General
Target: ae0fb89e463b805d5dbbd236c75c3077_JaffaCakes118
Size: 2.6MB
Sample: 240615-mvqtzsxfkc
MD5: ae0fb89e463b805d5dbbd236c75c3077
SHA1: b9e6490c285024576942b24bede5d46fa0bb23a6
SHA256: ba05e0b7fe2dec75f68836c492221e58d0ec15a0e196c1606f7299ceb9be227a
SHA512: 3a577638efbeba70133f77379e3ae28256d57d67d1dc40a4a828bfa69dec170fae353c9dd0f0cc8d153e898a3903c8d538f06d6a184deee0f51465bbd432b07e
SSDEEP: 49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlZ:86SIROiFJiwp0xlrlZ
Behavioral task
behavioral1
Sample: ae0fb89e463b805d5dbbd236c75c3077_JaffaCakes118.exe
Resource: win7-20240508-en

Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Targets
Target: ae0fb89e463b805d5dbbd236c75c3077_JaffaCakes118
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)