General

  • Target

    a17b504d07baefed2e7d082d71ef3741_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-vybhgasgpc

  • MD5

    a17b504d07baefed2e7d082d71ef3741

  • SHA1

    9b79f08963d8dddc77bb6499fb03a757a1ec1bb2

  • SHA256

    596b821ca22137216ea7ab856a290abe60f9a1dfc21e961e6ee32ef59f8fe67a

  • SHA512

    eeb68b6386b437079f16ebded211249427ad5d7163dc5db842efdf45380b9e83738ca34980bf55c1940b9e1d1b0f51cad95c8800ef8afddcec51baddd049d1c5

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwC

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a17b504d07baefed2e7d082d71ef3741_JaffaCakes118


    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks