General
-
Target
d3ab724ccadf76cd039d6d7ea98bb8bd_JaffaCakes118
-
Size
2.6MB
-
Sample
240908-gcplba1hrg
-
MD5
d3ab724ccadf76cd039d6d7ea98bb8bd
-
SHA1
8662fe31c6791eac8dacdb9f963ca7398d1a266c
-
SHA256
da2d1ab789afdf12468b83a83fa86898632e6d9c3b6aaf13fcda771dee1ee6d6
-
SHA512
691f6edfd5fc17fd30009e54b626d7070f691b7557f8e5975df4f5a2a057c656008188cab1dba5880c1f74fbcf42113a6cdcce5533f7184b19de43dbe06002ab
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlC:86SIROiFJiwp0xlrlC
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
d3ab724ccadf76cd039d6d7ea98bb8bd_JaffaCakes118
-
Size
2.6MB
-
MD5
d3ab724ccadf76cd039d6d7ea98bb8bd
-
SHA1
8662fe31c6791eac8dacdb9f963ca7398d1a266c
-
SHA256
da2d1ab789afdf12468b83a83fa86898632e6d9c3b6aaf13fcda771dee1ee6d6
-
SHA512
691f6edfd5fc17fd30009e54b626d7070f691b7557f8e5975df4f5a2a057c656008188cab1dba5880c1f74fbcf42113a6cdcce5533f7184b19de43dbe06002ab
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlC:86SIROiFJiwp0xlrlC
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4