General
Target: b4dfbb5d9b8246c2afec31a1a13d9f30_JaffaCakes118
Size: 2.2MB
Sample: 240616-yeqd3avbkg
MD5: b4dfbb5d9b8246c2afec31a1a13d9f30
SHA1: fcb6e6e698d0a76dcacd731f0eb179953c02c8c2
SHA256: 23c600c78ff6b137331e87a5e76ce113c29f7e9f3f0f1daf70c200b6ba18f2dd
SHA512: 8a90cfd3f9b06532b6c0f852439260c37f98e60e43a014287f29284b83728cf39e30ffe4049a9a4b97abc435a779e6166f75bc00ae7e0b1a81156744bac79f07
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWwws
Behavioral task: behavioral1
Sample: b4dfbb5d9b8246c2afec31a1a13d9f30_JaffaCakes118.exe
Resource: win7-20240508-en
Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Targets
Target: b4dfbb5d9b8246c2afec31a1a13d9f30_JaffaCakes118
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)