General

  • Target

    b486d2f599d648bcceb186972c940170_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240616-wyfmvsvhmj

  • MD5

    b486d2f599d648bcceb186972c940170

  • SHA1

    b3852af70e14c593ba942cde60eb779af7224063

  • SHA256

    fe058dcc96d11893f6cbe1b53c835a685accb9fd26d88d189fc1e4e787e841e8

  • SHA512

    265e216371d0d0d6a7c78f894a2601b034f1df33360339fe01e4a20bd775a9b21b50b12af79ff34b41437f812e381d3d54d7a0de2a5f2961744d0e9b2016b64f

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl/:86SIROiFJiwp0xlrl/

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b486d2f599d648bcceb186972c940170_JaffaCakes118

    • Size

      2.6MB

    • MD5

      b486d2f599d648bcceb186972c940170

    • SHA1

      b3852af70e14c593ba942cde60eb779af7224063

    • SHA256

      fe058dcc96d11893f6cbe1b53c835a685accb9fd26d88d189fc1e4e787e841e8

    • SHA512

      265e216371d0d0d6a7c78f894a2601b034f1df33360339fe01e4a20bd775a9b21b50b12af79ff34b41437f812e381d3d54d7a0de2a5f2961744d0e9b2016b64f

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl/:86SIROiFJiwp0xlrl/

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks