systembc | f8e9770888bd3545c01053bb8031365eef2b071d0c2c5d89f7a8ead9f74da3fa

Analysis

max time kernel
143s
max time network
38s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 17:40

Target

4f61495744ac80a8c5e08eaaf5bd2147_JaffaCakes118.exe
Size

209KB
MD5

4f61495744ac80a8c5e08eaaf5bd2147
SHA1

f53222e9fc525c77f73318cf00743d061cd87ba8
SHA256

f8e9770888bd3545c01053bb8031365eef2b071d0c2c5d89f7a8ead9f74da3fa
SHA512

87cc87fa72f18133325d5b63e77f682636bcac9feb27b716353b402d6dcfc8c9311eeaa0e8d87e12a8fbe0d25e0bb2c58e2ea55c5fbc2f285997e75abd139445
SSDEEP

6144:YDnLgI91y1UkT57iJz/DpURWPSvHuUiYphu1Uc:cnLh9yn52rpUR5vHuRYpM+c

Score

10^/10

systembc trojan upx

Family

systembc

yan0212.com:4039

yan0212.net:4039

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
2724	csdc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2364-1-0x0000000000400000-0x00000000045F0000-memory.dmp	upx
behavioral1/files/0x0009000000018ed5-9.dat	upx

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\csdc.job	4f61495744ac80a8c5e08eaaf5bd2147_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\csdc.job	4f61495744ac80a8c5e08eaaf5bd2147_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2364	4f61495744ac80a8c5e08eaaf5bd2147_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2724	2220	taskeng.exe	30
PID 2220 wrote to memory of 2724	2220	taskeng.exe	30
PID 2220 wrote to memory of 2724	2220	taskeng.exe	30
PID 2220 wrote to memory of 2724	2220	taskeng.exe	30

C:\Windows\system32\taskeng.exe
taskeng.exe {513C8923-41EB-4ADD-AC3F-33070DD31B68} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\ProgramData\ovqv\csdc.exe
  C:\ProgramData\ovqv\csdc.exe start
  2⤵
  - Executes dropped EXE
  PID:2724

C:\ProgramData\ovqv\csdc.exe

Filesize
209KB

MD5
4f61495744ac80a8c5e08eaaf5bd2147

SHA1
f53222e9fc525c77f73318cf00743d061cd87ba8

SHA256
f8e9770888bd3545c01053bb8031365eef2b071d0c2c5d89f7a8ead9f74da3fa

SHA512
87cc87fa72f18133325d5b63e77f682636bcac9feb27b716353b402d6dcfc8c9311eeaa0e8d87e12a8fbe0d25e0bb2c58e2ea55c5fbc2f285997e75abd139445

Download Submit
memory/2364-1-0x0000000000400000-0x00000000045F0000-memory.dmp

Filesize
65.9MB

Download
memory/2364-2-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2364-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2364-4-0x0000000000400000-0x00000000045F0000-memory.dmp

Filesize
65.9MB

Download
memory/2724-13-0x0000000000400000-0x00000000045F0000-memory.dmp

Filesize
65.9MB

Download