General

  • Target

    b3e296f966f07b7d91d4bb107208c415_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240616-rcmrtswbrg

  • MD5

    b3e296f966f07b7d91d4bb107208c415

  • SHA1

    0ea4940546c28aba3319cd676ebc2b894a7c93ea

  • SHA256

    69bd93ad9527d1cfa14d5959cfac9fae26ecd12bb14ac7065c4707900b5cc590

  • SHA512

    33015d0889dcf38a87cca0ba6bf866752e35fb6e07dd460cfede780b3c8172878c01c34c22c8377e6b8a56f401b114bc5cdca7c7f21148ff133f883010ec28e4

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZl:0UzeyQMS4DqodCnoe+iitjWwwp

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b3e296f966f07b7d91d4bb107208c415_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks