systembc | 930c0ff32c41f73eed59507b1e7ab70cd77469406c3a0401b625f70adc6a4fcd

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 15:27

Target

4eeea01de3c07cbe3ad9cd218f16b458_JaffaCakes118.exe
Size

209KB
MD5

4eeea01de3c07cbe3ad9cd218f16b458
SHA1

e02029f8e603d712eec2b48f8a9396731b99dbb4
SHA256

930c0ff32c41f73eed59507b1e7ab70cd77469406c3a0401b625f70adc6a4fcd
SHA512

6dff35d5fe63d0dd1ec20b47d331749d3cb247380ab5e9e5c30dd2b5561891c82f541991246c9996a4be4be2fe1eeb08cb88c3a3abdd586724187d6b98ea77c3
SSDEEP

6144:YDnLgI91y1UkT57iJz/DpURWPSvHuUiYphu1UN:cnLh9yn52rpUR5vHuRYpM+N

Score

10^/10

systembc trojan upx

Family

systembc

yan0212.com:4039

yan0212.net:4039

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

pcdefg.exe

pid process

2356 pcdefg.exe

pid	process
2356	pcdefg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1540-1-0x0000000000400000-0x00000000045F0000-memory.dmp	upx
C:\ProgramData\jmfwpb\pcdefg.exe	upx

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

4eeea01de3c07cbe3ad9cd218f16b458_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Tasks\pcdefg.job	4eeea01de3c07cbe3ad9cd218f16b458_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\pcdefg.job	4eeea01de3c07cbe3ad9cd218f16b458_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4eeea01de3c07cbe3ad9cd218f16b458_JaffaCakes118.exe

pid process

1540 4eeea01de3c07cbe3ad9cd218f16b458_JaffaCakes118.exe

pid	process
1540	4eeea01de3c07cbe3ad9cd218f16b458_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2324 wrote to memory of 2356	2324	taskeng.exe	pcdefg.exe
PID 2324 wrote to memory of 2356	2324	taskeng.exe	pcdefg.exe
PID 2324 wrote to memory of 2356	2324	taskeng.exe	pcdefg.exe
PID 2324 wrote to memory of 2356	2324	taskeng.exe	pcdefg.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {58DFC9E6-6AE8-4344-9CB9-5FD5DC9F985E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\ProgramData\jmfwpb\pcdefg.exe
  C:\ProgramData\jmfwpb\pcdefg.exe start
  2⤵
  - Executes dropped EXE
  PID:2356

C:\ProgramData\jmfwpb\pcdefg.exe

Filesize
209KB

MD5
4eeea01de3c07cbe3ad9cd218f16b458

SHA1
e02029f8e603d712eec2b48f8a9396731b99dbb4

SHA256
930c0ff32c41f73eed59507b1e7ab70cd77469406c3a0401b625f70adc6a4fcd

SHA512
6dff35d5fe63d0dd1ec20b47d331749d3cb247380ab5e9e5c30dd2b5561891c82f541991246c9996a4be4be2fe1eeb08cb88c3a3abdd586724187d6b98ea77c3

Download Submit
memory/1540-1-0x0000000000400000-0x00000000045F0000-memory.dmp

Filesize
65.9MB

Download
memory/1540-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1540-2-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1540-4-0x0000000000400000-0x00000000045F0000-memory.dmp

Filesize
65.9MB

Download
memory/2356-13-0x0000000000400000-0x00000000045F0000-memory.dmp

Filesize
65.9MB

Download