General

  • Target

    a10703677d0e427a756bbefad450a74d_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-r3lx8asekr

  • MD5

    a10703677d0e427a756bbefad450a74d

  • SHA1

    68fa6212bc1c2dc3ed7c79e859cae4cc1a12257b

  • SHA256

    e2e88104cd583d83340a0cada31043d1e567aa0ea9fbeaf0f7495d2631ae99e5

  • SHA512

    d4d80eb983a687080d4c328f7415a5c71b3ee450211a9998f9e2f5166365c26d7724f802b254a3ca3f3ce9138ace7566fd5139e5f920c366a0d034606f58c516

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZR:0UzeyQMS4DqodCnoe+iitjWww1

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a10703677d0e427a756bbefad450a74d_JaffaCakes118

    • Size

      2.2MB

    • MD5

      a10703677d0e427a756bbefad450a74d

    • SHA1

      68fa6212bc1c2dc3ed7c79e859cae4cc1a12257b

    • SHA256

      e2e88104cd583d83340a0cada31043d1e567aa0ea9fbeaf0f7495d2631ae99e5

    • SHA512

      d4d80eb983a687080d4c328f7415a5c71b3ee450211a9998f9e2f5166365c26d7724f802b254a3ca3f3ce9138ace7566fd5139e5f920c366a0d034606f58c516

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZR:0UzeyQMS4DqodCnoe+iitjWww1

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks