General
-
Target
7912866b72307178fff8fee003bb5d3b_JaffaCakes118
-
Size
2.6MB
-
Sample
240527-n39shabf82
-
MD5
7912866b72307178fff8fee003bb5d3b
-
SHA1
dadd7948d8fc385461490181117b8034bbb70521
-
SHA256
dea95cb0a6191fddfb2c58b1271ea6354c33c6547c2d7f53f994982a8b30bf7b
-
SHA512
d1cddc43ba5d155d5b006a1c9e4e2f2395328447d6ff17d3b1351ff3226f7b46720e2192c385e0135e253d5a54bda6cb7c4b852b5f77f43a9a08cbbd0156c69c
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlL:86SIROiFJiwp0xlrlL
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
7912866b72307178fff8fee003bb5d3b_JaffaCakes118
-
Size
2.6MB
-
MD5
7912866b72307178fff8fee003bb5d3b
-
SHA1
dadd7948d8fc385461490181117b8034bbb70521
-
SHA256
dea95cb0a6191fddfb2c58b1271ea6354c33c6547c2d7f53f994982a8b30bf7b
-
SHA512
d1cddc43ba5d155d5b006a1c9e4e2f2395328447d6ff17d3b1351ff3226f7b46720e2192c385e0135e253d5a54bda6cb7c4b852b5f77f43a9a08cbbd0156c69c
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlL:86SIROiFJiwp0xlrlL
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1