mrblack | 4fb50087fd3ecf8590b34a6ef40bdc227caee4314f480a4b01abab01c3e805ea

General

Target

0c2fced6cd1b58dc85669dae1736a19e
Size

1.1MB
MD5

0c2fced6cd1b58dc85669dae1736a19e
SHA1

775a3e0e4c5e0b53c7adf2e81ab13b0994338e0a
SHA256

4fb50087fd3ecf8590b34a6ef40bdc227caee4314f480a4b01abab01c3e805ea
SHA512

cfcf9d27b21c157a250f3fbc6b359f100293218422225ae6203f96b535a897cef84046abbf44c429aeade4e4123bee1c805a7903fcd4a08cff5cba34c6d569a4
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaoI+gIGYuuCol7r:4vREKfPqVE5jKsfaoRHGVo7r

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/agent	1582	agent
/usr/bin/acpid	1590	acpid

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/DbSecurityMdt
File opened for modification	/etc/init.d/selinux

Write file to user bin folder 1 TTPs 7 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/agent	cp
File opened for modification	/usr/bin/acpid	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/agent.conf	Process not Found
File opened for modification	/usr/bin/bsd-port/udevd.conf	Process not Found

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/ps	cp

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/dev

Reads runtime system information 15 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/moni.note
File opened for modification	/tmp/bill.note
File opened for modification	/tmp/gates.note
File opened for modification	/tmp/notify.file

/tmp/0c2fced6cd1b58dc85669dae1736a19e
/tmp/0c2fced6cd1b58dc85669dae1736a19e
1⤵
PID:1560

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt"
1⤵
PID:1566
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt
  2⤵
  PID:1567

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt"
1⤵
PID:1568
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt
  2⤵
  PID:1569

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt"
1⤵
PID:1570
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt
  2⤵
  PID:1571

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt"
1⤵
PID:1572
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt
  2⤵
  PID:1573

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt"
1⤵
PID:1574
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt
  2⤵
  PID:1575

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1576
- /bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1577

/bin/sh
sh -c "cp -f /tmp/0c2fced6cd1b58dc85669dae1736a19e /usr/bin/bsd-port/agent"
1⤵
PID:1578
- /bin/cp
  cp -f /tmp/0c2fced6cd1b58dc85669dae1736a19e /usr/bin/bsd-port/agent
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1579

/bin/sh
sh -c /usr/bin/bsd-port/agent
1⤵
PID:1581
- /usr/bin/bsd-port/agent
  /usr/bin/bsd-port/agent
  2⤵
  - Executes dropped EXE
  PID:1582

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1584
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1585

/bin/sh
sh -c "cp -f /tmp/0c2fced6cd1b58dc85669dae1736a19e /usr/bin/acpid"
1⤵
PID:1586
- /bin/cp
  cp -f /tmp/0c2fced6cd1b58dc85669dae1736a19e /usr/bin/acpid
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1587

/bin/sh
sh -c /usr/bin/acpid
1⤵
PID:1589
- /usr/bin/acpid
  /usr/bin/acpid
  2⤵
  - Executes dropped EXE
  PID:1590

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
1⤵
PID:1592
- /sbin/insmod
  insmod /usr/lib/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:1593

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
1⤵
PID:1601
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
  2⤵
  PID:1602

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
1⤵
PID:1603
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
  2⤵
  PID:1604

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
1⤵
PID:1605
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
  2⤵
  PID:1606

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
1⤵
PID:1607
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
  2⤵
  PID:1608

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
1⤵
PID:1609
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
  2⤵
  PID:1610

/bin/sh
sh -c "mkdir -p /usr/bin/dpkgd"
1⤵
PID:1611
- /bin/mkdir
  mkdir -p /usr/bin/dpkgd
  2⤵
  - Reads runtime system information
  PID:1612

/bin/sh
sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
1⤵
PID:1613
- /bin/cp
  cp -f /bin/ps /usr/bin/dpkgd/ps
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1614

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1615
- /bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1616

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/agent /bin/ps"
1⤵
PID:1617
- /bin/cp
  cp -f /usr/bin/bsd-port/agent /bin/ps
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1619

/bin/sh
sh -c "chmod 0755 /bin/ps"
1⤵
PID:1620
- /bin/chmod
  chmod 0755 /bin/ps
  2⤵
  PID:1621

/bin/sh
sh -c "cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof"
1⤵
PID:1622
- /bin/cp
  cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1623

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1624
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1625

