m00nd3v_logger | 1d0072a7e0d448774a0fb8ce79442eb785f4127d78f76950c26957e20c2fe480

General

Target

a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe
Size

610KB
MD5

a9e83bcb97f41b4d4012d38070d39d55
SHA1

d0599a45c23609d3daf01b9f47739522bd8513d8
SHA256

1d0072a7e0d448774a0fb8ce79442eb785f4127d78f76950c26957e20c2fe480
SHA512

094f8438a29b808decbc77cf11f584bd7b8ca31bb43de885c24d0a66d79488be31e32b1983dfe8f2460ddd388224feba114622365c16001fea8e46d3657f93c2
SSDEEP

12288:uuIpsW5kLqcjz0nUHmQJ66l4hJ58qda3Gwipta/RIUS/F1Tdb0i5ZuRiK:uuqyOgOUHy6l4hJ5dda3GwzS/Fdddi

Score

10^/10

m00nd3v_logger infostealer persistence spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/3280-5-0x0000000005B60000-0x0000000005BFE000-memory.dmp	m00nd3v_logger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3576	jhonbook.exe
2532	jhonbook.exe
1932	jhonbook.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhonbook = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jhonbook\\jhonbook.exe"	jhonbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jhonbook = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jhonbook\\jhonbook.exe"	jhonbook.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 1932	3576	jhonbook.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	jhonbook.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe
Token: SeDebugPrivilege	3576	jhonbook.exe
Token: SeDebugPrivilege	1932	jhonbook.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3576	3280	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe	93
PID 3280 wrote to memory of 3576	3280	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe	93
PID 3280 wrote to memory of 3576	3280	a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe	93
PID 3576 wrote to memory of 2532	3576	jhonbook.exe	94
PID 3576 wrote to memory of 2532	3576	jhonbook.exe	94
PID 3576 wrote to memory of 2532	3576	jhonbook.exe	94
PID 3576 wrote to memory of 1932	3576	jhonbook.exe	95
PID 3576 wrote to memory of 1932	3576	jhonbook.exe	95
PID 3576 wrote to memory of 1932	3576	jhonbook.exe	95
PID 3576 wrote to memory of 1932	3576	jhonbook.exe	95
PID 3576 wrote to memory of 1932	3576	jhonbook.exe	95
PID 3576 wrote to memory of 1932	3576	jhonbook.exe	95
PID 3576 wrote to memory of 1932	3576	jhonbook.exe	95
PID 3576 wrote to memory of 1932	3576	jhonbook.exe	95

C:\Users\Admin\AppData\Local\Temp\a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9e83bcb97f41b4d4012d38070d39d55_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe"
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4192,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jhonbook.exe.log

Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jhonbook\jhonbook.exe

Filesize
610KB

MD5
a9e83bcb97f41b4d4012d38070d39d55

SHA1
d0599a45c23609d3daf01b9f47739522bd8513d8

SHA256
1d0072a7e0d448774a0fb8ce79442eb785f4127d78f76950c26957e20c2fe480

SHA512
094f8438a29b808decbc77cf11f584bd7b8ca31bb43de885c24d0a66d79488be31e32b1983dfe8f2460ddd388224feba114622365c16001fea8e46d3657f93c2

Download Submit
memory/1932-24-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1932-36-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-33-0x0000000006350000-0x00000000063B6000-memory.dmp

Filesize
408KB

Download
memory/1932-32-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-31-0x0000000005300000-0x0000000005356000-memory.dmp

Filesize
344KB

Download
memory/1932-30-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/1932-29-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/1932-27-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-5-0x0000000005B60000-0x0000000005BFE000-memory.dmp

Filesize
632KB

Download
memory/3280-19-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-6-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/3280-4-0x00000000057E0000-0x0000000005878000-memory.dmp

Filesize
608KB

Download
memory/3280-3-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/3280-2-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/3280-1-0x0000000000D60000-0x0000000000DFE000-memory.dmp

Filesize
632KB

Download
memory/3576-22-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/3576-21-0x0000000003450000-0x00000000034E8000-memory.dmp

Filesize
608KB

Download
memory/3576-20-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/3576-28-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads