General

  • Target

    a1d1cc8597482b3e9573af17f9602fce_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240612-xe7snszbkp

  • MD5

    a1d1cc8597482b3e9573af17f9602fce

  • SHA1

    aadc3cbc30a4ee196ea182dda493a764cb338bc9

  • SHA256

    e9c1ef1640a6120929f8c8923950b1da47a404122996001e7d2e86abf7bfe2ae

  • SHA512

    bd41857e80cbc70c55244abcc93017c0389edc1014c3aa0667c4379cd748bb3b770d824eb0c026f60dc7c2f78a203d0cf1a065fd208d88231e434d8b073e6250

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlH:86SIROiFJiwp0xlrlH

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a1d1cc8597482b3e9573af17f9602fce_JaffaCakes118

    • Size

      2.6MB

    • MD5

      a1d1cc8597482b3e9573af17f9602fce

    • SHA1

      aadc3cbc30a4ee196ea182dda493a764cb338bc9

    • SHA256

      e9c1ef1640a6120929f8c8923950b1da47a404122996001e7d2e86abf7bfe2ae

    • SHA512

      bd41857e80cbc70c55244abcc93017c0389edc1014c3aa0667c4379cd748bb3b770d824eb0c026f60dc7c2f78a203d0cf1a065fd208d88231e434d8b073e6250

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlH:86SIROiFJiwp0xlrlH

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks