General

  • Target

    a1cf2d836da5b964b05032ccde25d049_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240612-xdzexawakg

  • MD5

    a1cf2d836da5b964b05032ccde25d049

  • SHA1

    5a194a572b68301187c8fa733f6afaf9727a8494

  • SHA256

    e918b46636f4bdf2f82ea5638d1b86c99c6ff7b9de89075a068135b1742717f0

  • SHA512

    94ce12141ba3f7b691da3c0088be99e24df839f91ec61e9fc24210f6f0ee56bd4ad06a39ff0c6b2c4e02841da3e3582e6d888e308392c0157447f82d05d41c24

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZo:0UzeyQMS4DqodCnoe+iitjWwwE

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks