General

  • Target

    a104c1191a89b58259e77808a9a210ea_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-rz9j4sydma

  • MD5

    a104c1191a89b58259e77808a9a210ea

  • SHA1

    c1f3b1c81188cce7b6734d8c712af11547517f17

  • SHA256

    eeb258f2b845e42a76e0d3193dcadb93f5b3beda620648d8a7166c02d197bf69

  • SHA512

    75cfa5a73ede4b4b594235452c1c0d9d76c19f95b9d827e5584ab2748c521bd053b4dfda5da37a2c7b24bb07c818b6137452ef04af6ef5fec473967ff2a9f835

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl/:86SIROiFJiwp0xlrl/

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe
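The two URLs above are the only network indicators the extracted config gives. The following is an added example (not part of the sandbox report) that turns them into a small proxy-log matcher: exact host+path hits for the C2 gate and the payload download, a looser hit for any other request to the C2 host, and a hunting heuristic (assumed, not from the report) for POSTs to a `/gate.php` path on any host, since that is the path Pony-style stealers post harvested credentials to. The log format and all log lines are constructed for illustration.

```python
"""Match the report's extracted Pony config against HTTP proxy log lines.

Added example; not part of the sandbox report. Only PONY_C2 and
PONY_PAYLOAD_URL come from the report's Malware Config; the log format,
the sample lines and the /gate.php heuristic are assumptions.
"""
from urllib.parse import urlsplit

# Indicators taken from the report's "Malware Config" section.
PONY_C2 = "http://don.service-master.eu/gate.php"
PONY_PAYLOAD_URL = "http://don.service-master.eu/shit.exe"


def normalise(url):
    """Return (host, path) in lower case so scheme, case and port variants still match."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path


KNOWN = {
    normalise(PONY_C2): "pony_c2_gate",
    normalise(PONY_PAYLOAD_URL): "pony_payload_download",
}
KNOWN_HOSTS = {host for host, _ in KNOWN}


def classify(method, url):
    """Classify one request; returns a tag or None.

    Exact host+path matches use the report's indicators. Any other request
    to the C2 host is still worth a ticket. The last rule is an assumed
    hunting heuristic: a POST to a /gate.php endpoint on an unknown host.
    """
    host, path = normalise(url)
    if (host, path) in KNOWN:
        return KNOWN[(host, path)]
    if host in KNOWN_HOSTS:
        return "pony_c2_host_other_path"
    if method.upper() == "POST" and path.lower().endswith("/gate.php"):
        return "suspect_gate_php_post"
    return None


def scan_proxy_log(lines):
    """Parse constructed proxy lines of the form '<ts> <src_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the sweep
        ts, src, method, url, _status = fields[:5]
        tag = classify(method, url)
        if tag:
            hits.append({"ts": ts, "src": src, "url": url, "tag": tag})
    return hits


# Constructed sample log; not real traffic.
SAMPLE_LOG = [
    "2024-06-12T10:01:03Z 10.0.0.15 GET http://example.com/index.html 200",
    "2024-06-12T10:01:09Z 10.0.0.15 POST http://don.service-master.eu/gate.php 200",
    "2024-06-12T10:01:11Z 10.0.0.15 GET http://don.service-master.eu/shit.exe 200",
    "2024-06-12T10:02:40Z 10.0.0.22 POST http://203.0.113.7:8080/panel/gate.php 200",
    "2024-06-12T10:03:00Z 10.0.0.15 GET http://DON.SERVICE-MASTER.EU/other.php 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Host and path are compared separately so that a port suffix or upper-case hostname in the log does not hide a match; the 404 to `other.php` is still reported because any contact with the C2 host matters, even when the request itself fails.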

Targets

    • Target

      a104c1191a89b58259e77808a9a210ea_JaffaCakes118

    • Size

      2.6MB

    • MD5

      a104c1191a89b58259e77808a9a210ea

    • SHA1

      c1f3b1c81188cce7b6734d8c712af11547517f17

    • SHA256

      eeb258f2b845e42a76e0d3193dcadb93f5b3beda620648d8a7166c02d197bf69

    • SHA512

      75cfa5a73ede4b4b594235452c1c0d9d76c19f95b9d827e5584ab2748c521bd053b4dfda5da37a2c7b24bb07c818b6137452ef04af6ef5fec473967ff2a9f835

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl/:86SIROiFJiwp0xlrl/

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan: it harvests stored passwords from browsers, FTP and mail clients, posts them to the C2 gate, and can download and run a further payload, which is what the payload_url attribute above refers to.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext (commonly seen in process hollowing, where a suspended child process is overwritten with the payload before its main thread is redirected to it)
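Four of the indicators above are registry changes (Winlogon, Explorer hidden-file settings, Installed Components, Run key). The following is an added example, not part of the sandbox report and not code from the sample, that triages a registry snapshot for exactly those changes. The snapshot is a constructed dict standing in for values exported from a host (on Windows you would populate it from `winreg`); every file name and GUID in it is invented. The "user-writable directory" heuristic for Run and StubPath entries and the stock Winlogon defaults are assumptions of the example.

```python
"""Triage the registry persistence indicators listed in the report.

Added example; not part of the sandbox report or the malware. SNAPSHOT is
a constructed dict of key -> {value name: data}; all paths are invented.
"""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
ACTIVE_SETUP = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Stock Winlogon values (assumed defaults); persistence appends its own binary.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
# Explorer settings a dropper flips to keep its files out of sight:
# Hidden=2 hides hidden files, ShowSuperHidden=0 hides protected OS files.
EXPLORER_HIDING = {"Hidden": 2, "ShowSuperHidden": 0}
# Directories a user-level dropper can write to (heuristic, assumed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def image_path(command):
    """Return the executable path from a Run/StubPath command line, lower case."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        exe = parts[0] if parts else ""
    return exe.lower()


def check_winlogon(snapshot):
    """Flag Shell/Userinit values that differ from the stock defaults."""
    out = []
    for name, default in WINLOGON_DEFAULTS.items():
        current = snapshot.get(WINLOGON, {}).get(name)
        if current is not None and current.lower().rstrip(",") != default.lower().rstrip(","):
            out.append(("winlogon_modified", f"{name}={current}"))
    return out


def check_explorer(snapshot):
    """Flag Explorer view settings set to hide hidden or system files."""
    values = snapshot.get(EXPLORER_ADV, {})
    return [("explorer_hides_files", f"{n}={values[n]}")
            for n, bad in EXPLORER_HIDING.items() if values.get(n) == bad]


def check_run_keys(snapshot):
    """Flag Run entries whose image lives in a user-writable directory."""
    out = []
    for key in RUN_KEYS:
        for name, command in snapshot.get(key, {}).items():
            exe = image_path(command)
            if any(d in exe for d in USER_WRITABLE):
                out.append(("run_key_user_writable", f"{key}\\{name} -> {exe}"))
    return out


def check_active_setup(snapshot):
    """Flag Installed Components StubPath entries launching from user-writable dirs."""
    out = []
    for key, values in snapshot.items():
        if key.lower().startswith(ACTIVE_SETUP.lower()) and "StubPath" in values:
            exe = image_path(values["StubPath"])
            if any(d in exe for d in USER_WRITABLE):
                out.append(("active_setup_stubpath", f"{key} -> {exe}"))
    return out


def triage(snapshot):
    return (check_winlogon(snapshot) + check_explorer(snapshot)
            + check_run_keys(snapshot) + check_active_setup(snapshot))


# Constructed snapshot; file names and the GUID are invented, not from the sample.
SNAPSHOT = {
    WINLOGON: {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\updater.exe",
    },
    EXPLORER_ADV: {"Hidden": 2, "ShowSuperHidden": 0},
    RUN_KEYS[0]: {
        "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
        "WinUpdate": r'"C:\Users\bob\AppData\Local\Temp\win.exe"',
    },
    ACTIVE_SETUP + r"\{ABCD1234-0000-0000-0000-000000000000}": {
        "StubPath": r"C:\ProgramData\svc\init.exe /s",
    },
}

if __name__ == "__main__":
    for tag, detail in triage(SNAPSHOT):
        print(tag, detail)
```

The Winlogon check compares against the stock value rather than looking for a specific string, so it also catches a replaced Shell or a second Userinit entry; the Run and StubPath checks deliberately ignore the legitimate Program Files entry and only surface binaries launched from locations a non-admin dropper could have written.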

MITRE ATT&CK Enterprise v15

Tasks