General

  • Target

    a1658d1fc60724d64210d898de0bd824_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-vbtqjawbqn

  • MD5

    a1658d1fc60724d64210d898de0bd824

  • SHA1

    0291c411275dd5064271a46444ab9d6622282f1e

  • SHA256

    b874d4c4aa4ea1cc9dd95c5e6498744f3925cd35994d3c51f0a1b621f69a47b0

  • SHA512

    2e83ba3bfa4c6a27b13fa687b6ed7359696d02308c26331372239e62ff5f47293d96615b52a7a67dcd56b4a1f775e3c1ac50662c997d6944951864b9ce0eea33

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZM:0UzeyQMS4DqodCnoe+iitjWwwg

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a1658d1fc60724d64210d898de0bd824_JaffaCakes118

    • Size

      2.2MB

    • MD5

      a1658d1fc60724d64210d898de0bd824

    • SHA1

      0291c411275dd5064271a46444ab9d6622282f1e

    • SHA256

      b874d4c4aa4ea1cc9dd95c5e6498744f3925cd35994d3c51f0a1b621f69a47b0

    • SHA512

      2e83ba3bfa4c6a27b13fa687b6ed7359696d02308c26331372239e62ff5f47293d96615b52a7a67dcd56b4a1f775e3c1ac50662c997d6944951864b9ce0eea33

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZM:0UzeyQMS4DqodCnoe+iitjWwwg

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks