General

  • Target

    b3ce90dac17ec6a8b804712172a563c2_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240616-q1fgzszapq

  • MD5

    b3ce90dac17ec6a8b804712172a563c2

  • SHA1

    eb0529ff64b11a5dc5d7d3f084913a31fe521780

  • SHA256

    a3f0392e38a79a2ccfe22bedc63215cabccee0b68647f2256f3947f4753d24d0

  • SHA512

    fcb9b2cc1c981262953cc5be2dd1a63aeeaef77c38c03fbdd212c22f16329666d202bc5b0e43a6258c5a1e3100bf72a46d26b2e7084492c39386ac0a787e59e0

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ7:0UzeyQMS4DqodCnoe+iitjWwwH

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b3ce90dac17ec6a8b804712172a563c2_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks