Extracted

• • Target

    aff5556f2ee3f6df4887c2a4ef98753c_JaffaCakes118

  • Size

    2.2MB

  • MD5

    aff5556f2ee3f6df4887c2a4ef98753c

  • SHA1

    16036a3d5da6b64ff0bed9bc59d9845e31307334

  • SHA256

    6d39b83ba00ed4f55dd11eb78d529c73acf62dad7e19618564a9defeddbac19d

  • SHA512

    ae35b2b78be86a1921654194583a023eebb22a3eefc7b3cd84c4eb0f02a3948ea5c004aa75481249349d204796fdd804cdc4f25ecf3fe07bf14bbd4bd41cf263

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZD:0UzeyQMS4DqodCnoe+iitjWwwv

  Score

  10^/10

  ponyevasionpersistenceratspywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Modifies Installed Components in the registry

    persistence

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2