General

  • Target

    a1816c956e7bde9e4fcf5b4d98c479cd_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-v18kzsxbjl

  • MD5

    a1816c956e7bde9e4fcf5b4d98c479cd

  • SHA1

    e001e007d212fb6f75239cdf2e5c7d8aff47a9c4

  • SHA256

    d6f04d8269d92b16581159950c1d17717cd7f9d9768ea7dc39135633581ae76c

  • SHA512

    e88b45372ed1bb49eb92b21cfb2cbbf961735bea63ee1d9827c8cb541344cf1414ec84e460cee039f706b13c8cb313a65788d960e82530ab7b8616572ffb7110

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl/:86SIROiFJiwp0xlrl/

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a1816c956e7bde9e4fcf5b4d98c479cd_JaffaCakes118

    • Size

      2.6MB

    • MD5

      a1816c956e7bde9e4fcf5b4d98c479cd

    • SHA1

      e001e007d212fb6f75239cdf2e5c7d8aff47a9c4

    • SHA256

      d6f04d8269d92b16581159950c1d17717cd7f9d9768ea7dc39135633581ae76c

    • SHA512

      e88b45372ed1bb49eb92b21cfb2cbbf961735bea63ee1d9827c8cb541344cf1414ec84e460cee039f706b13c8cb313a65788d960e82530ab7b8616572ffb7110

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl/:86SIROiFJiwp0xlrl/

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks