General
-
Target
ae963c876b4cf9e4c07855aa1080c438_JaffaCakes118
-
Size
2.6MB
-
Sample
240615-qhdknssakf
-
MD5
ae963c876b4cf9e4c07855aa1080c438
-
SHA1
19f804238d7d68898d0001b10577087b406f6c37
-
SHA256
0e9c92109f0da3af9b25e01dca72fab23582ea3d8e5e567605f5b69392748cbd
-
SHA512
2829046059b368bd733c7fedaacdbe253ff63dedafe631ae85b79bf25fd3142fcfa83f8d6c22dca073d60af68997008ed9fa516f1a39f998fca3f58fb35baa43
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl9:86SIROiFJiwp0xlrl9
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
ae963c876b4cf9e4c07855aa1080c438_JaffaCakes118
-
Size
2.6MB
-
MD5
ae963c876b4cf9e4c07855aa1080c438
-
SHA1
19f804238d7d68898d0001b10577087b406f6c37
-
SHA256
0e9c92109f0da3af9b25e01dca72fab23582ea3d8e5e567605f5b69392748cbd
-
SHA512
2829046059b368bd733c7fedaacdbe253ff63dedafe631ae85b79bf25fd3142fcfa83f8d6c22dca073d60af68997008ed9fa516f1a39f998fca3f58fb35baa43
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl9:86SIROiFJiwp0xlrl9
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1