General

  • Target

    b40ff019ab6ad23cb71d2cf77e347511_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240616-r6phhsxcre

  • MD5

    b40ff019ab6ad23cb71d2cf77e347511

  • SHA1

    949b5a7732ac4337e496d4dbb5127b5fa577b7f2

  • SHA256

    1639a4b3acea8bdcbe23ad1cb2629dde273130f1ac1541a76f0dbf813dc439e2

  • SHA512

    d9a224a75218d1a5f1e8d2de6c01b1461d55c3923456f09394ca9f18e3dc0b97baa1418a42c10b7c84f4b0c9d92246fa693657fc68548b01ef073be4d8bd2241

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl9:86SIROiFJiwp0xlrl9

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets


    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15