General

  • Target

    JaffaCakes118_0d3fbdf3c146bb42aefe8475a5db5eb9

  • Size

    2.2MB

  • Sample

    250604-gwdyxs1qx8

  • MD5

    0d3fbdf3c146bb42aefe8475a5db5eb9

  • SHA1

    d198c855f1d227e5f2bf79f3eac0e1f415261dd9

  • SHA256

    cfd4ead519889e0213f3a16d6014d2d4c3225a81386022d3706dbde71d7b0b47

  • SHA512

    307fffea73a97dc53d2f67e2646cc603e054cb8a42b7c9b027ce014d39197685a9e219f244da3e350d82d4d66e00f79154512590a47bf6406e6be25ecb33a426

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZD:0UzeyQMS4DqodCnoe+iitjWwwH

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe
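
The extracted configuration gives two network indicators (the C2 gate and the payload URL, both on the same host) plus the file hashes from the General section. The following is an added example, not part of the sandbox report: it matches those indicators against Squid-style proxy log lines and checks a file's hashes against the report's values. The log lines are constructed, and the observation that Pony reports to its gate with an HTTP POST is general Pony behaviour rather than something this report states.

```python
"""Match the Pony indicators from the report against proxy logs and file hashes.

Added example; not part of the sandbox report. Indicator values are the ones the
report lists; the proxy log lines below are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlsplit

# From the report's "Malware Config" section.
PONY_C2_URL = "http://don.service-master.eu/gate.php"
PONY_PAYLOAD_URL = "http://don.service-master.eu/shit.exe"

# From the report's "General" section.
SAMPLE_HASHES = {
    "md5": "0d3fbdf3c146bb42aefe8475a5db5eb9",
    "sha1": "d198c855f1d227e5f2bf79f3eac0e1f415261dd9",
    "sha256": "cfd4ead519889e0213f3a16d6014d2d4c3225a81386022d3706dbde71d7b0b47",
}

# Both URLs share a host, so alert on the host as well as the two exact paths.
C2_HOST = urlsplit(PONY_C2_URL).hostname
IOC_PATHS = {
    urlsplit(PONY_C2_URL).path: "pony-c2-gate",
    urlsplit(PONY_PAYLOAD_URL).path: "pony-payload-download",
}

# Constructed Squid access.log lines (not taken from the report).
SAMPLE_PROXY_LOG = """\
1717500000.123    210 10.0.0.15 TCP_MISS/200 1894 POST http://don.service-master.eu/gate.php - HIER_DIRECT/203.0.113.9 text/html
1717500001.456    180 10.0.0.15 TCP_MISS/200 2307532 GET http://don.service-master.eu/shit.exe - HIER_DIRECT/203.0.113.9 application/octet-stream
1717500002.789     40 10.0.0.22 TCP_HIT/200 512 GET http://example.com/index.html - HIER_NONE/- text/html
1717500003.012     95 10.0.0.31 TCP_MISS/404 300 GET http://don.service-master.eu/other - HIER_DIRECT/203.0.113.9 text/html
"""

# Squid native format: timestamp elapsed client code/status bytes method URL ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def match_proxy_log(log_text):
    """Return one hit per line whose URL is on the C2 host, tagged by exact path if known."""
    hits = []
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.hostname != C2_HOST:
            continue
        hits.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "method": m.group("method"),
            "url": m.group("url"),
            "ioc": IOC_PATHS.get(parts.path, "pony-c2-host"),
        })
    return hits


def pony_beacon_is_post(hit):
    """Pony submits its stolen-credential report to gate.php with an HTTP POST;
    a GET to the gate is more likely a scanner or an analyst than the stealer."""
    return hit["ioc"] == "pony-c2-gate" and hit["method"] == "POST"


def hash_matches(data):
    """Return the set of algorithms for which `data` hashes to the report's values."""
    return {algo for algo, expected in SAMPLE_HASHES.items()
            if hashlib.new(algo, data).hexdigest() == expected}


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(hit, "beacon" if pony_beacon_is_post(hit) else "")
    # Constructed input, so no algorithm matches; feed real file bytes to check a sample.
    print(hash_matches(b"not the sample"))
```

Point `match_proxy_log` at real access.log text and `hash_matches` at the bytes of a suspect file; a hit tagged `pony-c2-host` on a path other than the two listed is still worth a look, since loaders commonly serve several filenames from one host.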

Targets

    • Target

      JaffaCakes118_0d3fbdf3c146bb42aefe8475a5db5eb9

    • Size

      2.2MB

    • MD5

      0d3fbdf3c146bb42aefe8475a5db5eb9

    • SHA1

      d198c855f1d227e5f2bf79f3eac0e1f415261dd9

    • SHA256

      cfd4ead519889e0213f3a16d6014d2d4c3225a81386022d3706dbde71d7b0b47

    • SHA512

      307fffea73a97dc53d2f67e2646cc603e054cb8a42b7c9b027ce014d39197685a9e219f244da3e350d82d4d66e00f79154512590a47bf6406e6be25ecb33a426

    • SSDEEP

      24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZD:0UzeyQMS4DqodCnoe+iitjWwwH

    • Detects Mofksys worm

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Mofksys

      Mofksys is a worm written in Visual Basic.

    • Mofksys family

    • Pony family

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan that harvests stored passwords from browsers, FTP and email clients, reports them to its C2 gate, and can download and run additional payloads, which is what the payload_url in the extracted configuration is for.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under Active Setup on the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<id>), whose StubPath command Windows runs once for each user at their next logon.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
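
The signature list above names four registry-based behaviours: Winlogon modification, Active Setup, a Run key, and the Explorer hidden/system-file settings. The following is an added example, not part of the sandbox report or of either malware family's code: it evaluates registry value-set events shaped like Sysmon Event ID 13 records against rules for those four behaviours, so the same logic can be run over real telemetry. The events, paths and value data below are constructed; the ATT&CK sub-technique IDs are the standard ones for each behaviour.

```python
"""Classify registry value-set events into the persistence/defence-evasion
techniques the report flags (Winlogon, Active Setup, Run key, Explorer settings).

Added example; not part of the sandbox report. Events mirror the fields of
Sysmon Event ID 13 (Image, TargetObject, Details); all sample data is invented.
"""
import re

# Stock values for the two Winlogon entries that run code at logon; anything else
# (an appended ",C:\path\x.exe" is the usual pattern) is a modification.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}

# Explorer\Advanced values that, set as shown, hide files or extensions from the user.
EXPLORER_HIDING_VALUES = {"hidden": "2", "showsuperhidden": "0", "hidefileext": "1"}

WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)
RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
EXPLORER_RE = re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden|HideFileExt)$", re.I)


def _norm(value):
    """Case-fold and drop the trailing comma Windows keeps on Userinit."""
    return value.strip().lower().rstrip(",")


def classify(event):
    """Return {technique, name} for a suspicious value set, or None for benign writes."""
    target, data = event["target"], str(event["data"])
    m = WINLOGON_RE.search(target)
    if m:
        if _norm(data) != WINLOGON_DEFAULTS[m.group(1).lower()]:
            return {"technique": "T1547.004", "name": "Winlogon Helper DLL (Shell/Userinit modified)"}
        return None  # Windows itself rewrites these with the defaults
    if ACTIVE_SETUP_RE.search(target):
        return {"technique": "T1547.014", "name": "Active Setup (StubPath added)"}
    if RUN_KEY_RE.search(target):
        return {"technique": "T1547.001", "name": "Registry Run Keys"}
    m = EXPLORER_RE.search(target)
    if m and data.strip() == EXPLORER_HIDING_VALUES[m.group(1).lower()]:
        return {"technique": "T1564.001", "name": "Hidden Files and Directories (Explorer settings)"}
    return None


def triage(events):
    """Keep only the events that classify as a technique, with the writing process."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"image": ev["image"], "target": ev["target"], **hit})
    return findings


# Constructed events (invented paths and values), one per flagged behaviour plus
# three benign writes that the rules must not fire on.
DROPPED = r"C:\Users\victim\AppData\Roaming\dropped.exe"
SAMPLE_EVENTS = [
    {"image": DROPPED,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "data": "explorer.exe," + DROPPED},
    {"image": DROPPED,
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000-0000}\StubPath",
     "data": DROPPED},
    {"image": DROPPED,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": DROPPED},
    {"image": DROPPED,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "data": "0"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "data": "Explorer.exe"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "data": "1"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo\DisplayName",
     "data": "Foo"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["technique"], f["name"], "<-", f["image"])
```

On a live host the same four rules translate directly into a query of the Sysmon operational log filtered to Event ID 13, or into a Sigma rule; the Winlogon comparison against the stock value is what keeps Windows' own rewrites of Shell and Userinit from producing noise.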

MITRE ATT&CK Enterprise v16

Tasks