General

  • Target

    a060bfe868aa5fe70bc62ace97ee6310_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-mvgw3svgmr

  • MD5

    a060bfe868aa5fe70bc62ace97ee6310

  • SHA1

    39b28c988896e6b509a37b253ed8af9fd2129573

  • SHA256

    bf0879db4c77024ebc8e9357a5cfe6649974dbd4b0a24d3a2ed1dbf7e14f94b3

  • SHA512

    7abc9c3e3c177c0811a335b331473768f7c202d03d793737c2c0ce2971aa5a309d6bf5b6d3ecd675240637b6b443beacc80bab2b18d831bedf9ba6070fe2cd92

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlu:86SIROiFJiwp0xlrlu

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a060bfe868aa5fe70bc62ace97ee6310_JaffaCakes118

    • Size

      2.6MB

    • MD5

      a060bfe868aa5fe70bc62ace97ee6310

    • SHA1

      39b28c988896e6b509a37b253ed8af9fd2129573

    • SHA256

      bf0879db4c77024ebc8e9357a5cfe6649974dbd4b0a24d3a2ed1dbf7e14f94b3

    • SHA512

      7abc9c3e3c177c0811a335b331473768f7c202d03d793737c2c0ce2971aa5a309d6bf5b6d3ecd675240637b6b443beacc80bab2b18d831bedf9ba6070fe2cd92

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlu:86SIROiFJiwp0xlrlu

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks