mrblack | bbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415

General

Target

47ed0c0fd311c7d7fb78bb65c066c157
Size

1.2MB
MD5

47ed0c0fd311c7d7fb78bb65c066c157
SHA1

d5359246406863690ea95f29734a7ac3f187443f
SHA256

bbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415
SHA512

a4929ea6f2acdb2219ede3a8c07eb21ce4504950cc1cc1be91f274915802f0a8cee63d9ff7707ba0e194300a297887e1a891baf813088af00df0a3b9934e58f3
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWeX4r2y1q2rJp0:745vRVJKGtSA0VWeoau9p0

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1576	getty
/usr/bin/.sshd	1587	.sshd

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/DbSecuritySpt

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/udevd.lock	Process not Found
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	Process not Found

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/dev
File opened for reading	/proc/net/route
File opened for reading	/proc/net/arp

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/moni.lod
File opened for modification	/tmp/bill.lock
File opened for modification	/tmp/gates.lod
File opened for modification	/tmp/notify.file
File opened for modification	/tmp/conf.n

/tmp/47ed0c0fd311c7d7fb78bb65c066c157
/tmp/47ed0c0fd311c7d7fb78bb65c066c157
1⤵
PID:1553

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
1⤵
PID:1558
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:1559

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
1⤵
PID:1560
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:1561

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
1⤵
PID:1562
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:1563

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
1⤵
PID:1564
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:1565

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
1⤵
PID:1566
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:1567

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1568
- /bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1569

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1570
- /bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1571

/bin/sh
sh -c "cp -f /tmp/47ed0c0fd311c7d7fb78bb65c066c157 /usr/bin/bsd-port/getty"
1⤵
PID:1572
- /bin/cp
  cp -f /tmp/47ed0c0fd311c7d7fb78bb65c066c157 /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1573

/bin/sh
sh -c /usr/bin/bsd-port/getty
1⤵
PID:1575
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  PID:1576

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1579
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1580

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1581
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1582

/bin/sh
sh -c "cp -f /tmp/47ed0c0fd311c7d7fb78bb65c066c157 /usr/bin/.sshd"
1⤵
PID:1583
- /bin/cp
  cp -f /tmp/47ed0c0fd311c7d7fb78bb65c066c157 /usr/bin/.sshd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1584

/bin/sh
sh -c /usr/bin/.sshd
1⤵
PID:1586
- /usr/bin/.sshd
  /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  PID:1587

/bin/sh
sh -c "insmod /tmp/xpacket.ko"
1⤵
PID:1590
- /sbin/insmod
  insmod /tmp/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:1591

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

1

T1574

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

1

T1574

Defense Evasion

Hijack Execution Flow

1

T1574

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

System Network Configuration Discovery

2

T1016

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
50B

MD5
a9a22a5657d264c3562f329c9c085ab8

SHA1
ea30458240c1304810681660c3add8acac715f3e

SHA256
482dee069c7399f35d1bc80641980db4a599f2d6d705635679707073f9783ff9

SHA512
ccc2fc35067de8422c7b95fda89d2e0f521dc2af7d0b52139d9d8103af852bfa6bf52e2324ed767c26e0010644a3c4b6830edb7a9f787549a7a49bb512d31084

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
98986c005e5def2da341b4e0627d4712

SHA1
ba2e8aa59e4161ee5807078f7226c405fde751a6

SHA256
6fb4775fed7293b1da12333ce782e879cefce4ca3b83e12628b1a54e062606b6

SHA512
039aae6dbb53263f8868d777e1b3766bee4488c2d9812c3eb5ae692d7be4cea0314860458b3b32440627133cf4a2b1e63c5773120b90b028220db0eca878c09c

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
894b77f805bd94d292574c38c5d628d5

SHA1
1784f0e37c1fdd6200c1e8b28e8caae5402e74e0

SHA256
d24eac45e69be063cc0053eb02650954eec62c314c405e564a4d11e951392e75

SHA512
605b8ee18c6bd7c9d489faa803dc4c00fed6e7a4b21a9a69ba7b429642a06d7fe42e5fd45162f72fff76f1ec518c5840399c97d4ab0f7633651d35e2b19f2e05

Download Submit
/tmp/notify.file

Filesize
37B

MD5
967903ca6b52a5aae041d1ecaf2e2af1

SHA1
f7674c027aa19e96f8532702cb59afa69cdc55e9

SHA256
03fe6651362ba6f32c2aa39121e5a5a10a3a1a0cac0af031fccfc7b433855018

SHA512
f0652ea82de89cc9749f7bf300f1d9dadede1322f49f00219d816c465935e15b6f7e1e2cb68de83c8265d6fc9f9b43e1a4e6eb83c49bed537f9b340e09eed18e

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.2MB

MD5
47ed0c0fd311c7d7fb78bb65c066c157

SHA1
d5359246406863690ea95f29734a7ac3f187443f

SHA256
bbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415

SHA512
a4929ea6f2acdb2219ede3a8c07eb21ce4504950cc1cc1be91f274915802f0a8cee63d9ff7707ba0e194300a297887e1a891baf813088af00df0a3b9934e58f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads