General

  • Target

    b4f091e2d0a89cd312e695adc970c8d5_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240616-yq98lsvfnh

  • MD5

    b4f091e2d0a89cd312e695adc970c8d5

  • SHA1

    f2e802d3e3f249426504fc1cbc862e94da5c06fe

  • SHA256

    d46de65f08658b4ec5cce1d096c5a68ea386db13da90a64af33d18f4e8b1be32

  • SHA512

    d493d1f3e25e50f3f89affd3a6df4283e5213ea1632e2461a94ae1b813f9c59b839ce329e827940ed3b163bc312e9e0f2bd91cfe3c030e3a966a11d3831c2f1d

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZD:0UzeyQMS4DqodCnoe+iitjWwwf

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b4f091e2d0a89cd312e695adc970c8d5_JaffaCakes118


    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks