systembc | 5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 13:48

Target

aa00750f0df31493289bf07719cefd5e_JaffaCakes118.exe
Size

247KB
MD5

aa00750f0df31493289bf07719cefd5e
SHA1

3c5b53cea10a28b955d1224ec2d293c639874593
SHA256

5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f
SHA512

cc679227e4e137885cfbf475e89f5832cbb3009b2e95aba661b6f2c973bc56672480e3c695daca6acf825fafcc8bc7e667ab92eb81da2d1aeb7d66deb55d7704
SSDEEP

3072:276owQOcspP2oUK8QXAu+0l66bddxcmFEwDZo+7H8/RhxzQiHAZsHFpEWz5DwbDV:WjO1d8EAu+0lRMFmHb6pEo8s3Eg5

Score

10^/10

systembc trojan

Family

systembc

217.8.117.114:4062

213.159.213.225:4062

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
2644	qwjh.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\qwjh.job	aa00750f0df31493289bf07719cefd5e_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\qwjh.job	aa00750f0df31493289bf07719cefd5e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2960	aa00750f0df31493289bf07719cefd5e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2644	2240	taskeng.exe	29
PID 2240 wrote to memory of 2644	2240	taskeng.exe	29
PID 2240 wrote to memory of 2644	2240	taskeng.exe	29
PID 2240 wrote to memory of 2644	2240	taskeng.exe	29

C:\Windows\system32\taskeng.exe
taskeng.exe {B473FE4E-80F0-41AB-8158-5F8AF834C10C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\ProgramData\eepf\qwjh.exe
  C:\ProgramData\eepf\qwjh.exe start
  2⤵
  - Executes dropped EXE
  PID:2644

C:\ProgramData\eepf\qwjh.exe

Filesize
247KB

MD5
aa00750f0df31493289bf07719cefd5e

SHA1
3c5b53cea10a28b955d1224ec2d293c639874593

SHA256
5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f

SHA512
cc679227e4e137885cfbf475e89f5832cbb3009b2e95aba661b6f2c973bc56672480e3c695daca6acf825fafcc8bc7e667ab92eb81da2d1aeb7d66deb55d7704

Download Submit
memory/2644-9-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

Filesize
44KB

Download
memory/2644-10-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

Filesize
44KB

Download
memory/2960-0-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2960-2-0x0000000077C20000-0x0000000077CF6000-memory.dmp

Filesize
856KB

Download
memory/2960-8-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download