Malware Analysis Report

2025-01-22 13:28

Sample ID 231222-fp8dhsaed5
Target 6e2e71eec8d4c018d70f33c15621aa35
SHA256 98811afe3b43cebb55cf7e70463622dc66e020edf5b0d39d198438abf7740814
Tags
mrblack antivm botnet persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

98811afe3b43cebb55cf7e70463622dc66e020edf5b0d39d198438abf7740814

Threat Level: Known bad

The file 6e2e71eec8d4c018d70f33c15621aa35 was found to be: Known bad.

Malicious Activity Summary

mrblack antivm botnet persistence trojan

Mrblack family

MrBlack Trojan

MrBlack trojan

Executes dropped EXE

Writes file to system bin folder

Modifies init.d

Reads system routing table

Write file to user bin folder

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 05:04

Signatures

MrBlack trojan

Description Indicator Process Target
N/A N/A N/A N/A

Mrblack family

mrblack

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 05:03

Reported

2023-12-23 10:18

Platform

ubuntu1804-amd64-20231215-en

Max time kernel

154s

Max time network

154s

Command Line

[/tmp/6e2e71eec8d4c018d70f33c15621aa35]

Signatures

MrBlack Trojan

trojan botnet mrblack

MrBlack trojan

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A /usr/bin/bsd-port/getty /usr/bin/bsd-port/getty N/A
N/A /usr/bin/.sshd /usr/bin/.sshd N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo N/A N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/DbSecuritySpt N/A N/A
File opened for modification /etc/init.d/selinux N/A N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route N/A N/A

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/bin/bsd-port/getty.lock N/A N/A
File opened for modification /usr/bin/bsd-port/udevd.lock N/A N/A
File opened for modification /usr/bin/bsd-port/getty /bin/cp N/A
File opened for modification /usr/bin/.sshd /bin/cp N/A
File opened for modification /usr/bin/dpkgd/ps /bin/cp N/A
File opened for modification /usr/bin/dpkgd/lsof /bin/cp N/A
File opened for modification /usr/bin/lsof /bin/cp N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/ps /bin/cp N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/dev N/A N/A
File opened for reading /proc/net/route N/A N/A
File opened for reading /proc/net/arp N/A N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/stat N/A N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/cmdline /sbin/insmod N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/cmdline /sbin/insmod N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/meminfo N/A N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/moni.lock N/A N/A
File opened for modification /tmp/bill.lock N/A N/A
File opened for modification /tmp/gates.lock N/A N/A
File opened for modification /tmp/notify.file N/A N/A
File opened for modification /tmp/conf.n N/A N/A

Processes

/tmp/6e2e71eec8d4c018d70f33c15621aa35

[/tmp/6e2e71eec8d4c018d70f33c15621aa35]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c cp -f /tmp/6e2e71eec8d4c018d70f33c15621aa35 /usr/bin/bsd-port/getty]

/bin/cp

[cp -f /tmp/6e2e71eec8d4c018d70f33c15621aa35 /usr/bin/bsd-port/getty]

/bin/sh

[sh -c /usr/bin/bsd-port/getty]

/usr/bin/bsd-port/getty

[/usr/bin/bsd-port/getty]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /tmp/6e2e71eec8d4c018d70f33c15621aa35 /usr/bin/.sshd]

/bin/cp

[cp -f /tmp/6e2e71eec8d4c018d70f33c15621aa35 /usr/bin/.sshd]

/bin/sh

[sh -c /usr/bin/.sshd]

/usr/bin/.sshd

[/usr/bin/.sshd]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/sbin/insmod

[insmod /usr/lib/xpacket.ko]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/sh

[sh -c mkdir -p /usr/bin/dpkgd]

/bin/mkdir

[mkdir -p /usr/bin/dpkgd]

/bin/sh

[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/cp

[cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /bin/ps]

/bin/cp

[cp -f /usr/bin/bsd-port/getty /bin/ps]

/bin/sh

[sh -c chmod 0755 /bin/ps]

/bin/chmod

[chmod 0755 /bin/ps]

/bin/sh

[sh -c cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]

/bin/cp

[cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]

/bin/cp

[cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]

/bin/sh

[sh -c chmod 0755 /usr/bin/lsof]

/bin/chmod

[chmod 0755 /usr/bin/lsof]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/sbin/insmod

[insmod /usr/lib/xpacket.ko]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.66.49:443 tcp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.129.91:443 tcp
US 151.101.194.49:443 cdn.fwupd.org tcp
GB 89.187.167.3:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.129.91:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.7:443 1527653184.rsc.cdn77.org tcp
CN 124.232.165.243:54321 tcp
US 1.1.1.1:53 yeyou.t1linux.com udp
CN 124.232.165.243:54321 tcp

Files

/tmp/gates.lock

/etc/init.d/DbSecuritySpt

/usr/bin/bsd-port/getty

/tmp/notify.file

/etc/init.d/selinux

/tmp/moni.lock

/usr/bin/dpkgd/ps

/usr/bin/dpkgd/lsof