socks5systemz | f4953dd47a1a35b12a94ce5c4fc5af2da86882070366a1684b8896a16bf636ec

General

Target

29e3ae47c7df4b865065a3fde56483fd.exe
Size

4.7MB
MD5

29e3ae47c7df4b865065a3fde56483fd
SHA1

61fefecb5575cde7bbcffad97671f19aa53479e4
SHA256

f4953dd47a1a35b12a94ce5c4fc5af2da86882070366a1684b8896a16bf636ec
SHA512

c2fb61e9d866c2c0114066b30a923949323b8824106aab2f1c0d5ab9e33b7afd2f40bf28288f26daaaf690ef2c547a0b4d1827d7b081173b9e08c5f76a235afe
SSDEEP

98304:Z3lXv+AIYyh+rUJ6K4RXf4M73r/BfohM+DmeDMpgTV:b+44+rUJ6K4RgqoXjYpg

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 4 IoCs

resource	yara_rule
behavioral2/memory/2296-72-0x0000000002520000-0x00000000025C2000-memory.dmp	family_socks5systemz
behavioral2/memory/2296-82-0x0000000002520000-0x00000000025C2000-memory.dmp	family_socks5systemz
behavioral2/memory/2296-96-0x0000000002520000-0x00000000025C2000-memory.dmp	family_socks5systemz
behavioral2/memory/2296-95-0x0000000002520000-0x00000000025C2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
3116	29e3ae47c7df4b865065a3fde56483fd.tmp
4408	jsbaseclasses.exe
2296	jsbaseclasses.exe

Loads dropped DLL 1 IoCs

pid	Process
3116	29e3ae47c7df4b865065a3fde56483fd.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3116	29e3ae47c7df4b865065a3fde56483fd.tmp
3116	29e3ae47c7df4b865065a3fde56483fd.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4408	jsbaseclasses.exe
Token: SeSecurityPrivilege	2296	jsbaseclasses.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3116	29e3ae47c7df4b865065a3fde56483fd.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 3116	3416	29e3ae47c7df4b865065a3fde56483fd.exe	84
PID 3416 wrote to memory of 3116	3416	29e3ae47c7df4b865065a3fde56483fd.exe	84
PID 3416 wrote to memory of 3116	3416	29e3ae47c7df4b865065a3fde56483fd.exe	84
PID 3116 wrote to memory of 1632	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	85
PID 3116 wrote to memory of 1632	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	85
PID 3116 wrote to memory of 1632	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	85
PID 3116 wrote to memory of 4408	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	87
PID 3116 wrote to memory of 4408	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	87
PID 3116 wrote to memory of 4408	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	87
PID 1632 wrote to memory of 2552	1632	net.exe	88
PID 1632 wrote to memory of 2552	1632	net.exe	88
PID 1632 wrote to memory of 2552	1632	net.exe	88
PID 3116 wrote to memory of 2296	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	89
PID 3116 wrote to memory of 2296	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	89
PID 3116 wrote to memory of 2296	3116	29e3ae47c7df4b865065a3fde56483fd.tmp	89

C:\Users\Admin\AppData\Local\Temp\29e3ae47c7df4b865065a3fde56483fd.exe
"C:\Users\Admin\AppData\Local\Temp\29e3ae47c7df4b865065a3fde56483fd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\is-TASTA.tmp\29e3ae47c7df4b865065a3fde56483fd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TASTA.tmp\29e3ae47c7df4b865065a3fde56483fd.tmp" /SL5="$70064,4678638,54272,C:\Users\Admin\AppData\Local\Temp\29e3ae47c7df4b865065a3fde56483fd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 28
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 28
      4⤵
      PID:2552
- - C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe
    "C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe" -i
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe
    "C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe" -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe

Filesize
1.4MB

MD5
be1fdb28405486282f3a336ff5b40275

SHA1
eb752fbe97a87d4c6981681a48e7615a13f0590e

SHA256
3ad3dc0da85a7a34215294d4c7d72e93d210d701007c721f38b8956e7b7e7c9e

SHA512
0bc557840781070dc0ccf16db3f072fc7d7f57b73b9b70812eea50de4ec9a2d66181eacf5d89e94595c834a06995731e3c947442f9a9c27103fa8e277b5eb601

Download Submit
C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe

Filesize
1.3MB

MD5
2f8d52b1305df6f113819bdb208029f6

SHA1
f9beb9be8f7f60dd3a77528c4b14b9b51dfaef61

SHA256
7da38b0212e10e7014c253f8ef2ee66fc5ca43c37d839f43fb86af34039aaa1d

SHA512
f174ca2d177428fa7c8712789507d2954a085a20d6395f0bb0c5a91305d42a19f9164256f27e65d73fb5c8f240f2dcc21995cca4d2983d0db9b7224f0c19299e

Download Submit
C:\Users\Admin\AppData\Local\JS Base Classes\jsbaseclasses.exe

Filesize
589KB

MD5
09b32cffd4c66526951184bb9d44cdf1

SHA1
d6b0ec122286f306753f4d91e6585feaf9e279e5

SHA256
d458222c871549d74c2de3dda40a7185c9bf60182a253708d4181ed51d34d6b4

SHA512
d7fd91008865288d5c0e80c3b14accd3675a1f004285442a5ebdc1a55bd97a14602a53b387eea9740f0d84f98119111a68ad95bb3a7f778e51bc718649487b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGDK5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TASTA.tmp\29e3ae47c7df4b865065a3fde56483fd.tmp

Filesize
692KB

MD5
de887bada125978ded28b2b18ab84eaa

SHA1
63bad67b0120cfa82cc5c2462532853ac2b28ae0

SHA256
f6952954285b94d01481484de4d79cb2652214e4ca3fa353bf67fac05ce1586e

SHA512
c4ce206460627e9e3a4ea388f1d44c6842b1781e198eb024732b905684d502937d013b00fcb9eb8de40a5c7df7c13703197414a1f739c9e5197adc943dc49119

Download Submit
memory/2296-51-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-85-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-95-0x0000000002520000-0x00000000025C2000-memory.dmp

Filesize
648KB

Download
memory/2296-96-0x0000000002520000-0x00000000025C2000-memory.dmp

Filesize
648KB

Download
memory/2296-94-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-91-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-103-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-81-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-88-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-100-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-54-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-82-0x0000000002520000-0x00000000025C2000-memory.dmp

Filesize
648KB

Download
memory/2296-58-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-59-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-62-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-65-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-68-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-72-0x0000000002520000-0x00000000025C2000-memory.dmp

Filesize
648KB

Download
memory/2296-71-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2296-78-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/3116-55-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3116-53-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3116-7-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3416-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3416-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3416-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4408-45-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/4408-48-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/4408-47-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/4408-44-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing