systembc | edd63c2e25e59ceb308a2ddc556b2287a831e6aa6703586fbf9b503687048c6b

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 21:14

Target

21c024d1cc5dcac2804b22809ad28a34_JaffaCakes118.exe
Size

244KB
MD5

21c024d1cc5dcac2804b22809ad28a34
SHA1

2b10e5ceff496e7a45d270927ce38a621d269b24
SHA256

edd63c2e25e59ceb308a2ddc556b2287a831e6aa6703586fbf9b503687048c6b
SHA512

bc6096cbd39407fb71a72d8797e50503169ed0e7df914fc22b8e8d1d164b259331a2efe5044ac3516feea87268170c83b98f20a741bfea6a2bbaca590ee64d93
SSDEEP

3072:foQ24WalUNg+AMEi6Ib8G1RA1N9w/1Ma+6bhSqkIuAnJi5e9jJ5Yg/YOJ5lI+SQR:fo4J+AXfaXjVuA9j8QIXq

Score

10^/10

systembc trojan

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
2512	fdeiag.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\corolina17.job	21c024d1cc5dcac2804b22809ad28a34_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2196	21c024d1cc5dcac2804b22809ad28a34_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2512	2384	taskeng.exe	31
PID 2384 wrote to memory of 2512	2384	taskeng.exe	31
PID 2384 wrote to memory of 2512	2384	taskeng.exe	31
PID 2384 wrote to memory of 2512	2384	taskeng.exe	31

C:\Windows\system32\taskeng.exe
taskeng.exe {BD9B7489-2791-494F-A398-BD8C95EB3A98} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\ProgramData\bhvxot\fdeiag.exe
  C:\ProgramData\bhvxot\fdeiag.exe start2
  2⤵
  - Executes dropped EXE
  PID:2512

C:\ProgramData\bhvxot\fdeiag.exe

Filesize
244KB

MD5
21c024d1cc5dcac2804b22809ad28a34

SHA1
2b10e5ceff496e7a45d270927ce38a621d269b24

SHA256
edd63c2e25e59ceb308a2ddc556b2287a831e6aa6703586fbf9b503687048c6b

SHA512
bc6096cbd39407fb71a72d8797e50503169ed0e7df914fc22b8e8d1d164b259331a2efe5044ac3516feea87268170c83b98f20a741bfea6a2bbaca590ee64d93

Download Submit
memory/2196-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2196-2-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2196-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2196-6-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2512-13-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download