systembc | a2379c7d2d9e767c1706f3c330c833bbec70f25cbfb119f0c066f57305a6bd5e

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe
Size

201KB
MD5

48126ab9186274b12b830d906caa78ac
SHA1

ef83558edce4af8d3598db67a4d40bf629b3cfd1
SHA256

a2379c7d2d9e767c1706f3c330c833bbec70f25cbfb119f0c066f57305a6bd5e
SHA512

ab3c8542d780d2e6dcecbbae6a92ec168ac1f8fd16d24a35872043f23f952269f9bbfa53ae79f038aeeb2734e66eba9d47e5701a77e90ac0ada4e968f532bdb0
SSDEEP

1536:Nw8uOqQ5oie5XEsS7BPgnbp23kYXuPhJ5+GFg1VNJ3iK6UVkqnJd1SjkloYMIF:Nw8vqBiIuBqJ5ZkrJ3iUpnOLY

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Family

systembc

188.68.208.172

reserve-domain.com

Attributes

dns
5.132.191.104

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
2712	dnuomnp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnuomnp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2712	2948	taskeng.exe	31
PID 2948 wrote to memory of 2712	2948	taskeng.exe	31
PID 2948 wrote to memory of 2712	2948	taskeng.exe	31
PID 2948 wrote to memory of 2712	2948	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2868

C:\Windows\system32\taskeng.exe
taskeng.exe {15F6052B-60F0-46B1-82CE-53CF4346E9E1} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\ProgramData\pcghxp\dnuomnp.exe
  C:\ProgramData\pcghxp\dnuomnp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pcghxp\dnuomnp.exe

Filesize
201KB

MD5
48126ab9186274b12b830d906caa78ac

SHA1
ef83558edce4af8d3598db67a4d40bf629b3cfd1

SHA256
a2379c7d2d9e767c1706f3c330c833bbec70f25cbfb119f0c066f57305a6bd5e

SHA512
ab3c8542d780d2e6dcecbbae6a92ec168ac1f8fd16d24a35872043f23f952269f9bbfa53ae79f038aeeb2734e66eba9d47e5701a77e90ac0ada4e968f532bdb0

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
222B

MD5
5b60dcc1101775af2720e9908b66e750

SHA1
e41fd65bfde0446c7ee260c812df522bb172a256

SHA256
f45df3db1aec128f21c54d2148815b0979f6ebb5de661b8c5d43a48fd30a9d5a

SHA512
6ecea44db9dc0b8b351bc56e4eec2928a7af9cb82430091478c73ffdfb2b63c6a96db75da5a5071cec5f96ba2cceacba0e9757eb05a244a074906db48f4922b3

Download Submit
memory/2712-14-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2712-15-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2868-1-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2868-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2868-5-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2868-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download