| Technique | Description |
| --- | --- |
| Command and Scripting Interpreter: Windows Command Shell | MoonWind can execute commands via an interactive command shell. MoonWind uses batch scripts for various purposes, including restarting and uninstalling itself. |
| Create or Modify System Process | MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance. |
| Local Data Staging | MoonWind saves information from its keylogging routine as a .zip file in the present working directory. |
| | MoonWind encrypts C2 traffic using RC4 with a static key. |
| File and Directory Discovery | MoonWind has a command to return a directory listing for a specified directory. |
| | MoonWind can delete itself or specified files. |
| | MoonWind has a keylogger. |
| Non-Application Layer Protocol | MoonWind completes network communication via raw sockets. MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with those ports. |
| Peripheral Device Discovery | MoonWind obtains the number of removable drives from the victim. |
| | MoonWind has a command to return a list of running processes. |
| System Information Discovery | MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution. |
| System Network Configuration Discovery | MoonWind obtains the victim IP address. |
| System Owner/User Discovery | MoonWind obtains the victim username. |
| System Time Discovery | MoonWind obtains the victim’s current time. |