General

  • Target

    a05e385f2439f2dd910cc4493e49287d_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-msd3eavfqr

  • MD5

    a05e385f2439f2dd910cc4493e49287d

  • SHA1

    76e6a1c16044051e9375205efb8f77bc78f77e95

  • SHA256

    af7adc4ebe323d9f6b7356afad08d523b363bd240800b0a125d99be49826df16

  • SHA512

    050cf055d3a62336c81c2844457486569de3e0bc3c0d87156a764a90463cc184b781bcebdbebf846089c6ebb890bf097ef44ce316dfc0d87ab0e2b43a4709a30

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlC:86SIROiFJiwp0xlrlC

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe
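Turning the extracted config into a hunt over proxy logs, as an added example (not part of the original sandbox report): the C2 and payload_url indicators are the ones listed above; the log format, the hostnames other than the indicator host, and the sample lines are constructed for illustration. Pony panels receive stolen credentials through an HTTP POST to the gate script, so the scanner also flags POSTs to any `/gate.php` path on hosts not yet in the indicator list.

```python
"""Scan web-proxy log lines for traffic to the Pony C2 and payload URL.

Added example, not part of the original sandbox report. The log format and
the sample lines are constructed; the two indicator URLs come from the
extracted config above.
"""
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the extracted config above.
PONY_C2_URL = "http://don.service-master.eu/gate.php"
PONY_PAYLOAD_URL = "http://don.service-master.eu/shit.exe"
IOC_HOSTS = {urlsplit(u).hostname for u in (PONY_C2_URL, PONY_PAYLOAD_URL)}

# Pony panels conventionally receive stolen credentials via an HTTP POST to
# gate.php; a POST to that path on any host is worth a look even if the host
# is not yet in the indicator list.
GENERIC_GATE_PATH = "/gate.php"

# Constructed log lines (timestamp, client, method, url, status), not real traffic.
SAMPLE_LOG = """\
2024-06-12T14:02:11Z 10.0.0.23 GET http://example.com/index.html 200
2024-06-12T14:02:15Z 10.0.0.23 POST http://don.service-master.eu/gate.php 200
2024-06-12T14:02:16Z 10.0.0.23 GET http://DON.service-master.eu/shit.exe 200
2024-06-12T14:03:40Z 10.0.0.31 POST http://panel.invalid/pony/gate.php 404
2024-06-12T14:04:02Z 10.0.0.40 GET http://example.com/gate.php.html 200
"""


def classify(method: str, url: str) -> Optional[str]:
    """Return a verdict for one request, or None if it is not interesting."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname is case-insensitive
    if host in IOC_HOSTS:
        if parts.path == urlsplit(PONY_PAYLOAD_URL).path:
            return "pony-payload-download"
        if parts.path == urlsplit(PONY_C2_URL).path:
            # The check-in is a POST; a GET to the gate is still C2 contact.
            return "pony-c2-checkin" if method == "POST" else "pony-c2-host"
        return "pony-c2-host"
    if method == "POST" and parts.path.endswith(GENERIC_GATE_PATH):
        return "generic-gate-post"
    return None


def find_pony_hits(log_text: str) -> list:
    """Parse the constructed log format and return every matching request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the scan
        ts, client, method, url, _status = fields
        verdict = classify(method.upper(), url)
        if verdict:
            hits.append({"time": ts, "client": client, "url": url, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_pony_hits(SAMPLE_LOG):
        print(hit)
```

The host comparison goes through `urlsplit` rather than a substring match so that `gate.php.html` on an unrelated host, or the indicator domain appearing inside a longer hostname, does not produce a false hit; the 404 on the unknown panel is still reported, since a failed check-in is as interesting as a successful one.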

Targets

    • Target

      a05e385f2439f2dd910cc4493e49287d_JaffaCakes118

    • Size

      2.6MB

    • MD5

      a05e385f2439f2dd910cc4493e49287d

    • SHA1

      76e6a1c16044051e9375205efb8f77bc78f77e95

    • SHA256

      af7adc4ebe323d9f6b7356afad08d523b363bd240800b0a125d99be49826df16

    • SHA512

      050cf055d3a62336c81c2844457486569de3e0bc3c0d87156a764a90463cc184b781bcebdbebf846089c6ebb890bf097ef44ce316dfc0d87ab0e2b43a4709a30

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlC:86SIROiFJiwp0xlrlC

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan: it harvests stored passwords from browsers, FTP, email and other clients, posts them to the C2 gate script (here gate.php) and can download and execute further payloads (the payload_url above).

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
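The registry and file-system behaviours listed above map to host telemetry a detection engineer can alert on. The following is an added example, not code from the original report or the sandbox: the event records are constructed in a Sysmon-like shape (EventID 13 for a registry value set, EventID 11 for a file created), the image path and file names are illustrative, and the ATT&CK technique IDs are my own mapping of the report's signatures, not a mapping the report provides.

```python
"""Detect the Winlogon, Explorer-visibility, Run-key and Startup-folder
behaviours from the report in Sysmon-style events.

Added example, not part of the original report. Events, paths and file
names are constructed; technique IDs are the author's mapping.
"""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_ADV = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RUN_KEYS = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
}
STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Clean-host defaults for the Winlogon values malware likes to hook.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
# Hidden=2 hides hidden files, ShowSuperHidden=0 hides protected OS files.
HIDE_SETTINGS = {("Hidden", "DWORD (0x00000002)"),
                 ("ShowSuperHidden", "DWORD (0x00000000)")}

DROPPED = r"C:\Users\victim\AppData\Roaming\svhost.exe"  # hypothetical dropped EXE

SAMPLE_EVENTS = [  # constructed, not taken from the sandbox run
    {"EventID": 13, "Image": DROPPED, "TargetObject": WINLOGON + r"\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe," + DROPPED},
    {"EventID": 13, "Image": DROPPED, "TargetObject": EXPLORER_ADV + r"\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": DROPPED, "TargetObject": EXPLORER_ADV + r"\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost",
     "Details": DROPPED},
    {"EventID": 11, "Image": DROPPED,
     "TargetFilename": r"C:\Users\victim\AppData\Roaming" + STARTUP_DIR + "update.lnk"},
    # A user turning "show hidden files" on is benign and must not fire.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": EXPLORER_ADV + r"\Hidden", "Details": "DWORD (0x00000001)"},
]


def _finding(technique: str, detail: str, image: str) -> dict:
    return {"technique": technique, "detail": detail, "image": image}


def detect_persistence(events: list) -> list:
    """Return one finding per event matching a behaviour from the report."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["EventID"] == 13:
            key, _, value = ev["TargetObject"].rpartition("\\")
            details = ev.get("Details", "")
            if key.lower() == WINLOGON.lower() and value in WINLOGON_DEFAULTS:
                # Compare without the trailing comma so the default itself never fires.
                if details.rstrip(",").lower() != WINLOGON_DEFAULTS[value].rstrip(",").lower():
                    findings.append(_finding("T1547.004", f"Winlogon {value} set to {details}", image))
            elif key.lower() == EXPLORER_ADV.lower() and (value, details) in HIDE_SETTINGS:
                findings.append(_finding("T1564.001", f"Explorer {value} = {details}", image))
            elif key.lower() in RUN_KEYS:
                findings.append(_finding("T1547.001", f"Run value {value} -> {details}", image))
        elif ev["EventID"] == 11 and STARTUP_DIR.lower() in ev.get("TargetFilename", "").lower():
            findings.append(_finding("T1547.001", "Startup folder drop: " + ev["TargetFilename"], image))
    return findings


if __name__ == "__main__":
    for f in detect_persistence(SAMPLE_EVENTS):
        print(f)
```

The Winlogon rule compares against the clean default rather than alerting on any write, since installers and Group Policy touch that key legitimately; the Explorer rule only fires on the hide-everything combination, so a user switching hidden files on is ignored. The report's remaining behaviour, "Suspicious use of SetThreadContext", is the classic process-hollowing primitive (T1055.012) and is visible in an API trace or via a process-memory comparison, not in registry telemetry, so it is out of scope for this block.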

MITRE ATT&CK Enterprise v15

Tasks