-
SHA1
678b46bfff69d097eb5b21b51d838881fdcf63e7
-
SHA256
34320d9d04c1818d2b89e0afbca76e76346ebf54f4d9dab1ca4e3201972c7b46
-
SHA512
ddef5c28e25bfe8e9f79085f109193d7cd94315a553561c6dcf558bf339b6867b611b9bca98d65f35a6fd691366d11f33fce394198f2e046e44e295233c88f13
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlO:86SIROiFJiwp0xlrlO
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1