| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine whether the malware is running; if not, it spawns a new instance.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | MoonWind encrypts C2 traffic using RC4 with a static key.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | MoonWind can execute commands via an interactive command shell.[1] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | MoonWind obtains the number of removable drives from the victim.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | MoonWind saves information from its keylogging routine as a .zip file in the present working directory.[1] |
| Enterprise | T1083 | File and Directory Discovery | MoonWind has a command to return a directory listing for a specified directory.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1082 | System Information Discovery | MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.[1] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1057 | Process Discovery | MoonWind has a command to return a list of running processes.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | MoonWind completes network communication via raw sockets.[1] |
| Enterprise | T1571 | Non-Standard Port | MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.[1] |
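The T1573.001 row states that MoonWind's C2 traffic is RC4 with a static key. The practical consequence for an analyst is that RC4 with a fixed key and no per-message nonce produces the same keystream for every message, so a known plaintext from one message recovers the keystream prefix and decrypts every other message of that length without the key. The following is an added example, not code from the ATT&CK page or from the cited MoonWind report: the RC4 routine is a standard implementation, and the key (`STATIC_KEY`) and the two beacon messages are constructed stand-ins, not MoonWind's real key or traffic.

```python
"""RC4 with a static key: decryption, and keystream reuse across messages."""

# Hypothetical static key for the demonstration; MoonWind's real key is not on this page.
STATIC_KEY = b"example-static-key"


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def keystream_from_known_plaintext(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """With a fixed key and no nonce, plaintext XOR ciphertext is the keystream prefix."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Decrypt as much of another message as the recovered keystream covers."""
    return bytes(k ^ c for k, c in zip(keystream, ciphertext))


def demonstrate_keystream_reuse() -> dict:
    """Two constructed C2 messages under the same static key; recover the
    second from the first without ever using STATIC_KEY for decryption."""
    msg_a = b"GET /beacon?id=victim01 HTTP/1.1\r\n"      # constructed sample
    msg_b = b"GET /cmd?id=victim02&task=dir HTTP/1.1\r\n"  # constructed sample
    ct_a = rc4(STATIC_KEY, msg_a)
    ct_b = rc4(STATIC_KEY, msg_b)
    # Keystream reuse: ct_a XOR ct_b equals msg_a XOR msg_b over the shared length.
    xor_ct = bytes(a ^ b for a, b in zip(ct_a, ct_b))
    xor_pt = bytes(a ^ b for a, b in zip(msg_a, msg_b))
    # Known plaintext for message A yields the keystream prefix; apply it to B.
    ks = keystream_from_known_plaintext(msg_a, ct_a)
    recovered_b = decrypt_with_keystream(ks, ct_b)
    return {
        "msg_a": msg_a,
        "msg_b": msg_b,
        "ct_a": ct_a,
        "ct_b": ct_b,
        "xor_relation_holds": xor_ct == xor_pt,
        "recovered_prefix_of_b": recovered_b,
        "roundtrip_ok": rc4(STATIC_KEY, ct_b) == msg_b,
    }


if __name__ == "__main__":
    result = demonstrate_keystream_reuse()
    print("XOR relation holds:", result["xor_relation_holds"])
    print("Recovered from B without the key:", result["recovered_prefix_of_b"])
```

The same `rc4` function is what you would point at captured MoonWind traffic once the key has been pulled from a sample; the keystream-reuse path is what remains available when it has not, provided any one message (a beacon with a predictable format is the usual candidate) can be guessed.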
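The T1095 and T1571 rows together describe the network signature: raw-socket traffic to ports 80, 443, 53 and 8080 that is not HTTP, TLS or DNS. A network monitor that identifies protocols by content rather than port (Zeek's dynamic protocol detection, for instance) leaves its `service` field empty on such connections while bytes still flow in both directions, and that mismatch is what the following detection keys on. This is an added example, not code from the ATT&CK page or from the cited report; the conn.log-style records are constructed, the expected-service table is an assumption about what the sensor normally labels, and the payload-size threshold exists so that unanswered scans and resets, which also carry no protocol label, are not flagged.

```python
"""Flag connections on well-known ports whose payload was not the expected protocol."""
import json
from collections import defaultdict

# Assumed service labels a Zeek-style sensor normally assigns on these ports.
# MoonWind talks raw sockets on exactly these ports, so the label is absent.
EXPECTED_SERVICE = {80: {"http"}, 443: {"ssl", "tls"}, 53: {"dns"}, 8080: {"http"}}

# Constructed Zeek conn.log records in JSON form (not a real MoonWind capture).
# In JSON output an unidentified protocol simply omits the "service" key.
SAMPLE_CONN_LOG = """\
{"ts": 1700000001.0, "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 2100, "resp_bytes": 9800}
{"ts": 1700000002.0, "uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 512, "resp_bytes": 256}
{"ts": 1700000003.0, "uid": "C3", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 53, "proto": "tcp", "orig_bytes": 300, "resp_bytes": 180}
{"ts": 1700000004.0, "uid": "C4", "id.orig_h": "10.0.0.8", "id.resp_h": "203.0.113.20", "id.resp_p": 80, "proto": "tcp", "service": "http", "orig_bytes": 400, "resp_bytes": 15000}
{"ts": 1700000005.0, "uid": "C5", "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.7", "id.resp_p": 8080, "proto": "tcp", "orig_bytes": 0, "resp_bytes": 0}
{"ts": 1700000006.0, "uid": "C6", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 8080, "proto": "tcp", "orig_bytes": 1024, "resp_bytes": 4096}
{"ts": 1700000007.0, "uid": "C7", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.53", "id.resp_p": 53, "proto": "udp", "service": "dns", "orig_bytes": 60, "resp_bytes": 120}
"""


def parse_conn_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_port_protocol_mismatch(records, min_bytes=1):
    """Return connections on a watched port whose identified service (if any)
    is not what that port normally carries, ignoring connections with no
    payload in either direction (scans, resets, half-open handshakes)."""
    hits = []
    for r in records:
        port = r.get("id.resp_p")
        if port not in EXPECTED_SERVICE:
            continue
        if r.get("orig_bytes", 0) < min_bytes or r.get("resp_bytes", 0) < min_bytes:
            continue
        # Zeek may stack labels ("http,ssl"); treat the field as a set.
        service = r.get("service") or ""
        labels = {s for s in service.split(",") if s}
        if labels & EXPECTED_SERVICE[port]:
            continue
        hits.append({
            "uid": r["uid"],
            "orig_h": r["id.orig_h"],
            "resp_h": r["id.resp_h"],
            "resp_p": port,
            "proto": r.get("proto"),
            "service": service or "-",
        })
    return hits


def ports_per_destination(hits):
    """Group flagged ports by destination: one host reached on several
    well-known ports with unidentified payload is the MoonWind pattern."""
    by_dst = defaultdict(set)
    for h in hits:
        by_dst[h["resp_h"]].add(h["resp_p"])
    return dict(by_dst)


if __name__ == "__main__":
    flagged = flag_port_protocol_mismatch(parse_conn_log(SAMPLE_CONN_LOG))
    for h in flagged:
        print(h)
    print(ports_per_destination(flagged))
```

Against the constructed records, the TLS, HTTP and DNS connections pass, the empty 8080 connection is skipped as payload-less, and the three data-carrying connections to 198.51.100.7 on 443, 53 and 8080 are flagged and roll up to a single destination touched on three ports.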