General

  • Target

    a010e0820cf805e4c1e6a1388519b344_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-klfxbawdrb

  • MD5

    a010e0820cf805e4c1e6a1388519b344

  • SHA1

    7b7f5d56deba0ea466f3189adb06fe09a049a76e

  • SHA256

    cfe5af0e9fedfd979a3760e0fa677ed8679e221c5a7041216cc5b99e36495c9c

  • SHA512

    e22b408054e301c3abae841989941d1609cc94ef932ed2186aceaa99ce0471d813fed1f2052ce5d52f848d7eefa848af95dd914d233da1e5125aef7a16011f2c

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwC

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
