General

  • Target

    a11a98063914c64a0a27dc8d412ae2d8_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-sj4jlazbnb

  • MD5

    a11a98063914c64a0a27dc8d412ae2d8

  • SHA1

    0e84e981c5d9b820a6c2819cf9e9cbf19f449fa9

  • SHA256

    686d44ddbc8a856017c8d7f1d1159a0e3827e276eaf97609b00d17c002d4d8b6

  • SHA512

    9bd50fb5f9a4d373fc64acb9937be8091a3370ecb08e10fdce8e38f1af8c95f6028bcb01e52653df621236b2172607e39299c809af18a83304eb09ca2099ba32

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl8:86SIROiFJiwp0xlrl8

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a11a98063914c64a0a27dc8d412ae2d8_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks