General
Target: pony.zip
Size: 871KB
Sample: 250527-t1rf2axjs8
MD5: 9057f52334d8a8dd2c761bcf19497c7e
SHA1: c5d7d5d800c55150a62f3126897478e88e96a54a
SHA256: a7bdacee23bb52b8cd6c627b2b2df62749005e7e7295be745d6b4fa1b7d56484
SHA512: 56d00decb41f9feb42d6553743a8deac023de6f1210e6e0b9c4f1e657227e656255108cf37406526f5ba6f984e3d732ef71a1a3eb68143462c0517a96e50fe09
SSDEEP: 24576:PtLxo/rSgG2BMVvLthZtdcTT6SIA3AaAhq1:PtLSSgGbFdW2SIA3AaAhq1
Behavioral task
behavioral1
Sample: 106fabcf10a5c5486f09e47e794bfef6_JaffaCakes118.exe
Resource: win11-20250502-en

Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Targets
Target: 106fabcf10a5c5486f09e47e794bfef6_JaffaCakes118
Size: 2.2MB
MD5: 106fabcf10a5c5486f09e47e794bfef6
SHA1: 0595d89d7bf50325b638e3e516b9657c9d3fb262
SHA256: cb039353e255aae53e4b500a6f1d0e98e3e688c0a4bc693582dc8238250c1e39
SHA512: 8b0fb35471ff680bbdd9c54a40bc12a85f09d3c1c6948143b77dd8ced2eecb72a76f51dd790ac456c9b31b239cf2c18253ebb9f50b3aa90d0bd3e2d828e4040e
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ1:0UzeyQMS4DqodCnoe+iitjWwwR

- Detects Mofksys worm
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Mofksys family
- Pony family
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16

Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)