General

  • Target

    pony.zip

  • Size

    871KB

  • Sample

    250527-t1rf2axjs8

  • MD5

    9057f52334d8a8dd2c761bcf19497c7e

  • SHA1

    c5d7d5d800c55150a62f3126897478e88e96a54a

  • SHA256

    a7bdacee23bb52b8cd6c627b2b2df62749005e7e7295be745d6b4fa1b7d56484

  • SHA512

    56d00decb41f9feb42d6553743a8deac023de6f1210e6e0b9c4f1e657227e656255108cf37406526f5ba6f984e3d732ef71a1a3eb68143462c0517a96e50fe09

  • SSDEEP

    24576:PtLxo/rSgG2BMVvLthZtdcTT6SIA3AaAhq1:PtLSSgGbFdW2SIA3AaAhq1

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      106fabcf10a5c5486f09e47e794bfef6_JaffaCakes118

    • Size

      2.2MB

    • MD5

      106fabcf10a5c5486f09e47e794bfef6

    • SHA1

      0595d89d7bf50325b638e3e516b9657c9d3fb262

    • SHA256

      cb039353e255aae53e4b500a6f1d0e98e3e688c0a4bc693582dc8238250c1e39

    • SHA512

      8b0fb35471ff680bbdd9c54a40bc12a85f09d3c1c6948143b77dd8ced2eecb72a76f51dd790ac456c9b31b239cf2c18253ebb9f50b3aa90d0bd3e2d828e4040e

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ1:0UzeyQMS4DqodCnoe+iitjWwwR

    • Detects Mofksys worm

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Mofksys

      Mofksys is a worm written in Visual Basic.

    • Mofksys family

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks