General

  • Target

    b43e72c1dfb6a3f747b934f36fa6e1a7_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240616-syj4hasgkm

  • MD5

    b43e72c1dfb6a3f747b934f36fa6e1a7

  • SHA1

    04799b07c2669b4d3cb1143efa92b8b48a68df50

  • SHA256

    ba8967a474786ee4e6856f8091eefe25a3624444a0de4be4728002ee12173988

  • SHA512

    dd1f35af8f91d75e68d0f95f98f8e50d1faeee492c21efd4bbf31abb90deb2111e9334c98ce6f1c12163f2a944a048d94d2f47d0aae5e62dba31568efe8d671a

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlP:86SIROiFJiwp0xlrlP

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b43e72c1dfb6a3f747b934f36fa6e1a7_JaffaCakes118

    • Size

      2.6MB

    • MD5

      b43e72c1dfb6a3f747b934f36fa6e1a7

    • SHA1

      04799b07c2669b4d3cb1143efa92b8b48a68df50

    • SHA256

      ba8967a474786ee4e6856f8091eefe25a3624444a0de4be4728002ee12173988

    • SHA512

      dd1f35af8f91d75e68d0f95f98f8e50d1faeee492c21efd4bbf31abb90deb2111e9334c98ce6f1c12163f2a944a048d94d2f47d0aae5e62dba31568efe8d671a

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlP:86SIROiFJiwp0xlrlP

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks