General
Target: d4a6b86185bf118509d4e399db7d0cd7_JaffaCakes118
Size: 2.2MB
Sample: 240908-snnnyavgmb
MD5: d4a6b86185bf118509d4e399db7d0cd7
SHA1: fdf4e02d134f94aede85b5788b8238317a86e747
SHA256: 663bf293b66b07de55fdee3ffddbc0c06df608ca782f5ba212730a8045bde485
SHA512: f92ccfb977ba007edc92b4ace0ffbb8c5ae7e78a8a5866c4b032d9dff4376bd80bbc9f6efcd4374193e7080d007071f98b07ec0bdfaf81f12c4bec4a3853ba13
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZY:0UzeyQMS4DqodCnoe+iitjWwwE
Behavioral task: behavioral1
Sample: d4a6b86185bf118509d4e399db7d0cd7_JaffaCakes118.exe
Resource: win7-20240708-en
Malware Config
Extracted: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Targets
Target: d4a6b86185bf118509d4e399db7d0cd7_JaffaCakes118
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 1
  - Hidden Files and Directories: 1
- Modify Registry: 4