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/agent /usr/bin/lsof"
1⤵
PID:1626
- /bin/cp
  cp -f /usr/bin/bsd-port/agent /usr/bin/lsof
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1627

/bin/sh
sh -c "chmod 0755 /usr/bin/lsof"
1⤵
PID:1628
- /bin/chmod
  chmod 0755 /usr/bin/lsof
  2⤵
  PID:1629

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
1⤵
PID:1630
- /sbin/insmod
  insmod /usr/lib/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:1631

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

2

T1574

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

2

T1574

Defense Evasion

Hijack Execution Flow

2

T1574

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecurityMdt

Filesize
50B

MD5
028b0c435a58487bdb0e80c98aacbc65

SHA1
e0735c2c61060c3b87056b53ac733cef4b351489

SHA256
b9004744eb7a97399b3c004839f784c9696895d54edfa4f034b85b5c507088d9

SHA512
6b0a1309bbee800bb966b70147049ff3760706f8da32358b86ae6a82512d067b8e5bada07ac2f6e2c107c373dd07b743ad5a0681f651f8efca9e6385014d6270

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
c6a80f08539a4c3176762f514976dd24

SHA1
bbc5826b01d20f5c4d315ff5dbc3f216760c64ef

SHA256
ea47e885ae227059ce55d020335f7869c565ec6d85f484497e83cd4998149d5d

SHA512
9a1e3b0142876305fe389e07880bd586e97bf709273a66299d9128ff2861459104054d4e5d836aecdf73f2c11886fa3a2a8498741adb3211b96116658b856175

Download Submit
/tmp/gates.note

Filesize
4B

MD5
b132ecc1609bfcf302615847c1caa69a

SHA1
0310477142171b7d67f2a1cd85c90a3b66be9c57

SHA256
8bcefa497af26e688b555d1c4c8cc97365522b5a1416ceb099a98b4c2ed80585

SHA512
816f74839aff001255a4e3fdbc354fd23aeaada1bbd44148e4fad015650143c818f741024cac050b6a4e22ce4d8d64b9591078a1d46d4776a6c51077b937bed0

Download Submit
/tmp/moni.note

Filesize
4B

MD5
5129a5ddcd0dcd755232baa04c231698

SHA1
b2a3625de074749ed626d2c2fdf5342d7757a850

SHA256
e52522a505f68250e81747aa5386c5c60196c1680f1c89762ab1ab0fbaae39b8

SHA512
27f36a56ba7f81569a7edcada4b457648cef41168a85cadf11c6e649295b110569e060047c624376a3dd8372edf153ae15c954cce7e308e8f826884a707d12c9

Download Submit
/tmp/notify.file

Filesize
37B

MD5
fa80d5e84cd380b13aa09333a926c92f

SHA1
4c1e42932b58cfe7fdfb937971efd7213390110a

SHA256
42f9262f441f109ed3a2ef0b0055aeb85031297456ff0d0c2611af4ff0b88faa

SHA512
451de42cf234137527060e9da0c4f73b24ddf90427c2c3f834266ec53866bb76b33816c2e85988875be901aa248cafe1af897e49cd2c6ded1f5414790727ead8

Download Submit
/usr/bin/bsd-port/agent

Filesize
1.1MB

MD5
0c2fced6cd1b58dc85669dae1736a19e

SHA1
775a3e0e4c5e0b53c7adf2e81ab13b0994338e0a

SHA256
4fb50087fd3ecf8590b34a6ef40bdc227caee4314f480a4b01abab01c3e805ea

SHA512
cfcf9d27b21c157a250f3fbc6b359f100293218422225ae6203f96b535a897cef84046abbf44c429aeade4e4123bee1c805a7903fcd4a08cff5cba34c6d569a4

Download Submit
/usr/bin/dpkgd/lsof

Filesize
159KB

MD5
e093dc78225e2a0a25e3b137c1c1e442

SHA1
c29497cfaae729eb576875e4fdfa400640ab16be

SHA256
1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e

SHA512
fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0

Download Submit
/usr/bin/dpkgd/ps

Filesize
130KB

MD5
558edc26f8a38fa9788220b9af8a73e7

SHA1
3024d44e580e9c67f32f6c585d50e2a6cc9a7cac

SHA256
b76435c80333d2c1fd18e0e7682f1c9dfb5da8d507e93e3c416f54b481c428d5

SHA512
edaa425b441044f015e8f68fffa1664e42372d00dd0e7b0924d24ce947aa8e5f96b3bdc326fa2f8b978e3fcf638a1ceca45a223735db73f1607df66990feb56f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads