General

  • Target

    b5512e19e4d6647d45901ed1d60dd3a6_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240616-1fkw3stakr

  • MD5

    b5512e19e4d6647d45901ed1d60dd3a6

  • SHA1

    9d6280953c4d93199988317cede17a5789312f45

  • SHA256

    719d051c75653a7db73dd872a032fd7153f1845b2f8c97d047b1c76b2bad24df

  • SHA512

    af4b7a777992b3607a5d0db252af8c7044572b220b9f92e9aac670a9c872b88331eb8036e7178b243432ece19047fea64d164b788d2301db3739f38f45428526

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwa

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b5512e19e4d6647d45901ed1d60dd3a6_JaffaCakes118

    • Size

      2.2MB

    • MD5

      b5512e19e4d6647d45901ed1d60dd3a6

    • SHA1

      9d6280953c4d93199988317cede17a5789312f45

    • SHA256

      719d051c75653a7db73dd872a032fd7153f1845b2f8c97d047b1c76b2bad24df

    • SHA512

      af4b7a777992b3607a5d0db252af8c7044572b220b9f92e9aac670a9c872b88331eb8036e7178b243432ece19047fea64d164b788d2301db3739f38f45428526

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwa

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks