General

  • Target

    f6fb923848c026c2bbc5e848ca73f435_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240925-2faa1svbmg

  • MD5

    f6fb923848c026c2bbc5e848ca73f435

  • SHA1

    48962add4a532acb9b70da9eb5c1da37f81e8cd3

  • SHA256

    5bd87389c11f8773a10b6fce8d1929e9c1b754c4552b134df1557db17cc21cbc

  • SHA512

    9be69e9f5502cdfb6045e07ae720fb4e0598b255d5107ccd61ee1228c27db47d88c13bff0a0c8080aafaa2b133d27b66a4d764b9671197f1a7f3dee2821672b2

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ5:0UzeyQMS4DqodCnoe+iitjWwwN

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      f6fb923848c026c2bbc5e848ca73f435_JaffaCakes118

    • Size

      2.2MB

    • MD5

      f6fb923848c026c2bbc5e848ca73f435

    • SHA1

      48962add4a532acb9b70da9eb5c1da37f81e8cd3

    • SHA256

      5bd87389c11f8773a10b6fce8d1929e9c1b754c4552b134df1557db17cc21cbc

    • SHA512

      9be69e9f5502cdfb6045e07ae720fb4e0598b255d5107ccd61ee1228c27db47d88c13bff0a0c8080aafaa2b133d27b66a4d764b9671197f1a7f3dee2821672b2

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ5:0UzeyQMS4DqodCnoe+iitjWwwN

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks