socks5systemz | f4953dd47a1a35b12a94ce5c4fc5af2da86882070366a1684b8896a16bf636ec

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29e3ae47c7df4b865065a3fde56483fd.exe
Size

4.7MB
MD5

29e3ae47c7df4b865065a3fde56483fd
SHA1

61fefecb5575cde7bbcffad97671f19aa53479e4
SHA256

f4953dd47a1a35b12a94ce5c4fc5af2da86882070366a1684b8896a16bf636ec
SHA512

c2fb61e9d866c2c0114066b30a923949323b8824106aab2f1c0d5ab9e33b7afd2f40bf28288f26daaaf690ef2c547a0b4d1827d7b081173b9e08c5f76a235afe
SSDEEP

98304:Z3lXv+AIYyh+rUJ6K4RXf4M73r/BfohM+DmeDMpgTV:b+44+rUJ6K4RgqoXjYpg

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2584-79-0x0000000002BA0000-0x0000000002C42000-memory.dmp	family_socks5systemz
behavioral1/memory/2584-82-0x0000000002BA0000-0x0000000002C42000-memory.dmp	family_socks5systemz
behavioral1/memory/2584-91-0x0000000002BA0000-0x0000000002C42000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2716	29e3ae47c7df4b865065a3fde56483fd.tmp
2736	jsbaseclasses.exe
2584	jsbaseclasses.exe

Loads dropped DLL 5 IoCs

pid	Process
1896	29e3ae47c7df4b865065a3fde56483fd.exe
2716	29e3ae47c7df4b865065a3fde56483fd.tmp
2716	29e3ae47c7df4b865065a3fde56483fd.tmp
2716	29e3ae47c7df4b865065a3fde56483fd.tmp
2716	29e3ae47c7df4b865065a3fde56483fd.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	29e3ae47c7df4b865065a3fde56483fd.tmp
2716	29e3ae47c7df4b865065a3fde56483fd.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2736	jsbaseclasses.exe
Token: SeSecurityPrivilege	2584	jsbaseclasses.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	29e3ae47c7df4b865065a3fde56483fd.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2716	1896	29e3ae47c7df4b865065a3fde56483fd.exe	15
PID 1896 wrote to memory of 2716	1896	29e3ae47c7df4b865065a3fde56483fd.exe	15
PID 1896 wrote to memory of 2716	1896	29e3ae47c7df4b865065a3fde56483fd.exe	15
PID 1896 wrote to memory of 2716	1896	29e3ae47c7df4b865065a3fde56483fd.exe	15
PID 1896 wrote to memory of 2716	1896	29e3ae47c7df4b865065a3fde56483fd.exe	15
PID 1896 wrote to memory of 2716	1896	29e3ae47c7df4b865065a3fde56483fd.exe	15
PID 1896 wrote to memory of 2716	1896	29e3ae47c7df4b865065a3fde56483fd.exe	15
PID 2716 wrote to memory of 2844	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	29
PID 2716 wrote to memory of 2844	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	29
PID 2716 wrote to memory of 2844	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	29
PID 2716 wrote to memory of 2844	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	29
PID 2716 wrote to memory of 2736	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	31
PID 2716 wrote to memory of 2736	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	31
PID 2716 wrote to memory of 2736	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	31
PID 2716 wrote to memory of 2736	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	31
PID 2844 wrote to memory of 2668	2844	net.exe	30
PID 2844 wrote to memory of 2668	2844	net.exe	30
PID 2844 wrote to memory of 2668	2844	net.exe	30
PID 2844 wrote to memory of 2668	2844	net.exe	30
PID 2716 wrote to memory of 2584	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	33
PID 2716 wrote to memory of 2584	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	33
PID 2716 wrote to memory of 2584	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	33
PID 2716 wrote to memory of 2584	2716	29e3ae47c7df4b865065a3fde56483fd.tmp	33

C:\Users\Admin\AppData\Local\Temp\29e3ae47c7df4b865065a3fde56483fd.exe
"C:\Users\Admin\AppData\Local\Temp\29e3ae47c7df4b865065a3fde56483fd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\is-SF4S4.tmp\29e3ae47c7df4b865065a3fde56483fd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SF4S4.tmp\29e3ae47c7df4b865065a3fde56483fd.tmp" /SL5="$4010C,4678638,54272,C:\Users\Admin\AppData\Local\Temp\29e3ae47c7df4b865065a3fde56483fd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 28
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 28
      4⤵
      PID:2668
- - C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe
    "C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe" -i
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe
    "C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe" -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe

Filesize
191KB

MD5
8557a68499ee848599c12dc22d966518

SHA1
2c66caa4fd8dae7b871495b6eca71d5367a04aaf

SHA256
252626b97a6c902acf06a9a10bc63363bcb9ded7e4e4a57ca29949e9d88d027a

SHA512
67a51e47a7a9d1234a0df659cd4280d58dfe5da9e37eae956d91d0df58778ff07b030b786efe7f80da6bb6abf273fe6ae9ae8df362e2a21d1540668b400e364d

Download Submit
C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe

Filesize
165KB

MD5
f19dd671dd68b22304f3eb069ecd4374

SHA1
ca9ebe8b7cdd733ae48894bdee40922c59130a56

SHA256
4eb9d0bfaaaa60e25b59f3b492eec7db8b4a12aad0735ec0c9dbbc5aa24e2b26

SHA512
473ff87f1162ad6949c32ea870f418c541ebaba69341797205c647e2664e8f692fd2f6af5fd56c3417c5efa0f921cf0135d95eb6908f2109014f53d16cb98413

Download Submit
C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe

Filesize
64KB

MD5
7a37871cb87cc19e41b4f95231cf80fa

SHA1
cb4c3a7e1968f36c55a646c0410fd285a6f405b2

SHA256
6787ee55e2141ea9e76329a8233b7fa39b872fc8fece2819e1ec54e92280e3fe

SHA512
038abe637baf8c738835ebcfa88cb670c2768245666e31dc5a33272a0ba080d6c9500d0c7622483cdaf7cc1c701340fe0b7c038e784ffa6673d8ccefda21fe3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SF4S4.tmp\29e3ae47c7df4b865065a3fde56483fd.tmp

Filesize
226KB

MD5
cc15d887e014673ad7eb05b9797fb3f4

SHA1
5fc826d263eeacfcfe535808e39c9e2cbe677033

SHA256
2f20715ff805cdb4bfa9ec7d378832d6c9389751006d94c9cffc95051c6edeea

SHA512
8cc73a8820710cadae9bd739ab5690ae2a264ae12d56cd71ac79ef3a5982577d0deaef5c88841f7cad355950f56e231d10ee19a1c3972a32a67cfb4f88174593

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SF4S4.tmp\29e3ae47c7df4b865065a3fde56483fd.tmp

Filesize
301KB

MD5
2b132d31965a93057662ccb2da617ed2

SHA1
4f559d13a72d7fa7e517343dcff00347f75550e7

SHA256
d4fc4b37dc2114149b145997c9740608f03ea17bffe3f21338f7c59af57a79c0

SHA512
cec1c87114fc278b83248bd778fa2c39a751a4700bc82f1a284d2531087894dc7799936895ac3d5111f0a84584b75d90ed2e45391eb441251e6bf23a2f217bd2

Download Submit
\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe

Filesize
172KB

MD5
55d07d9078eac1fe61b246c993ab9940

SHA1
ba7483c1359e81ffc7ebf7404926cbe3d0705d0c

SHA256
58adf1ae0d8ab774fc528a51a4d77c1cccd5a4cbdf96f04e8c6bec1ca8df2d25

SHA512
5a8993f05e1a4c48d73f7f940e6a5813e8e56f76c0b446debe3ba40d82ea3ff863f10787be8c53de5abec086ef46adae94007de630ae0b324ac63ab932cb02a9

Download Submit
\Users\Admin\AppData\Local\Temp\is-SF4S4.tmp\29e3ae47c7df4b865065a3fde56483fd.tmp

Filesize
353KB

MD5
75c8aea0f174c56f81b2461a53a43683

SHA1
af94e41f5ae53abb882f22dc2b2635962756d96e

SHA256
4e4a9aab959638db65bb45329c7e9e3c75c61c648910fe35d8a948cd6838dc41

SHA512
5bb49980df269ce3168c813dca7cf355dd699ae491a14fb83bf4a26837f63961fa7caeee5223b484b6d236f25378202bfcb299aedc1dc4500ef93ab485935c9b

Download Submit
\Users\Admin\AppData\Local\Temp\is-TJHCE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-TJHCE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1896-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1896-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2584-61-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-91-0x0000000002BA0000-0x0000000002C42000-memory.dmp

Filesize
648KB

Download
memory/2584-110-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-56-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-107-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-103-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-58-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-100-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-97-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-94-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-90-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-87-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-67-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-66-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-70-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-73-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-76-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2584-79-0x0000000002BA0000-0x0000000002C42000-memory.dmp

Filesize
648KB

Download
memory/2584-82-0x0000000002BA0000-0x0000000002C42000-memory.dmp

Filesize
648KB

Download
memory/2584-81-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2716-63-0x00000000053B0000-0x0000000005753000-memory.dmp

Filesize
3.6MB

Download
memory/2716-62-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2716-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2716-60-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2716-48-0x00000000053B0000-0x0000000005753000-memory.dmp

Filesize
3.6MB

Download
memory/2736-53-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2736-49-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2736-54-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2736-50-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download