General

  • Target

    aaa7c91c49b1217f6ee975aa643e32ef_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240614-tt2cna1hrj

  • MD5

    aaa7c91c49b1217f6ee975aa643e32ef

  • SHA1

    85b676c7efe425236382b2cb0ca4b08329c5dc96

  • SHA256

    fb03de5893332f5a1d6d157c3e2e7a529d761845d358aa4158b129e2ce47cedd

  • SHA512

    abaaf05de429dd13854a246c31cc8f096ee9f01bffc9023af59ac70bc885faca1ae60330460bfb6c348606024dfcab22b29c6ae9f66e96c17db28dae2b96eac3

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZx:0UzeyQMS4DqodCnoe+iitjWwwF

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      aaa7c91c49b1217f6ee975aa643e32ef_JaffaCakes118

    • Size

      2.2MB

    • MD5

      aaa7c91c49b1217f6ee975aa643e32ef

    • SHA1

      85b676c7efe425236382b2cb0ca4b08329c5dc96

    • SHA256

      fb03de5893332f5a1d6d157c3e2e7a529d761845d358aa4158b129e2ce47cedd

    • SHA512

      abaaf05de429dd13854a246c31cc8f096ee9f01bffc9023af59ac70bc885faca1ae60330460bfb6c348606024dfcab22b29c6ae9f66e96c17db28dae2b96eac3

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZx:0UzeyQMS4DqodCnoe+iitjWwwF

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks