General

  • Target

    a1833b1713d89b066f69f5649c8b43f1_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-v25kqaxbmj

  • MD5

    a1833b1713d89b066f69f5649c8b43f1

  • SHA1

    2d02d0ff300351bfa1a767fa8d41cb81e7087c0d

  • SHA256

    86bde8cdfbb93b89b494e3ab2d560c49dc576fe21d5f420ba30c25e537228dfd

  • SHA512

    39def1ea712d850a3c533198c8529da74346621c2c31dd2d9e75c16ff5231e85952624d8456e60fcc8e2d3c9519df0399bbbd091dabed4e96664f11d9b2080a9

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZl:0UzeyQMS4DqodCnoe+iitjWwwZ

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a1833b1713d89b066f69f5649c8b43f1_JaffaCakes118

    • Size

      2.2MB

    • MD5

      a1833b1713d89b066f69f5649c8b43f1

    • SHA1

      2d02d0ff300351bfa1a767fa8d41cb81e7087c0d

    • SHA256

      86bde8cdfbb93b89b494e3ab2d560c49dc576fe21d5f420ba30c25e537228dfd

    • SHA512

      39def1ea712d850a3c533198c8529da74346621c2c31dd2d9e75c16ff5231e85952624d8456e60fcc8e2d3c9519df0399bbbd091dabed4e96664f11d9b2080a9

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZl:0UzeyQMS4DqodCnoe+iitjWwwZ

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks