Extracted

• • Target

    b3e6930e7b36827198fa593ec24fc334_JaffaCakes118

  • Size

    2.2MB

  • MD5

    b3e6930e7b36827198fa593ec24fc334

  • SHA1

    67c8e3cf4d2851a3258d85f9961d2e3aa35237c8

  • SHA256

    6fbd28d41c3443f0038cb73200ce939ba1d995b72e326061003d2ae8c7a498fe

  • SHA512

    c6550d563bbbf04311d2edf917e49e64d6578745fedbf59e2174818e3506acc138385701b8df1b6ee2a509b2c976d621ea25260c9cc9a9871f676ea26847c932

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZE:0UzeyQMS4DqodCnoe+iitjWwwo

  Score

  10^/10

  ponyevasionpersistenceratspywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Modifies Installed Components in the registry

    persistence

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2