General

  • Target

    e6d62b06957b8d1dc17d9c138c996366_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240917-pt4esstcpp

  • MD5

    e6d62b06957b8d1dc17d9c138c996366

  • SHA1

    9ecf02290ed4b86f7843d99c2261f068d5c2334c

  • SHA256

    25a06ea6a457474f81f41c0d0a9361d0c741b27860557f62d053a306e1d5c615

  • SHA512

    0a43735bf8f6d19164c482fb53cdd9f835a5abb04179b24c6b1ca360d187076e041741dde5de7840d96c95e927f479f2cffbccf0db99ba1d3f059b40cc530dd5

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZC:0UzeyQMS4DqodCnoe+iitjWwwu

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
