General

  • Target

    ec23873acdb43fa8ec68cb21463ef3e1_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240919-y9gemszajk

  • MD5

    ec23873acdb43fa8ec68cb21463ef3e1

  • SHA1

    6fd64007a3d7bed7d0ddf4d034a19546c7694d44

  • SHA256

    13f24cd4fd983310459f2bca1a257c835da40cdb498fe4e08c9dd44fc9c98001

  • SHA512

    a41497cfb43f086fee2d1b49c0ed0ac928518bc68e19d8c578da14181946f3532eb4fc7c270ecb99c48d72eb183a02e7c1e70d149002b43e05202c3aac2dbba3

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZo:0UzeyQMS4DqodCnoe+iitjWww0

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      ec23873acdb43fa8ec68cb21463ef3e1_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
