General
-
Target
80ded254e29d5a936337b1a8c89f5a0f_JaffaCakes118
-
Size
2.6MB
-
Sample
240529-qjv64sge24
-
MD5
80ded254e29d5a936337b1a8c89f5a0f
-
SHA1
370c3b043d4b5acd08ef3586f194220a6b6c67ee
-
SHA256
08693f9818f25f0af5cee7397ec07b974451ebcc40e58f7f86efaf652f02c05a
-
SHA512
46b519fa3c9e822347e6af41b75196a81472a3e364c736ee912e0a5450dc650c1df76c7ec89ee3f0cf16f7e604cde1ecd8056b2ad74adbc1c3d75e91e04ef78d
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrly:86SIROiFJiwp0xlrly
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
80ded254e29d5a936337b1a8c89f5a0f_JaffaCakes118
-
Size
2.6MB
-
MD5
80ded254e29d5a936337b1a8c89f5a0f
-
SHA1
370c3b043d4b5acd08ef3586f194220a6b6c67ee
-
SHA256
08693f9818f25f0af5cee7397ec07b974451ebcc40e58f7f86efaf652f02c05a
-
SHA512
46b519fa3c9e822347e6af41b75196a81472a3e364c736ee912e0a5450dc650c1df76c7ec89ee3f0cf16f7e604cde1ecd8056b2ad74adbc1c3d75e91e04ef78d
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrly:86SIROiFJiwp0xlrly
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1