General

  • Target

    a01ff2f20d94f773ffb4374ca08f280b_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-k1k5ksxapr

  • MD5

    a01ff2f20d94f773ffb4374ca08f280b

  • SHA1

    a1e1b59234673e4e6e49379b540818c436c81a9e

  • SHA256

    60c959a265820a75346be986e341965565e8d9660ca218b26330d9441b6d2bcb

  • SHA512

    f391ae096a52ee7e5b39e2810e3d3ab6313b1f50baf5d0f6da3a1fe30254658d5d08aa8a702bb7e8488ce0f2acaafbaa365ba15d7a3786f61c4ab30ecd7e9180

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWwwk

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a01ff2f20d94f773ffb4374ca08f280b_JaffaCakes118

    • Size

      2.2MB

    • MD5

      a01ff2f20d94f773ffb4374ca08f280b

    • SHA1

      a1e1b59234673e4e6e49379b540818c436c81a9e

    • SHA256

      60c959a265820a75346be986e341965565e8d9660ca218b26330d9441b6d2bcb

    • SHA512

      f391ae096a52ee7e5b39e2810e3d3ab6313b1f50baf5d0f6da3a1fe30254658d5d08aa8a702bb7e8488ce0f2acaafbaa365ba15d7a3786f61c4ab30ecd7e9180

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWwwk

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks