General

  • Target

    a026df52169668712c17d4d1851b9286_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-k6hlmsxcjp

  • MD5

    a026df52169668712c17d4d1851b9286

  • SHA1

    154d43e6f359c7593f45cf33ec51e90e9a7e0f98

  • SHA256

    cd2831fb37a832d879ae59d332c5d3d87ef6d2db68f4859e8151598d2df75c23

  • SHA512

    02beb04cb43c3ff3560feda3e81e18cd9c2dec8143c2d8874af98d8e3290224a1c91d931f2dea68fbc4568b2b4d6823c3580d291e8e1f71f8c22e59fbb83047b

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlW:86SIROiFJiwp0xlrlW

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks