General

  • Target

    e9cfed8e275276feeae07ae725c5808c_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240918-x2d4wayhmm

  • MD5

    e9cfed8e275276feeae07ae725c5808c

  • SHA1

    0d9b55933204a168bf30c7bc0f42fc503d84d678

  • SHA256

    9cdf6a077c45f50c855682ac48ed47124af90553dd15420441d43b6542f29dc3

  • SHA512

    55c138ba8ded5f12567dcc54c3f025029eb19e15aeaf0080d74049829fb84352e430d51750a2b1049af402ed3343ca2e7405960fabdc7713ba7c41ffe8ef7a3a

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZc:0UzeyQMS4DqodCnoe+iitjWwww

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      e9cfed8e275276feeae07ae725c5808c_JaffaCakes118

    • Size

      2.2MB

    • MD5

      e9cfed8e275276feeae07ae725c5808c

    • SHA1

      0d9b55933204a168bf30c7bc0f42fc503d84d678

    • SHA256

      9cdf6a077c45f50c855682ac48ed47124af90553dd15420441d43b6542f29dc3

    • SHA512

      55c138ba8ded5f12567dcc54c3f025029eb19e15aeaf0080d74049829fb84352e430d51750a2b1049af402ed3343ca2e7405960fabdc7713ba7c41ffe8ef7a3a

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZc:0UzeyQMS4DqodCnoe+iitjWwww

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
