General
-
Target
JaffaCakes118_06a53ee9f2e8d48a07a009c222d3360e
-
Size
2.6MB
-
Sample
250518-lzk9maan31
-
MD5
06a53ee9f2e8d48a07a009c222d3360e
-
SHA1
544a60ad85999f09b9cc5b7ad01669ad8127f437
-
SHA256
8698824cdfb28bd7e82da75cefdd013c34a64e706531bea75b727a7872dd39f4
-
SHA512
c76637c8bb94d4ccf07d3f2c73c36de9b135be645aa667a08622ad9164921bb0214ede78c53009e2a1c1728919a0a3b790001fdbafbdb95b8bd6d6e50762a0c6
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlJ:86SIROiFJiwp0xlrlJ
Behavioral task
behavioral1
Sample
JaffaCakes118_06a53ee9f2e8d48a07a009c222d3360e.exe
Resource
win10v2004-20250502-en
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
JaffaCakes118_06a53ee9f2e8d48a07a009c222d3360e
-
Size
2.6MB
-
MD5
06a53ee9f2e8d48a07a009c222d3360e
-
SHA1
544a60ad85999f09b9cc5b7ad01669ad8127f437
-
SHA256
8698824cdfb28bd7e82da75cefdd013c34a64e706531bea75b727a7872dd39f4
-
SHA512
c76637c8bb94d4ccf07d3f2c73c36de9b135be645aa667a08622ad9164921bb0214ede78c53009e2a1c1728919a0a3b790001fdbafbdb95b8bd6d6e50762a0c6
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlJ:86SIROiFJiwp0xlrlJ
-
Detects Mofksys worm
-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Mofksys family
-
Pony family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4