General

  • Target

    a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240613-2jsa1atbja

  • MD5

    a6ec7fb68787c2147a4e951e19d3ba41

  • SHA1

    9844321e0bf3fad5ec9b99191d16bc019dfa18f4

  • SHA256

    e5712610af22299b22a75c4e4000e266f6b58bd0334dade6f666574e1054d605

  • SHA512

    764459715c00113905470b7ea3fcda1dddcaf1cfb6f01eae05b308a524b9fc57afff58b5d39e1fb7edebba8da701fd13d329d5a323e297f6f071f183cc74bacb

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZq:0UzeyQMS4DqodCnoe+iitjWwwW

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118

    • Size

      2.2MB

    • MD5

      a6ec7fb68787c2147a4e951e19d3ba41

    • SHA1

      9844321e0bf3fad5ec9b99191d16bc019dfa18f4

    • SHA256

      e5712610af22299b22a75c4e4000e266f6b58bd0334dade6f666574e1054d605

    • SHA512

      764459715c00113905470b7ea3fcda1dddcaf1cfb6f01eae05b308a524b9fc57afff58b5d39e1fb7edebba8da701fd13d329d5a323e297f6f071f183cc74bacb

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZq:0UzeyQMS4DqodCnoe+iitjWwwW

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks