General

  • Target

    a06492990431c2fe36f08f3c0ed27608_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-mx3xbsvhmp

  • MD5

    a06492990431c2fe36f08f3c0ed27608

  • SHA1

    825d96a17c67da489b28bfa4d94c54d0d9daf927

  • SHA256

    76de626c5c3dff0ad104890393d15098828afd434d6363356b1b63b2fde54427

  • SHA512

    0f227f120ae3a6b849a018b8e209c3747b1ad403cb72ab7354655f20d6bc9834ee8cddc65b9f08967726ed38e8f0b414439f26146475473e44454b799a062a58

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ0:0UzeyQMS4DqodCnoe+iitjWwwo

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe
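
The extracted config gives two network IOCs: the check-in gate and the second-stage download. The following is an added example, not part of the sandbox report, showing how a practitioner would turn those two URLs into a proxy-log check that distinguishes an exact URL hit from any other request to the same C2 host, and that pairs a gate.php check-in with a shit.exe fetch from the same client. The log lines are constructed in a Squid-like layout for illustration; only the host and paths come from the report.

```python
"""Match the Pony C2 and payload URLs from this report against proxy logs.

Added example, not part of the sandbox report. The log lines below are
constructed for illustration; the IOC values come from the Malware Config
section (host don.service-master.eu, /gate.php, /shit.exe).
"""
from urllib.parse import urlparse

# IOCs lifted from the report's extracted Pony config.
C2_URL = "http://don.service-master.eu/gate.php"
PAYLOAD_URL = "http://don.service-master.eu/shit.exe"

# Constructed access-log excerpt (not real traffic):
# timestamp client method url status
SAMPLE_LOG = """\
1718200001.101 10.0.0.12 GET http://example.com/index.html 200
1718200002.250 10.0.0.12 POST http://don.service-master.eu/gate.php 200
1718200003.010 10.0.0.12 GET http://don.service-master.eu/shit.exe 200
1718200004.770 10.0.0.31 GET http://DON.SERVICE-MASTER.EU/other.php 404
1718200005.003 10.0.0.44 GET http://service-master.eu.evil.example/x 200
"""


def ioc_set(urls):
    """Return (hosts, (host, path) pairs) normalised to lowercase hosts."""
    hosts = set()
    full = set()
    for u in urls:
        p = urlparse(u)
        hosts.add(p.hostname.lower())
        full.add((p.hostname.lower(), p.path))
    return hosts, full


def scan_proxy_log(text, urls=(C2_URL, PAYLOAD_URL)):
    """Return (client, reason, line) for each hit.

    A hit is either an exact URL match (host + path) or any request to a
    known C2 host, flagged separately so new paths on an already-bad host
    are still surfaced. Host comparison is case-insensitive and exact, so
    look-alike domains that merely contain the string do not match.
    """
    hosts, full = ioc_set(urls)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed or truncated lines
        _ts, client, method, url, _status = parts[:5]
        p = urlparse(url)
        host = (p.hostname or "").lower()
        if (host, p.path) in full:
            hits.append((client, f"exact IOC {method} {p.path}", line))
        elif host in hosts:
            hits.append((client, f"known C2 host, new path {p.path}", line))
    return hits


def infected_clients(hits):
    """Clients that both checked in to gate.php and fetched the payload."""
    by_client = {}
    for client, reason, _line in hits:
        by_client.setdefault(client, set()).add(reason)
    return sorted(
        c for c, reasons in by_client.items()
        if any("/gate.php" in r for r in reasons)
        and any("/shit.exe" in r for r in reasons)
    )


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for client, reason, line in found:
        print(f"{client}: {reason}\n    {line}")
    print("check-in followed by payload fetch:", infected_clients(found))
```

Treat the host match as the durable indicator: the operator can rename gate.php or shit.exe without touching the domain, which is why a request to the host with an unknown path is reported rather than ignored.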

Targets

    • Target

      a06492990431c2fe36f08f3c0ed27608_JaffaCakes118

    • Size

      2.2MB

    • MD5

      a06492990431c2fe36f08f3c0ed27608

    • SHA1

      825d96a17c67da489b28bfa4d94c54d0d9daf927

    • SHA256

      76de626c5c3dff0ad104890393d15098828afd434d6363356b1b63b2fde54427

    • SHA512

      0f227f120ae3a6b849a018b8e209c3747b1ad403cb72ab7354655f20d6bc9834ee8cddc65b9f08967726ed38e8f0b414439f26146475473e44454b799a062a58

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ0:0UzeyQMS4DqodCnoe+iitjWwwo

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony (also tracked as Fareit) is an information-stealing trojan that harvests stored credentials from the infected host, posts them to its C2 gate and can download and execute further payloads, which is what the payload_url in the extracted config points at.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
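
Three of the signatures above are registry writes (Winlogon, Run key, Explorer hidden-file settings). The following is an added example, not part of the sandbox report, showing detection logic for those three behaviours run over constructed events in the shape of Sysmon Event ID 13 (registry value set) records. The process image, SID, value names and file paths in the events are illustrative and are not taken from this sample; the Winlogon defaults and the Explorer `Hidden`/`ShowSuperHidden` semantics are standard Windows values.

```python
"""Flag the Winlogon, Run-key and Explorer-visibility behaviours in registry telemetry.

Added example, not from the sandbox report. Events are constructed in the
shape of Sysmon Event ID 13 (registry value set) records: (Image,
TargetObject, Details). Paths and values are illustrative, not from the sample.
"""
import re

# Constructed events, not real telemetry.
EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "DWORD (0x00000001)"),  # user turning hidden files on: benign
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe",
     "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "DWORD (0x00000002)"),  # 2 = do not show hidden files
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe",
     "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
     "DWORD (0x00000000)"),  # 0 = hide protected OS files
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe",
     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "explorer.exe,C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"),
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe",
     "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"),
    ("C:\\Windows\\System32\\msiexec.exe",
     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "C:\\Program Files\\Vendor\\agent.exe"),  # installer-written, left alone
]

# Default Winlogon values; anything appended means a hijacked logon chain.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {"c:\\windows\\system32\\userinit.exe"},
}

# Binaries launched from user-writable locations are the Run-key entries worth flagging.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _dword(details):
    """Extract the integer from a Sysmon 'DWORD (0x........)' Details string."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def classify(image, target, details):
    """Return the list of signature names one registry-set event triggers."""
    t = target.lower()
    d = details.lower()
    out = []
    m = re.search(r"\\winlogon\\(shell|userinit)$", t)
    if m:
        values = {v.strip().rstrip("\\") for v in d.split(",") if v.strip()}
        if values - WINLOGON_DEFAULTS[m.group(1)]:
            out.append("Modifies WinLogon for persistence")
    if re.search(r"\\currentversion\\run(once)?\\[^\\]+$", t):
        if any(marker in d for marker in USER_WRITABLE):
            out.append("Adds Run key to start application")
    if t.endswith("\\explorer\\advanced\\hidden") and _dword(details) == 2:
        out.append("Modifies visibility of hidden/system files in Explorer")
    if t.endswith("\\explorer\\advanced\\showsuperhidden") and _dword(details) == 0:
        out.append("Modifies visibility of hidden/system files in Explorer")
    return out


def scan(events=EVENTS):
    """Group triggered signatures by the writing process image."""
    by_image = {}
    for image, target, details in events:
        for sig in classify(image, target, details):
            by_image.setdefault(image, set()).add(sig)
    return {img: sorted(sigs) for img, sigs in by_image.items()}


if __name__ == "__main__":
    for img, sigs in scan().items():
        print(img)
        for s in sigs:
            print("   ", s)
```

The Run-key rule deliberately keys on the destination path rather than the key itself, since legitimate installers write Run entries constantly; the Winlogon rule instead treats any departure from the default as a hit, because nothing legitimate appends a second binary there. The SetThreadContext signature is a process-level indicator (typically process hollowing) and needs thread or API telemetry, not registry events, so it is outside this check.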

MITRE ATT&CK Enterprise v15

Tasks