Resubmissions

14-06-2024 16:13

240614-tn93lsxgle 10

14-06-2024 16:10

240614-tmjt2a1frl 10

General

  • Target

    aa993c65a625995fd0e1a8ff413a897f_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240614-tmjt2a1frl

  • MD5

    aa993c65a625995fd0e1a8ff413a897f

  • SHA1

    cfd698364640f9f4c2551dbec2346a2e93d4d7b0

  • SHA256

    1e96f59818fde290af65c27a019c58c11066eabfbf10f437e02d2e686326fbb9

  • SHA512

    a9c56d7ee5a8984b7682fc50507e7cc3fe07bc7c323f76c9334fd501d3810582a3370c338a27da51b07f066503d5bb0c851db99b5bd77c1f1d00e2b27b75dbcc

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZI:0UzeyQMS4DqodCnoe+iitjWww8

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks