General

  • Target

    dec8805bd9783eb58d3c216bebcc4523_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240913-yfk6qswala

  • MD5

    dec8805bd9783eb58d3c216bebcc4523

  • SHA1

    885b1907955e005df05c44e8ce41bee61deabf88

  • SHA256

    755dd3a3bd1ae7c0cea2db0468e9a927124dc8e5372c61a0d9c5a74aeb24d691

  • SHA512

    21948f95fa6a6f497799472f5dea49127e8a4e3553026cf24241444ff6069cef6e951fe716f90874b7693c484657cbc4abc25f45c5911dc5fc68f2210f129f4e

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlY:86SIROiFJiwp0xlrlY

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      dec8805bd9783eb58d3c216bebcc4523_JaffaCakes118

    • Size

      2.6MB

    • MD5

      dec8805bd9783eb58d3c216bebcc4523

    • SHA1

      885b1907955e005df05c44e8ce41bee61deabf88

    • SHA256

      755dd3a3bd1ae7c0cea2db0468e9a927124dc8e5372c61a0d9c5a74aeb24d691

    • SHA512

      21948f95fa6a6f497799472f5dea49127e8a4e3553026cf24241444ff6069cef6e951fe716f90874b7693c484657cbc4abc25f45c5911dc5fc68f2210f129f4e

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlY:86SIROiFJiwp0xlrlY

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks