SYMBOLCOMMON_NAMEaka. SYNONYMS
win.systembc (Back to overview)

SystemBC


SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on a underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC has been observed occasionally, but more pronounced since June 2019. First samples goes back to October 2018.

References
2019-07-31ProofpointKade Harmon, Kafeine, Dennis Schwarz, Proofpoint Threat Insight Team
@online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} } SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { aa 6a00 6a02 ffb528f4ffff ffb520f4ffff ff75d8 }
            // n = 6, score = 500
            //   aa                   | stosb               byte ptr es:[edi], al
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   ffb528f4ffff         | push                dword ptr [ebp - 0xbd8]
            //   ffb520f4ffff         | push                dword ptr [ebp - 0xbe0]
            //   ff75d8               | push                dword ptr [ebp - 0x28]

        $sequence_1 = { 397d08 7757 837d1000 740e 8b5510 8802 8a07 }
            // n = 7, score = 500
            //   397d08               | cmp                 dword ptr [ebp + 8], edi
            //   7757                 | ja                  0x59
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740e                 | je                  0x10
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8802                 | mov                 byte ptr [edx], al
            //   8a07                 | mov                 al, byte ptr [edi]

        $sequence_2 = { 6800020000 e8???????? 57 e8???????? 8d3c38 66b85c00 }
            // n = 6, score = 500
            //   6800020000           | push                0x200
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   8d3c38               | lea                 edi, [eax + edi]
            //   66b85c00             | mov                 ax, 0x5c

        $sequence_3 = { 6a01 6a00 8b85bcfbffff 8b08 8b5118 50 }
            // n = 6, score = 500
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   8b85bcfbffff         | mov                 eax, dword ptr [ebp - 0x444]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5118               | mov                 edx, dword ptr [ecx + 0x18]
            //   50                   | push                eax

        $sequence_4 = { 8945fc c785f4feffff00000000 8d85f4feffff 50 8d45f8 }
            // n = 5, score = 500
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   c785f4feffff00000000     | mov    dword ptr [ebp - 0x10c], 0
            //   8d85f4feffff         | lea                 eax, [ebp - 0x10c]
            //   50                   | push                eax
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_5 = { 03ca 3bc2 762f 3bc1 772b 8bf0 8bf8 }
            // n = 7, score = 500
            //   03ca                 | add                 ecx, edx
            //   3bc2                 | cmp                 eax, edx
            //   762f                 | jbe                 0x31
            //   3bc1                 | cmp                 eax, ecx
            //   772b                 | ja                  0x2d
            //   8bf0                 | mov                 esi, eax
            //   8bf8                 | mov                 edi, eax

        $sequence_6 = { 740b 837d1000 7407 803a00 7502 }
            // n = 5, score = 500
            //   740b                 | je                  0xd
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7407                 | je                  9
            //   803a00               | cmp                 byte ptr [edx], 0
            //   7502                 | jne                 4

        $sequence_7 = { 382411 7402 eb06 83c702 41 }
            // n = 5, score = 500
            //   382411               | cmp                 byte ptr [ecx + edx], ah
            //   7402                 | je                  4
            //   eb06                 | jmp                 8
            //   83c702               | add                 edi, 2
            //   41                   | inc                 ecx

        $sequence_8 = { 8b7508 8b8680010000 8b9e84010000 8b8e88010000 8b968c010000 8bb690010000 }
            // n = 6, score = 500
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b8680010000         | mov                 eax, dword ptr [esi + 0x180]
            //   8b9e84010000         | mov                 ebx, dword ptr [esi + 0x184]
            //   8b8e88010000         | mov                 ecx, dword ptr [esi + 0x188]
            //   8b968c010000         | mov                 edx, dword ptr [esi + 0x18c]
            //   8bb690010000         | mov                 esi, dword ptr [esi + 0x190]

        $sequence_9 = { 50 6a00 6a00 8d4308 50 }
            // n = 5, score = 500
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d4308               | lea                 eax, [ebx + 8]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules