General

  • Target

    b53accbef7fa8a49b400bd5b6fc7d9f7_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240616-z16tlsyanh

  • MD5

    b53accbef7fa8a49b400bd5b6fc7d9f7

  • SHA1

    234ca667370e1c439847678f291f384a9816172b

  • SHA256

    e91dda0e0cdde478ce5e3919442b53f663adb7780144a7c32fec9147829a4e82

  • SHA512

    565105b0cf3f8bcf3541afa13015de3d8af391d9f17a7285a63e2e993b58f85b8c3325c8878c722fbd227900d206fb8510efdbd1c24b818db14f7f1a09e68ba7

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlS:86SIROiFJiwp0xlrlS

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      b53accbef7fa8a49b400bd5b6fc7d9f7_JaffaCakes118

    • Size

      2.6MB

    • MD5

      b53accbef7fa8a49b400bd5b6fc7d9f7

    • SHA1

      234ca667370e1c439847678f291f384a9816172b

    • SHA256

      e91dda0e0cdde478ce5e3919442b53f663adb7780144a7c32fec9147829a4e82

    • SHA512

      565105b0cf3f8bcf3541afa13015de3d8af391d9f17a7285a63e2e993b58f85b8c3325c8878c722fbd227900d206fb8510efdbd1c24b818db14f7f1a09e68ba7

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlS:86SIROiFJiwp0xlrlS

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks