Extracted

• • Target

    d60b399422d923a618d217b794c03932_JaffaCakes118

  • Size

    2.6MB

  • MD5

    d60b399422d923a618d217b794c03932

  • SHA1

    d70094bbda740568a9f5a6ebfbd78df44213d2cf

  • SHA256

    fe4bf8149e976feddf007d2969a97fbf78203d5f7e93aa4101a78a021299b9ed

  • SHA512

    672831c50f6258cc2ee15c982fad1415b763f1b6e6ac6acd76e2618f8c359605f83d6eac169b5b98016db53a8d7fe6a11fe3cc3a5e6145773c61cb1630d9f98f

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlJ:86SIROiFJiwp0xlrlJ

  Score

  10^/10

  ponydiscoveryevasionpersistenceratspywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2