SYMBOLCOMMON_NAMEaka. SYNONYMS
win.systembc (Back to overview)

SystemBC

SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on a underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC has been observed occasionally, but more pronounced since June 2019. First samples goes back to October 2018.

References
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2019-07-31ProofpointKade Harmon, Kafeine, Dennis Schwarz, Proofpoint Threat Insight Team
@online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} } SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 66af 75fc 2b7d08 4f }
            // n = 4, score = 500
            //   66af                 | scasw               ax, word ptr es:[edi]
            //   75fc                 | jne                 0xfffffffe
            //   2b7d08               | sub                 edi, dword ptr [ebp + 8]
            //   4f                   | dec                 edi

        $sequence_1 = { 50 6a00 6a00 8d4308 50 }
            // n = 5, score = 500
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d4308               | lea                 eax, [ebx + 8]
            //   50                   | push                eax

        $sequence_2 = { 81c468faffff 53 57 56 8d8568faffff 50 }
            // n = 6, score = 500
            //   81c468faffff         | add                 esp, 0xfffffa68
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   8d8568faffff         | lea                 eax, [ebp - 0x598]
            //   50                   | push                eax

        $sequence_3 = { 744e 8b55f0 668b045a 8b55f8 8b0482 8b55ec }
            // n = 6, score = 500
            //   744e                 | je                  0x50
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   668b045a             | mov                 ax, word ptr [edx + ebx*2]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b0482               | mov                 eax, dword ptr [edx + eax*4]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        $sequence_4 = { 397d08 7757 837d1000 740e 8b5510 8802 8a07 }
            // n = 7, score = 500
            //   397d08               | cmp                 dword ptr [ebp + 8], edi
            //   7757                 | ja                  0x59
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740e                 | je                  0x10
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8802                 | mov                 byte ptr [edx], al
            //   8a07                 | mov                 al, byte ptr [edi]

        $sequence_5 = { 8b55f8 8b0482 8b55ec 8b4de8 03d6 03c6 03ca }
            // n = 7, score = 500
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b0482               | mov                 eax, dword ptr [edx + eax*4]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   03d6                 | add                 edx, esi
            //   03c6                 | add                 eax, esi
            //   03ca                 | add                 ecx, edx

        $sequence_6 = { 2b7d08 4f 4f 8bc7 5e 5f }
            // n = 6, score = 500
            //   2b7d08               | sub                 edi, dword ptr [ebp + 8]
            //   4f                   | dec                 edi
            //   4f                   | dec                 edi
            //   8bc7                 | mov                 eax, edi
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_7 = { 5b c9 c20400 55 8bec 81c468faffff }
            // n = 6, score = 500
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81c468faffff         | add                 esp, 0xfffffa68

        $sequence_8 = { 8bf0 8bf8 b02e f2ae }
            // n = 4, score = 500
            //   8bf0                 | mov                 esi, eax
            //   8bf8                 | mov                 edi, eax
            //   b02e                 | mov                 al, 0x2e
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]

        $sequence_9 = { c20800 55 8bec 81c400fcffff 60 b8fcfdfeff b940000000 }
            // n = 7, score = 500
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81c400fcffff         | add                 esp, 0xfffffc00
            //   60                   | pushal              
            //   b8fcfdfeff           | mov                 eax, 0xfffefdfc
            //   b940000000           | mov                 ecx, 0x40

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules