General
-
Target
78d954f450dbe1deab7ca0a16222c699_JaffaCakes118
-
Size
2.6MB
-
Sample
240527-mj478shd76
-
MD5
78d954f450dbe1deab7ca0a16222c699
-
SHA1
70875be8883345db402e6fc6556728502e5e428e
-
SHA256
0d81467902d228d8812cfa9917dce05d8bdd9e2cd36bd6c911499c6380688218
-
SHA512
e65453c9de6af93a340639b495bc33fd17e0525d01c1f3753c92cb6eabb31bf2af232ea96a2bbb6bbdd0e41881ee50b26739727dcd1fb73169b529e56c444678
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl5:86SIROiFJiwp0xlrl5
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
78d954f450dbe1deab7ca0a16222c699_JaffaCakes118
-
Size
2.6MB
-
MD5
78d954f450dbe1deab7ca0a16222c699
-
SHA1
70875be8883345db402e6fc6556728502e5e428e
-
SHA256
0d81467902d228d8812cfa9917dce05d8bdd9e2cd36bd6c911499c6380688218
-
SHA512
e65453c9de6af93a340639b495bc33fd17e0525d01c1f3753c92cb6eabb31bf2af232ea96a2bbb6bbdd0e41881ee50b26739727dcd1fb73169b529e56c444678
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl5:86SIROiFJiwp0xlrl5
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1