General

  • Target

    b3b1db5584642249b041624ed525b0c1_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240616-qg2wwavbkh

  • MD5

    b3b1db5584642249b041624ed525b0c1

  • SHA1

    934dd956f6c3d08f07223019c7eecf5504cef41d

  • SHA256

    e9a707793c17d8eb6fb465771a56c3f6f907f29157d2ee6182ba0a3751b1b7a2

  • SHA512

    13869c432240ac2d335ba3b2d7cd678c9e51521fac9c836221b0e066208130f1cdb62a85a343c4878281f1372dcb0bed171d3f46243036d1cb9d0ca0f0dbc737

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZF:0UzeyQMS4DqodCnoe+iitjWwwJ

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b3b1db5584642249b041624ed525b0c1_JaffaCakes118

    • Size

      2.2MB

    • MD5

      b3b1db5584642249b041624ed525b0c1

    • SHA1

      934dd956f6c3d08f07223019c7eecf5504cef41d

    • SHA256

      e9a707793c17d8eb6fb465771a56c3f6f907f29157d2ee6182ba0a3751b1b7a2

    • SHA512

      13869c432240ac2d335ba3b2d7cd678c9e51521fac9c836221b0e066208130f1cdb62a85a343c4878281f1372dcb0bed171d3f46243036d1cb9d0ca0f0dbc737

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZF:0UzeyQMS4DqodCnoe+iitjWwwJ

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks