General

  • Target

    b4f84d27a995a9f38bab8a9e656580a0_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240616-yw4b9avhqc

  • MD5

    b4f84d27a995a9f38bab8a9e656580a0

  • SHA1

    e308841d7189245156c74494c0fd3f83a8d89be6

  • SHA256

    c5ef60cc2f8c6de21788828b1ab72f1630b0c445fad0f809110a10ddc415ff3b

  • SHA512

    b4efb0da570efdec79c840637ccb37cf79162bd3a1a3f58eccf6400866b0152db7c2fa95f5d637bffcc51e21513e64a57b6be0e253c85cb5c96cb9fa6c9cf954

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZC:0UzeyQMS4DqodCnoe+iitjWww2

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b4f84d27a995a9f38bab8a9e656580a0_JaffaCakes118

    • Size

      2.2MB

    • MD5

      b4f84d27a995a9f38bab8a9e656580a0

    • SHA1

      e308841d7189245156c74494c0fd3f83a8d89be6

    • SHA256

      c5ef60cc2f8c6de21788828b1ab72f1630b0c445fad0f809110a10ddc415ff3b

    • SHA512

      b4efb0da570efdec79c840637ccb37cf79162bd3a1a3f58eccf6400866b0152db7c2fa95f5d637bffcc51e21513e64a57b6be0e253c85cb5c96cb9fa6c9cf954

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZC:0UzeyQMS4DqodCnoe+iitjWww2

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan: it harvests stored passwords from browsers, FTP, e-mail and other clients, posts them to its C2 gate (here gate.php) and can download and execute a further payload (here the payload_url on the same host).

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext (commonly used for process hollowing / RunPE injection)
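The persistence and evasion behaviours listed above are all registry writes (Winlogon, Run key, Active Setup Installed Components, Explorer hidden-file settings). As an added example that is not part of this sandbox report or of any Pony tooling, the Python below classifies registry-modification records against those four behaviours. The event format, the exact key paths and the C:\Users\Public\svc.exe drop path are assumptions; the Winlogon rule deliberately ignores writes that merely restore the stock Userinit/Shell value, since those are noise.

```python
import re
from dataclasses import dataclass


@dataclass
class RegEvent:
    """One registry write as a sandbox or EDR would log it (constructed format)."""
    key: str
    value_name: str
    data: str


# Stock Winlogon values; a write that only restores these is noise, anything else
# chains an extra binary into every interactive logon.
WINLOGON_DEFAULTS = {
    "userinit": {r"c:\windows\system32\userinit.exe,", r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}


def winlogon_persistence(ev: RegEvent) -> bool:
    if not re.search(r"\\Windows NT\\CurrentVersion\\Winlogon$", ev.key, re.I):
        return False
    name = ev.value_name.lower()
    return name in WINLOGON_DEFAULTS and ev.data.strip().lower() not in WINLOGON_DEFAULTS[name]


def run_key(ev: RegEvent) -> bool:
    return re.search(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", ev.key, re.I) is not None


def installed_components(ev: RegEvent) -> bool:
    # Active Setup runs StubPath once per user at logon, a less-watched autostart.
    return (re.search(r"\\Active Setup\\Installed Components\\", ev.key, re.I) is not None
            and ev.value_name.lower() == "stubpath")


def hidden_files_visibility(ev: RegEvent) -> bool:
    # Hidden / ShowSuperHidden control whether Explorer shows hidden and protected OS files.
    return (re.search(r"\\Explorer\\Advanced$", ev.key, re.I) is not None
            and ev.value_name.lower() in {"hidden", "showsuperhidden"})


RULES = [
    ("Modifies WinLogon for persistence", winlogon_persistence),
    ("Adds Run key to start application", run_key),
    ("Modifies Installed Components in the registry", installed_components),
    ("Modifies visibility of hidden/system files in Explorer", hidden_files_visibility),
]


def classify(ev: RegEvent) -> list:
    """Behaviour names this single registry write matches."""
    return [name for name, check in RULES if check(ev)]


def triage(events) -> dict:
    """Map each behaviour name to the registry writes that triggered it."""
    report = {}
    for ev in events:
        for name in classify(ev):
            report.setdefault(name, []).append(ev)
    return report


# Constructed records; the dropped-file path is an assumption, not from the report.
SAMPLE_EVENTS = [
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
             r"C:\Windows\system32\userinit.exe,C:\Users\Public\svc.exe"),
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
             r"C:\Windows\system32\userinit.exe,"),
    RegEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
             r"C:\Users\Public\svc.exe"),
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}",
             "StubPath", r"C:\Users\Public\svc.exe"),
    RegEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "0"),
    RegEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "IconSize", "32"),
]

if __name__ == "__main__":
    for name, evs in triage(SAMPLE_EVENTS).items():
        for ev in evs:
            print(f"{name}: {ev.key}\\{ev.value_name} = {ev.data}")
```

The Run-key and Active Setup rules also fire on legitimate installers, so treat the output as triage signals to pivot on (which binary, dropped where, by which process), not as a verdict; the Winlogon and ShowSuperHidden writes are far rarer in benign software and deserve immediate attention.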

MITRE ATT&CK Enterprise v15

Tasks