General

  • Target

    a0a0e9c33e9ca091af46e6165565f972_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-pdgwvsxhpk

  • MD5

    a0a0e9c33e9ca091af46e6165565f972

  • SHA1

    343306ffab39073bde6446d5f016ad95006d3503

  • SHA256

    2392b4d97d70da71be32abd123f1ece619754601fce7efdc54563c2431cfa175

  • SHA512

    c2093a59d335815f9e4fa8f952056393c06b353f8e4b902b869a0ca9a7b3220d8a0c13b1dba92ebd9103ebe39043a86524675a3a28977bebe2402dd5b1456a1c

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZc:0UzeyQMS4DqodCnoe+iitjWwwA

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a0a0e9c33e9ca091af46e6165565f972_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony (also tracked as Fareit) is an information-stealing trojan and downloader: it harvests saved credentials from browsers, FTP, e-mail and other clients, posts them to its C2 gate, and can fetch and run additional payloads such as the payload_url in the extracted config above.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext (commonly seen in process hollowing, where a dropped payload is written into a suspended process and its entry point redirected)
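The extracted config (C2 gate and payload URL) and the behavioural signatures above translate directly into host and network detections. The following is an added example, not part of this sandbox report and not code from the sandbox or from any Pony tooling: it replays constructed key=value event lines (modelled loosely on Sysmon event IDs 13, 22 and 3 plus one proxy line, and constructed for illustration rather than taken from the run) against the report's IOCs and flags the Winlogon, Explorer-visibility and Run-key changes the signatures describe. The key=value line layout, the sample SID and the sample paths are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Network IOCs taken from the extracted Pony config on this page.
C2_URL = "http://don.service-master.eu/gate.php"
PAYLOAD_URL = "http://don.service-master.eu/shit.exe"
IOC_URLS = {C2_URL, PAYLOAD_URL}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

# Values Windows expects in the Winlogon key. Persistence via this key works
# by appending a second binary (e.g. "explorer.exe,C:\...\evil.exe").
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}

# Constructed event lines (assumed key=value layout, illustrative SID/paths).
# Two of them are benign on purpose so the checks are seen to discriminate.
SAMPLE_EVENTS = [
    r"EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Details=explorer.exe,C:\Users\victim\AppData\Roaming\svchost.exe",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000002)",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden Details=DWORD (0x00000000)",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost Details=C:\Users\victim\AppData\Roaming\svchost.exe",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",  # benign: user chose to show hidden files
    r"EventID=22 QueryName=don.service-master.eu",
    r"EventID=3 DestinationHostname=don.service-master.eu DestinationPort=80",
    r"EventID=3 DestinationHostname=update.example.org DestinationPort=443",  # benign
    r"Url=http://don.service-master.eu/gate.php Method=POST",
]

# key=value pairs whose values may contain spaces ("Windows NT", "DWORD (0x2)").
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one key=value event line into a dict."""
    return dict(KV_RE.findall(line.strip()))


def dword(value):
    """Extract the integer from a Sysmon-style 'DWORD (0x00000002)' string."""
    m = re.search(r"0x([0-9a-fA-F]+)", value)
    return int(m.group(1), 16) if m else None


def check_registry(ev):
    """Flag the persistence and Explorer-visibility changes the report lists."""
    obj, val = ev.get("TargetObject", ""), ev.get("Details", "")
    key, _, name = obj.rpartition("\\")
    key_l, name_l = key.lower(), name.lower()
    if key_l.endswith(r"\currentversion\winlogon") and name_l in WINLOGON_DEFAULTS:
        if val.lower().rstrip(",") != WINLOGON_DEFAULTS[name_l]:
            return f"Winlogon {name} changed to {val!r}"
    if key_l.endswith(r"\explorer\advanced"):
        if name_l == "hidden" and dword(val) == 2:
            return "Explorer set to hide hidden files (Hidden=2)"
        if name_l == "showsuperhidden" and dword(val) == 0:
            return "Explorer set to hide protected OS files (ShowSuperHidden=0)"
    if re.search(r"\\currentversion\\run(once)?$", key_l):
        return f"Run key added: {name} -> {val}"
    return None


def check_network(ev):
    """Flag DNS lookups, connections or HTTP requests to the configured C2."""
    host = ev.get("DestinationHostname") or ev.get("QueryName")
    if host and host.lower() in IOC_HOSTS:
        return f"contact with Pony infrastructure: {host}"
    url = ev.get("Url")
    if url and url in IOC_URLS:
        return f"request to Pony URL: {url}"
    return None


def scan(lines):
    """Run every check over every event line; return the list of findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_registry, check_network):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events this yields seven findings (four registry, three network) and stays silent on the two benign lines. The SetThreadContext signature is not covered here because it is an API-level observation rather than a registry or network artifact; it would be caught by ETW/EDR telemetry on a suspended-process create followed by WriteProcessMemory and SetThreadContext, not by the log shapes above.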

MITRE ATT&CK Enterprise v15

Tasks