systembc | 365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08

Resubmissions

17-04-2024 09:29

240417-lf1vzaah95 10

17-04-2024 09:29

17-04-2024 09:29

17-04-2024 09:28

17-04-2024 09:28

16-04-2024 13:46

Analysis

max time kernel
300s
max time network
304s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
Size

30KB
MD5

2ad2c7b5700f4246447b90f07ec5359b
SHA1

e9bf283f6dba0c0707a748fbd4a7c6f0c330f7d7
SHA256

365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08
SHA512

625090c4b634c6d95b08bc8965d7445307c242ca9d6fb9e17cf402e82de317c33b21a3a894ec9ff12fbffa2c4fd17d7647c5db3414b81c6f48f565dd2257214c
SSDEEP

768:j4Fd5REMkNoYKNen9OztmVWj9n52yoJImwJcaP:+1EMkNoxMgYVen0yoif

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

gmstar23.xyz:4044

scgsdstat14tp.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

jrimaur.exe

pid process

1296 jrimaur.exe
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 88.216.223.5
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

pid	process
1296	jrimaur.exe

description	ioc
Destination IP	88.216.223.5

flow	ioc
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

description	ioc	process
File created	C:\Windows\Tasks\jrimaur.job	365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
File opened for modification	C:\Windows\Tasks\jrimaur.job	365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

pid process

2032 365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

pid	process
2032	365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2060 wrote to memory of 1296	2060	taskeng.exe	jrimaur.exe
PID 2060 wrote to memory of 1296	2060	taskeng.exe	jrimaur.exe
PID 2060 wrote to memory of 1296	2060	taskeng.exe	jrimaur.exe
PID 2060 wrote to memory of 1296	2060	taskeng.exe	jrimaur.exe

C:\Users\Admin\AppData\Local\Temp\365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
"C:\Users\Admin\AppData\Local\Temp\365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\system32\taskeng.exe
taskeng.exe {FE298BB0-D7BD-4530-A342-EC7D7AA51693} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\ProgramData\mjxgj\jrimaur.exe
C:\ProgramData\mjxgj\jrimaur.exe start
2⤵
- Executes dropped EXE
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mjxgj\jrimaur.exe
Filesize
30KB

MD5
2ad2c7b5700f4246447b90f07ec5359b

SHA1
e9bf283f6dba0c0707a748fbd4a7c6f0c330f7d7

SHA256
365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08

SHA512
625090c4b634c6d95b08bc8965d7445307c242ca9d6fb9e17cf402e82de317c33b21a3a894ec9ff12fbffa2c4fd17d7647c5db3414b81c6f48f565dd2257214c

Download Submit