General

  • Target

    a0686c6259a3985556192bb559b1fbc7_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-m1j9dswalq

  • MD5

    a0686c6259a3985556192bb559b1fbc7

  • SHA1

    9f69c6943d952389d931a4d4783c6cf167eaaeee

  • SHA256

    9431f98b9e6d60ddc49dbf50d9d0328c08847ce058ae3697abc44971f6f608f6

  • SHA512

    99b05b324b480439c25c310223871f0352dc6c535f1afbc26b9436c09149b372b8c905915983bd49e8186afa5892bc8727b818d696bc03bf53dec2b9f6438609

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlM:86SIROiFJiwp0xlrlM

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a0686c6259a3985556192bb559b1fbc7_JaffaCakes118

    • Size

      2.6MB

    • MD5

      a0686c6259a3985556192bb559b1fbc7

    • SHA1

      9f69c6943d952389d931a4d4783c6cf167eaaeee

    • SHA256

      9431f98b9e6d60ddc49dbf50d9d0328c08847ce058ae3697abc44971f6f608f6

    • SHA512

      99b05b324b480439c25c310223871f0352dc6c535f1afbc26b9436c09149b372b8c905915983bd49e8186afa5892bc8727b818d696bc03bf53dec2b9f6438609

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlM:86SIROiFJiwp0xlrlM

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks