General
-
Target
80c30835a4632d0ce030b7e0c60ee6db_JaffaCakes118
-
Size
2.6MB
-
Sample
240529-pvv5tafd56
-
MD5
80c30835a4632d0ce030b7e0c60ee6db
-
SHA1
acddd00e07e663569ee6172a962472e02b37d3ab
-
SHA256
aa2e6b33d91f46aac5c8a62bc64c3f4cdcaeee05ba73ebff0d91ae1183c4a180
-
SHA512
5c072d7d426efe1bab49b67b68d4d876b5e94500241486200569ed62b580876b0f6a929e73c2b6d8fb9a04960c49a57861e6b81c94ae3dce80dee9f6507c0de1
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlp:86SIROiFJiwp0xlrlp
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
80c30835a4632d0ce030b7e0c60ee6db_JaffaCakes118
-
Size
2.6MB
-
MD5
80c30835a4632d0ce030b7e0c60ee6db
-
SHA1
acddd00e07e663569ee6172a962472e02b37d3ab
-
SHA256
aa2e6b33d91f46aac5c8a62bc64c3f4cdcaeee05ba73ebff0d91ae1183c4a180
-
SHA512
5c072d7d426efe1bab49b67b68d4d876b5e94500241486200569ed62b580876b0f6a929e73c2b6d8fb9a04960c49a57861e6b81c94ae3dce80dee9f6507c0de1
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlp:86SIROiFJiwp0xlrlp
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1