General

  • Target

    a012cbcf17b36e63146f7ce8c19b83ea_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-km2keawfjk

  • MD5

    a012cbcf17b36e63146f7ce8c19b83ea

  • SHA1

    3c1614baf8be7362113013e32ac75c6aeed71d26

  • SHA256

    d75f92d37b280279be8291a274eb86753bfcccc073f6203c2f53b6c795fac3df

  • SHA512

    661bf8e3a81a2196d2be773973e49d026386a33d30bb084077f4b98f6af3e49c4d78795aed6f257d35f5d079dc9b0bb65a81ac86e8a9b4e7af4377825aeed13f

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZR:0UzeyQMS4DqodCnoe+iitjWwwN

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a012cbcf17b36e63146f7ce8c19b83ea_JaffaCakes118

    • Size

      2.2MB

    • MD5

      a012cbcf17b36e63146f7ce8c19b83ea

    • SHA1

      3c1614baf8be7362113013e32ac75c6aeed71d26

    • SHA256

      d75f92d37b280279be8291a274eb86753bfcccc073f6203c2f53b6c795fac3df

    • SHA512

      661bf8e3a81a2196d2be773973e49d026386a33d30bb084077f4b98f6af3e49c4d78795aed6f257d35f5d079dc9b0bb65a81ac86e8a9b4e7af4377825aeed13f

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZR:0UzeyQMS4DqodCnoe+iitjWwwN

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks