General

  • Target

    a1baef63fa00f74fbec1b1e684193eae_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-w2hlmayeln

  • MD5

    a1baef63fa00f74fbec1b1e684193eae

  • SHA1

    a7164291ae262162a7ae8dc9d903198245384653

  • SHA256

    63f5e390e5e7d4707b61530ed7f3435c28116390506ce4256e3fe5662be736d1

  • SHA512

    46a18b606940e8924f3a0abe072acb2e1fbfd2574892870be66bf25915e8a461d437d54a8848e16adebdcb351d2f90a25c8bc81927af31f5d266e14d7f035fec

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZE:0UzeyQMS4DqodCnoe+iitjWwwI

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a1baef63fa00f74fbec1b1e684193eae_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
