m00nd3v_logger | 1d0072a7e0d448774a0fb8ce79442eb785f4127d78f76950c26957e20c2fe480

General

Target

a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe
Size

610KB
MD5

a9e83bcb97f41b4d4012d38070d39d55
SHA1

d0599a45c23609d3daf01b9f47739522bd8513d8
SHA256

1d0072a7e0d448774a0fb8ce79442eb785f4127d78f76950c26957e20c2fe480
SHA512

094f8438a29b808decbc77cf11f584bd7b8ca31bb43de885c24d0a66d79488be31e32b1983dfe8f2460ddd388224feba114622365c16001fea8e46d3657f93c2
SSDEEP

12288:uuIpsW5kLqcjz0nUHmQJ66l4hJ58qda3Gwipta/RIUS/F1Tdb0i5ZuRiK:uuqyOgOUHy6l4hJ5dda3GwzS/Fdddi

Score

10^/10

m00nd3v_logger infostealer persistence spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/948-3-0x0000000000B60000-0x0000000000BFE000-memory.dmp	m00nd3v_logger

Executes dropped EXE 2 IoCs

pid	Process
2292	jhonbook.exe
2820	jhonbook.exe

Loads dropped DLL 1 IoCs

pid	Process
948	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jhonbook = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jhonbook\\jhonbook.exe"	jhonbook.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhonbook = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jhonbook\\jhonbook.exe"	jhonbook.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2820	2292	jhonbook.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe
Token: SeDebugPrivilege	2292	jhonbook.exe
Token: SeDebugPrivilege	2820	jhonbook.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2292	948	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe	28
PID 948 wrote to memory of 2292	948	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe	28
PID 948 wrote to memory of 2292	948	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe	28
PID 948 wrote to memory of 2292	948	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29
PID 2292 wrote to memory of 2820	2292	jhonbook.exe	29

C:\Users\Admin\AppData\Local\Temp\a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe

Filesize
610KB

MD5
a9e83bcb97f41b4d4012d38070d39d55

SHA1
d0599a45c23609d3daf01b9f47739522bd8513d8

SHA256
1d0072a7e0d448774a0fb8ce79442eb785f4127d78f76950c26957e20c2fe480

SHA512
094f8438a29b808decbc77cf11f584bd7b8ca31bb43de885c24d0a66d79488be31e32b1983dfe8f2460ddd388224feba114622365c16001fea8e46d3657f93c2

Download Submit
memory/948-13-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/948-1-0x0000000000F60000-0x0000000000FFE000-memory.dmp

Filesize
632KB

Download
memory/948-2-0x00000000009B0000-0x0000000000A48000-memory.dmp

Filesize
608KB

Download
memory/948-3-0x0000000000B60000-0x0000000000BFE000-memory.dmp

Filesize
632KB

Download
memory/948-4-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/948-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2292-12-0x0000000000FA0000-0x000000000103E000-memory.dmp

Filesize
632KB

Download
memory/2292-14-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-15-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-22-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-21-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2820-19-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2820-16-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads