systembc | a2379c7d2d9e767c1706f3c330c833bbec70f25cbfb119f0c066f57305a6bd5e

Analysis

max time kernel
147s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe
Size

201KB
MD5

48126ab9186274b12b830d906caa78ac
SHA1

ef83558edce4af8d3598db67a4d40bf629b3cfd1
SHA256

a2379c7d2d9e767c1706f3c330c833bbec70f25cbfb119f0c066f57305a6bd5e
SHA512

ab3c8542d780d2e6dcecbbae6a92ec168ac1f8fd16d24a35872043f23f952269f9bbfa53ae79f038aeeb2734e66eba9d47e5701a77e90ac0ada4e968f532bdb0
SSDEEP

1536:Nw8uOqQ5oie5XEsS7BPgnbp23kYXuPhJ5+GFg1VNJ3iK6UVkqnJd1SjkloYMIF:Nw8vqBiIuBqJ5ZkrJ3iUpnOLY

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Family

systembc

188.68.208.172

reserve-domain.com

Attributes

dns
5.132.191.104

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
4620	geefj.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2132	4212	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geefj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48126ab9186274b12b830d906caa78ac_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 388
  2⤵
  - Program crash
  PID:2132

C:\ProgramData\cdnfkm\geefj.exe
C:\ProgramData\cdnfkm\geefj.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4212 -ip 4212
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cdnfkm\geefj.exe

Filesize
201KB

MD5
48126ab9186274b12b830d906caa78ac

SHA1
ef83558edce4af8d3598db67a4d40bf629b3cfd1

SHA256
a2379c7d2d9e767c1706f3c330c833bbec70f25cbfb119f0c066f57305a6bd5e

SHA512
ab3c8542d780d2e6dcecbbae6a92ec168ac1f8fd16d24a35872043f23f952269f9bbfa53ae79f038aeeb2734e66eba9d47e5701a77e90ac0ada4e968f532bdb0

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
236B

MD5
bfa504d05c0908111b49334603914397

SHA1
9a63e3f3d07697c6898038c9f931116562906900

SHA256
e09d1b67df677116215206f9b9224e63d9a32a7442b363a7e68d6f97a59d6849

SHA512
5365bedb5465f26486903786350185ea2c538129dde6ca72db7f92a2043aa51326f7e98ecb2f4db691f03058b1054c5181e5ef86178315330d4f851aaa9f0d93

Download Submit
memory/4212-1-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/4212-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4212-5-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/4212-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4620-14-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4620-15-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download