General

  • Target

    JaffaCakes118_093d9e72aa8ea53a785291c3df1d99af

  • Size

    2.2MB

  • Sample

    250525-3sr72axpt9

  • MD5

    093d9e72aa8ea53a785291c3df1d99af

  • SHA1

    e4a4de5cebd73d00e383ffe3a5f58a5f5380da4e

  • SHA256

    fff8f3c1f036baba47baedb65be9c6abb0d581637c6f253010a5a8339b77f6c7

  • SHA512

    3ecbf1bf36ceca8be435591e80df97503eb1bda9bc71d68ccf8b1ae275f9f2c5b7ae6c0d45308d6c6795e7adf3bef1e2218a863beada37c01f1b75d68df44598

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZt:0UzeyQMS4DqodCnoe+iitjWwwJ

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Detects Mofksys worm

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Mofksys

      Mofksys is a worm written in Visual Basic.

    • Mofksys family

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks