General

  • Target

    b3e8ca7b0e888db462df99ed731b0f65_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240616-rfq9eszeqp

  • MD5

    b3e8ca7b0e888db462df99ed731b0f65

  • SHA1

    550126f34a37ef16835fb53404763e480abb4fe7

  • SHA256

    a0222d3bb8bb0528f6e973f13f5fee76c91646fb3dfde93ed4a1271038dc6e18

  • SHA512

    0f93910eb68b4657bc6beb2ab28fe5ffed2cd9ee305d5b71dda528165fcb23f6d07864bc3c8094d96b8eec843b7e9d469d42c05854321377821c4a62dfff3e4e

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlU:86SIROiFJiwp0xlrlU

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe
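
The extracted config above gives two network indicators (the gate the stealer reports to and the URL it pulls its next stage from) and the General section gives the file hashes. The following is an added example, not part of the sandbox report, showing how a responder would turn those values into a matcher for proxy logs and file digests. The proxy log lines are constructed for illustration (Squid-style native format); only the URLs and hashes are taken from the report.

```python
"""Added example, not part of the sandbox report: IOC matcher built from the
extracted Pony config (C2 gate, payload URL) and the sample hashes.
Log lines below are constructed; indicator values come from the report."""
import hashlib
from urllib.parse import urlsplit

# Indicators taken from the report above.
C2_URL = "http://don.service-master.eu/gate.php"
PAYLOAD_URL = "http://don.service-master.eu/shit.exe"
SAMPLE_HASHES = {
    "md5": "b3e8ca7b0e888db462df99ed731b0f65",
    "sha1": "550126f34a37ef16835fb53404763e480abb4fe7",
    "sha256": "a0222d3bb8bb0528f6e973f13f5fee76c91646fb3dfde93ed4a1271038dc6e18",
}


def _host(url):
    """Lower-cased hostname of a URL (DNS names are case-insensitive)."""
    return (urlsplit(url).hostname or "").lower()


IOC_HOSTS = {_host(C2_URL), _host(PAYLOAD_URL)}

# Constructed proxy log (hypothetical contents), Squid native layout:
# time elapsed client code/status bytes method url user hierarchy type
PROXY_LOG = """\
1718540000.123   45 10.0.0.5 TCP_MISS/200 412 POST http://don.service-master.eu/gate.php - HIER_DIRECT/203.0.113.10 text/html
1718540001.456 1900 10.0.0.5 TCP_MISS/200 2600000 GET http://don.service-master.eu/shit.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1718540002.789   12 10.0.0.7 TCP_MISS/200 1024 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1718540003.000   40 10.0.0.9 TCP_MISS/200 512 POST http://DON.Service-Master.eu/gate.php - HIER_DIRECT/203.0.113.10 text/html
1718540004.000    5 10.0.0.9 TCP_MISS/404 300 GET http://don.service-master.eu/other.php - HIER_DIRECT/203.0.113.10 text/html
"""


def match_proxy_log(log_text):
    """Return (client, method, url, reason) for every request touching the IOCs."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        client, method, url = f[2], f[5], f[6]
        if _host(url) not in IOC_HOSTS:
            continue
        path = urlsplit(url).path
        if path == urlsplit(C2_URL).path and method == "POST":
            reason = "pony-c2-checkin"        # stolen credentials are POSTed to the gate
        elif path == urlsplit(PAYLOAD_URL).path:
            reason = "pony-payload-download"  # second stage fetched from payload_url
        else:
            reason = "pony-c2-host"           # same host, other path: still worth triage
        hits.append((client, method, url, reason))
    return hits


def hash_bytes(data):
    """Digests of an in-memory blob for every algorithm the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in SAMPLE_HASHES}


def hash_file(path, chunk=1 << 20):
    """Streaming digests of a file on disk, same algorithms as hash_bytes."""
    hs = {algo: hashlib.new(algo) for algo in SAMPLE_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def matches_sample(digests):
    """Algorithms on which the given digests agree with the report's sample."""
    return sorted(a for a, v in digests.items() if SAMPLE_HASHES.get(a) == v.lower())


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print(*hit)
    print("empty file matches sample on:", matches_sample(hash_bytes(b"")))
```

Host matching is deliberately broader than the two exact URLs: Pony operators rotate gate paths far more often than hosts, and a hit on the same host with an unknown path is the signal that the config has moved on. The hash match is point-in-time for exactly this build; a repacked sample will share the behaviours listed below but none of the digests.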

Targets

    • Target

      b3e8ca7b0e888db462df99ed731b0f65_JaffaCakes118

    • Size

      2.6MB

    • MD5

      b3e8ca7b0e888db462df99ed731b0f65

    • SHA1

      550126f34a37ef16835fb53404763e480abb4fe7

    • SHA256

      a0222d3bb8bb0528f6e973f13f5fee76c91646fb3dfde93ed4a1271038dc6e18

    • SHA512

      0f93910eb68b4657bc6beb2ab28fe5ffed2cd9ee305d5b71dda528165fcb23f6d07864bc3c8094d96b8eec843b7e9d469d42c05854321377821c4a62dfff3e4e

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlU:86SIROiFJiwp0xlrlU

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan: it harvests saved passwords from browsers, FTP and e-mail clients, POSTs them to its gate (the C2 above) and can download and execute further payloads, which is what the payload_url attribute points at.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks