General

  • Target

    fc387b4d6ec8e8bcfb627877b666a395_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240928-nqx8yatepj

  • MD5

    fc387b4d6ec8e8bcfb627877b666a395

  • SHA1

    5e93a148502dc9816e8a772668348c6067af18ad

  • SHA256

    d56a9cf670f5d528f7f93f05a721398c83ac772f4f9a914f4d9af6e0b9e8518a

  • SHA512

    12477b79e8243f250e00c3b394078557165574d73730e16cb9f21144dab30d12798dd064fd68708e6d5cccdb41ac4d7306561f7a7115b3082dc496d206bd7823

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ/:0UzeyQMS4DqodCnoe+iitjWwwL

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      fc387b4d6ec8e8bcfb627877b666a395_JaffaCakes118

    • Size

      2.2MB

    • MD5

      fc387b4d6ec8e8bcfb627877b666a395

    • SHA1

      5e93a148502dc9816e8a772668348c6067af18ad

    • SHA256

      d56a9cf670f5d528f7f93f05a721398c83ac772f4f9a914f4d9af6e0b9e8518a

    • SHA512

      12477b79e8243f250e00c3b394078557165574d73730e16cb9f21144dab30d12798dd064fd68708e6d5cccdb41ac4d7306561f7a7115b3082dc496d206bd7823

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ/:0UzeyQMS4DqodCnoe+iitjWwwL

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
