Overview

overview

10

Static

static

10

server.exe

windows7-x64

8

server.exe

windows10-2004-x64

8

server.out

ubuntu-18.04-amd64

7

socks.out

ubuntu-18.04-amd64

7

www/system...ip2.js

windows7-x64

1

www/system...ip2.js

windows10-2004-x64

1

www/system...x.html

windows7-x64

1

www/system...x.html

windows10-2004-x64

1

www/system...ord.js

windows7-x64

1

www/system...ord.js

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    35da946b55a7125ac91be532a686c501.zip

  • Size

    27.3MB

  • Sample

    230509-fhzg2aec72

  • MD5

    124c7d3fd6012d5e1236d66d35da9cb2

  • SHA1

    430ed90e5b2d603e43745b1a62a8d66039b1c811

  • SHA256

    d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4

  • SHA512

    8554ca61eef6136efd5fbedc4c68aaaa9dca77723ed596fd5950a3f2f99f3a1d8776ef7f4ec39ccf88d9c8ebd5d0cb5a073f777aaf6ea8701869948774d2f73a

  • SSDEEP

    786432:+1HVpI/ZHgDZAgSjEcIiQKFoPIj84PLNA57cZqToX:a1emAGnbIj84PJAcZG4

Score
10/10
systembcevasionlinuxpersistence

Malware Config

Extracted

Family

systembc

C2

87.244.158.94

Targets

    • Target

      server.exe

    • Size

      22KB

    • MD5

      3e5b7dedb99563e687b56384bcd24823

    • SHA1

      17425dd4f9c65e1a5c8b4bcbef298d4dc625ae30

    • SHA256

      c154d0f2c61353e96026f7036e79e8217b078bbf1947d7a2d7753cab657022f1

    • SHA512

      ee97b1e8ab38bced198206a8b78d324c43df4eeb5bd96d484569cafe5527a55b52736708d7e38fcf2925f252e823efe894b5cae443025580c1507c0d920ad389

    • SSDEEP

      384:IMWFbYuh12fGSjkd867JswS/oyVFiGspJjHO5rf1k7SWOoD21pE3nZ6IML:I38uhkfGS8W/rVFiGspJGrq7SAspcyL

    Score
    8/10
    evasion

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    behavioral1behavioral2

    • Target

      server.out

    • Size

      15KB

    • MD5

      4e0a5548d669fb559fc9557c29d1300d

    • SHA1

      20c475d06b77ea4078db08814acebc6c9d8a47ca

    • SHA256

      b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4

    • SHA512

      7f128a3110bea36b22a3f784b991f0a4b44f2c01a5df837ac0badb3742f8da742f0bd971fa492829db413c9f69b6dd8c64ec6934b33da4ef11d0025522878dbb

    • SSDEEP

      192:GflaEbxJEYalA9qF9Aig5B7PNTa8EBiB6hygBCyftVm5cmF4tGEApxn:3UClA9kxg/FTyUM4gBCyftV2342px

    Score
    7/10
    persistence

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Executes dropped EXE

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral3

    • Target

      socks.out

    • Size

      6KB

    • MD5

      345b602eef289ed62c556690a99038a2

    • SHA1

      7dd9def613ae3aa30f66326cb9ad724431ac69de

    • SHA256

      5da486c1d5024f144333032ffbeae9f8e6de951f6633791861055564952ee779

    • SHA512

      1066d90edecea83f1773169a0d7d6a0635904ff284c83d0ca9fc04751b967795b2e68ffb636350dc7697e05298ce0e82af0dad23e27a05843af07a094491e0b9

    • SSDEEP

      96:GRSSjU6eW+vxLCFCOE7JV4Gix/5UB/bEbZ4hrClAcrOX/YLHZHPst/8+CyA:G/+MMOEgGo/5GE99k

    Score
    7/10
    persistence

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Executes dropped EXE

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral4

    • Target

      www/systembc/geoip/geoip2.phar

    • Size

      347KB

    • MD5

      71d14334860b780ee91902ea71d7518a

    • SHA1

      7316e1354447c369fd991d5a7db6b923f3c886f0

    • SHA256

      7f7a6ba15f126642ea88c6cf9354f561f6fb86948dd713ac3d8af5d169d25128

    • SHA512

      bb42ebf6e9203175cc2cc3aaa6d20b0fbe56d1dfa0545513dc55c4efd8876514b0a22d7289cebd7cc36319342eed061df801efd391e5e85bcbc9dbc0ff4dc319

    • SSDEEP

      6144:VsRsRTZMPNc5Wb7qxz7d9/UaNR6dTd4tL2b0ObTDdTDFTXjR7:VsRsRTZMPNce+1576f4tLe0ObTpNjR7

    Score
    1/10
    behavioral5behavioral6

    • Target

      www/systembc/index.html

    • Size

      16B

    • MD5

      f5a101e1a581bd03a5709b5c36f4c9c5

    • SHA1

      86548e7c6168d3d05819da7b4c4c94547bea43b5

    • SHA256

      a14b2375d7042a76207b40292ea3b5dec759b9908c566d5701493e1e6b381242

    • SHA512

      df6337bd65e4e4a01c256d55eb4cb11576e5b1da2c729c8b251a2f4752fb3128aa91667d58b938aec334651ea30b420a90459214f05cc70b8cda6b6d67564e9a

    Score
    1/10
    behavioral7behavioral8

    • Target

      www/systembc/password.php

    • Size

      27KB

    • MD5

      ce9b584da52e18399c530107c200f8bd

    • SHA1

      0d140fa337d37f918a458fea1b5a82615cdb0d9c

    • SHA256

      236cff4506f94c8c1059c8545631fa2dcd15b086c1ade4660b947b59bdf2afbd

    • SHA512

      ff913bca81b75f26302db3800c58a73d6f40bb0aa48891a3debd28c935159f3d254e0a973d0a24fbec25fc6200669f21a2e24dcad3cbeb07bfd895e645363214

    • SSDEEP

      384:MeSVqSRuqKadY/Bw5WVjg/wz/LTtwZh9N65:mVrRC/3LUh65

    Score
    1/10
    behavioral10behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

2
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

2
T1053

Privilege Escalation

Scheduled Task

2
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks