General

  • Target

    JaffaCakes118_06a53ee9f2e8d48a07a009c222d3360e

  • Size

    2.6MB

  • Sample

    250518-lzk9maan31

  • MD5

    06a53ee9f2e8d48a07a009c222d3360e

  • SHA1

    544a60ad85999f09b9cc5b7ad01669ad8127f437

  • SHA256

    8698824cdfb28bd7e82da75cefdd013c34a64e706531bea75b727a7872dd39f4

  • SHA512

    c76637c8bb94d4ccf07d3f2c73c36de9b135be645aa667a08622ad9164921bb0214ede78c53009e2a1c1728919a0a3b790001fdbafbdb95b8bd6d6e50762a0c6

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlJ:86SIROiFJiwp0xlrlJ

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      JaffaCakes118_06a53ee9f2e8d48a07a009c222d3360e

    • Size

      2.6MB

    • MD5

      06a53ee9f2e8d48a07a009c222d3360e

    • SHA1

      544a60ad85999f09b9cc5b7ad01669ad8127f437

    • SHA256

      8698824cdfb28bd7e82da75cefdd013c34a64e706531bea75b727a7872dd39f4

    • SHA512

      c76637c8bb94d4ccf07d3f2c73c36de9b135be645aa667a08622ad9164921bb0214ede78c53009e2a1c1728919a0a3b790001fdbafbdb95b8bd6d6e50762a0c6

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlJ:86SIROiFJiwp0xlrlJ

    • Detects Mofksys worm

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Mofksys

      Mofksys is a worm written in Visual Basic.

    • Mofksys family

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks