General

  • Target

    b3bae8a347e13cf8da345e287d2d05f5_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240616-qmryvsvcqa

  • MD5

    b3bae8a347e13cf8da345e287d2d05f5

  • SHA1

    11e39c9bc1950d4d37f279fe06881c46dcb9a8a4

  • SHA256

    d36c56d583233fab0e4f0d758a90d2fa36ff9570ed28d5b3024fc78b970e449c

  • SHA512

    0bd162f6598fca7ef1181a98419df881330d3e5870babaa9444d56e669e6710a442a66f773be3b4d42650842740634182939cfca0b28f37c4b7fb6a3289312b5

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlK:86SIROiFJiwp0xlrlK

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe
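
The hashes and the extracted C2/payload URLs above are the report's usable indicators. The following Python is an added example (not part of the sandbox output) showing how a responder would consume them: it re-computes the four digests the report lists, requires all of them to agree rather than trusting MD5 alone, and matches the C2 host and paths from the Pony config against proxy log lines. The log lines, the log format and the byte strings are constructed for the demonstration; the hashes and URLs are copied from the report.

```python
"""Check local artefacts against the indicators in this report.

Added example, not part of the sandbox output: the digests and the two
URLs are copied from the report above; the proxy log and the byte
strings are constructed for the demonstration.
"""
import hashlib
from urllib.parse import urlparse

# File digests from the "General" section of the report.
REPORT_HASHES = {
    "md5": "b3bae8a347e13cf8da345e287d2d05f5",
    "sha1": "11e39c9bc1950d4d37f279fe06881c46dcb9a8a4",
    "sha256": "d36c56d583233fab0e4f0d758a90d2fa36ff9570ed28d5b3024fc78b970e449c",
    "sha512": "0bd162f6598fca7ef1181a98419df881330d3e5870babaa9444d56e669e6710a"
              "442a66f773be3b4d42650842740634182939cfca0b28f37c4b7fb6a3289312b5",
}

# Extracted Pony config: the gate that receives stolen credentials and
# the payload_url the sample is configured to fetch.
C2_GATE = "http://don.service-master.eu/gate.php"
PAYLOAD_URL = "http://don.service-master.eu/shit.exe"


def hash_bytes(data: bytes) -> dict:
    """Digest the bytes with the same four algorithms the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only when every digest agrees: MD5 alone is collision-prone,
    so an MD5 match with a mismatch elsewhere means a different file."""
    return hash_bytes(data) == REPORT_HASHES


def _host_path(url: str):
    parts = urlparse(url)
    return (parts.hostname or "").lower(), parts.path


# Exact (host, path) pairs from the config, plus the bare C2 host so any
# other contact with it is still surfaced.
IOC_URLS = {
    _host_path(C2_GATE): "pony-c2-checkin",
    _host_path(PAYLOAD_URL): "pony-payload-download",
}
C2_HOSTS = {host for host, _ in IOC_URLS}


def classify_url(url: str):
    """Return the verdict for one requested URL, or None if unrelated."""
    host, path = _host_path(url)
    if (host, path) in IOC_URLS:
        return IOC_URLS[(host, path)]
    if host in C2_HOSTS:
        return "c2-host-contact"
    return None  # includes look-alike hosts that merely contain the name


# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """
1718540000.123 10.0.0.15 GET http://update.example.com/manifest.json 200
1718540003.456 10.0.0.22 POST http://don.service-master.eu/gate.php 200
1718540005.789 10.0.0.22 GET http://don.service-master.eu/shit.exe 200
1718540009.000 10.0.0.31 GET http://DON.service-master.EU/gate.php 404
1718540011.000 10.0.0.31 GET http://don.service-master.eu/index.html 200
1718540012.000 10.0.0.40 GET http://service-master.eu.example.org/gate.php 200
"""


def scan_proxy_log(text: str):
    """Return (client, method, url, verdict) for every line touching the IOCs."""
    hits = []
    for line in text.strip().splitlines():
        _ts, client, method, url, _status = line.split()
        verdict = classify_url(url)
        if verdict is not None:
            hits.append((client, method, url, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(*hit)
    print("empty file matches report:", matches_report(b""))
```

Matching is done on the parsed hostname, so the upper-cased request and the unrelated `service-master.eu.example.org` look-alike are handled correctly; a plain substring search on the URL would get both wrong. The SSDEEP value is not checked here because the standard library has no ssdeep implementation.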

Targets

    • Target

      b3bae8a347e13cf8da345e287d2d05f5_JaffaCakes118

    • Size

      2.6MB

    • MD5

      b3bae8a347e13cf8da345e287d2d05f5

    • SHA1

      11e39c9bc1950d4d37f279fe06881c46dcb9a8a4

    • SHA256

      d36c56d583233fab0e4f0d758a90d2fa36ff9570ed28d5b3024fc78b970e449c

    • SHA512

      0bd162f6598fca7ef1181a98419df881330d3e5870babaa9444d56e669e6710a442a66f773be3b4d42650842740634182939cfca0b28f37c4b7fb6a3289312b5

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlK:86SIROiFJiwp0xlrlK

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony (also tracked as Fareit) is an information-stealing trojan: it harvests stored credentials from browsers, FTP and e-mail clients and other applications, posts them to its C2 gate, and can download and run additional payloads (here the payload_url above).

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
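
The behaviour signatures above are what a sandbox fires on the event stream it records. As an added example (not the sandbox's own signature logic), the following Python scores a constructed Windows event trace against those same behaviours. The trace format (`REG_SET`, `FILE_WRITE`, `PROC_CREATE`, `API` lines), the process and thread IDs, and the registry locations mapped to each behaviour (Winlogon Shell/Userinit, Run/RunOnce, the Explorer Advanced view settings) are assumptions chosen because they are the customary locations for these techniques, not values read from this sample.

```python
"""Score a sandbox-style event trace against the behaviours this report lists.

Added example, not the sandbox's own signature logic. The event lines are
constructed to resemble a Windows sandbox trace, and the registry locations
mapped to each behaviour (Winlogon Shell/Userinit, Run/RunOnce, the Explorer
Advanced view settings) are the customary ones for those techniques, not
values read from this sample.
"""
import re

# Behaviour name -> registry key pattern (applied to the key path only).
REG_RULES = [
    ("Modifies WinLogon for persistence",
     re.compile(r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)),
    ("Adds Run key to start application",
     re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)),
    ("Modifies visibility of hidden/system files in Explorer",
     re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", re.I)),
]
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
PROC_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(.+)$")
API_RE = re.compile(r"pid=(\d+) (\w+) target_pid=(\d+)$")

# Constructed trace, one "<TYPE> <details>" event per line, in time order.
SAMPLE_TRACE = r"""
FILE_WRITE C:\Users\user\AppData\Roaming\svchost.exe
REG_SET HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe,C:\Users\user\AppData\Roaming\svchost.exe
REG_SET HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\user\AppData\Roaming\svchost.exe
REG_SET HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 2
REG_SET HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
FILE_WRITE C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
PROC_CREATE pid=2100 ppid=1500 image=C:\Users\user\AppData\Roaming\svchost.exe
API pid=1500 SetThreadContext target_pid=2100
"""


def match_behaviours(trace: str):
    """Return (behaviour, event) pairs. "Executes dropped EXE" is a
    correlation: a PROC_CREATE whose image was written earlier in the trace."""
    hits = []
    dropped = set()  # lower-cased paths of .exe files written so far
    for line in trace.strip().splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "REG_SET":
            key, _, _value = rest.partition(" = ")
            for name, pattern in REG_RULES:
                if pattern.search(key):
                    hits.append((name, line))
        elif kind == "FILE_WRITE":
            if STARTUP_DIR.search(rest):
                hits.append(("Drops startup file", line))
            if rest.lower().endswith(".exe"):
                dropped.add(rest.lower())
        elif kind == "PROC_CREATE":
            m = PROC_RE.match(rest)
            if m and m.group(3).lower() in dropped:
                hits.append(("Executes dropped EXE", line))
        elif kind == "API":
            m = API_RE.match(rest)
            # Setting the thread context of another process is the hallmark
            # of process hollowing / injection; calls on the caller's own
            # threads are routine and are ignored.
            if m and m.group(2) == "SetThreadContext" and m.group(1) != m.group(3):
                hits.append(("Suspicious use of SetThreadContext", line))
    return hits


def triggered(trace: str) -> set:
    """Distinct behaviour names fired by the trace."""
    return {name for name, _ in match_behaviours(trace)}


if __name__ == "__main__":
    for name, event in match_behaviours(SAMPLE_TRACE):
        print(f"{name}: {event}")
```

Two points carry over to real detection engineering: the Run-key and Explorer rules fire on legitimate software too and are only useful in combination with the others, and the dropped-EXE rule depends on event ordering, so the trace must be processed in time order.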

MITRE ATT&CK Enterprise v15

Tasks