General

  • Target

    b500698cdc94b8c324f353d9b842245e_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240616-y1tcvazckn

  • MD5

    b500698cdc94b8c324f353d9b842245e

  • SHA1

    056d0f737620209854f574946d6eac085196145d

  • SHA256

    fe8d80c6ab184ad43c0a982b0e4b86386d60d5dd2ec2e3e144081049a49ed6aa

  • SHA512

    def0698b13299cd8b0935e306f4413435a48b18c1847233b21ba44fcbeedab54abe7c4c8eefee3c85e989998b3c336138dadc333a6f03ccdf4118782c8dbd5b0

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl+:86SIROiFJiwp0xlrl+

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b500698cdc94b8c324f353d9b842245e_JaffaCakes118

    • Size

      2.6MB

    • MD5

      b500698cdc94b8c324f353d9b842245e

    • SHA1

      056d0f737620209854f574946d6eac085196145d

    • SHA256

      fe8d80c6ab184ad43c0a982b0e4b86386d60d5dd2ec2e3e144081049a49ed6aa

    • SHA512

      def0698b13299cd8b0935e306f4413435a48b18c1847233b21ba44fcbeedab54abe7c4c8eefee3c85e989998b3c336138dadc333a6f03ccdf4118782c8dbd5b0

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl+:86SIROiFJiwp0xlrl+

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks