General

  • Target

    b54694611f3ad9f6f7407e5053f44b49_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240616-z81bsssfkq

  • MD5

    b54694611f3ad9f6f7407e5053f44b49

  • SHA1

    3aff5e9ba30b95f784f180f7abae268009096649

  • SHA256

    09eaa67842a05f47461e91bd91c63764b16b2050f0824b4d44d5cc94db57d0e4

  • SHA512

    6acae0db88fb3d539ef7ecc8a5a0c154cbae3d620841cb1223de7e1b702b885c2887ae0414d7a25775b40745c8bdc4b1247f54bc3f65ede47816e4d4489d2fd6

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlZ:86SIROiFJiwp0xlrlZ

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks