General

  • Target

    a16b10bc88fae3ddf8b7862fab6cb8bc_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-vgk1ksscnb

  • MD5

    a16b10bc88fae3ddf8b7862fab6cb8bc

  • SHA1

    9076ce5ff54eed4fbb73b607168fe470778d9f2b

  • SHA256

    c1d643463fad70b6b49588a841728097ed90beda875c34b751bb9325797d11f5

  • SHA512

    b4a87ed0f9fd578b3a5ebeab18152fcbc2adc703f5c7ae6fb10757cd5607629f84ae741fd0267092817f6eaa5f97a243b5d303e18f5ec982687f0f58e206b959

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlL:86SIROiFJiwp0xlrlL

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets


    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks