General

  • Target

    ebc06baf5350b51101987ce9185e7d64_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240919-t5lrcayekb

  • MD5

    ebc06baf5350b51101987ce9185e7d64

  • SHA1

    77b424834a1fb260e0ca9e9cc0e16afa57d674ce

  • SHA256

    a80a712b06cdcee855db7ef3c6f6ca47245591357f8464e26c4f2e3ce9ae3916

  • SHA512

    7c921b569eadae08492ee125fc3bd5ed4c8e6bebf0bce7eab2d4f136a956b440ac22839e897aade4975126ec646e498d068bb66fa9651d9e648fd024f78d9709

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZO:0UzeyQMS4DqodCnoe+iitjWwwK

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      ebc06baf5350b51101987ce9185e7d64_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
