Malware Analysis Report

2025-01-22 13:28

Sample ID 231222-fpwdysadd6
Target 6dbfddc3991121ab2232a0d6f775f453
SHA256 dae7c68a3605b6df65e83e1e53f7ac0a85b85220e8ebb075e5a25a7ca8ebcc22
Tags
mrblack antivm botnet persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

dae7c68a3605b6df65e83e1e53f7ac0a85b85220e8ebb075e5a25a7ca8ebcc22

Threat Level: Known bad

The file 6dbfddc3991121ab2232a0d6f775f453 was found to be: Known bad.

Malicious Activity Summary

mrblack antivm botnet persistence trojan

MrBlack trojan

Mrblack family

MrBlack Trojan

Executes dropped EXE

Reads system routing table

Write file to user bin folder

Checks CPU configuration

Modifies init.d

Writes file to system bin folder

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 05:03

Signatures

MrBlack trojan

Description Indicator Process Target
N/A N/A N/A N/A

Mrblack family

mrblack

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 05:03

Reported

2023-12-23 10:14

Platform

ubuntu1804-amd64-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

[/tmp/6dbfddc3991121ab2232a0d6f775f453]

Signatures

MrBlack Trojan

trojan botnet mrblack

MrBlack trojan

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description   Indicator                 Process                   Target
N/A           /usr/bin/bsd-port/getty   /usr/bin/bsd-port/getty   N/A
N/A           /usr/bin/.sshd            /usr/bin/.sshd            N/A

Checks CPU configuration

antivm
Description               Indicator       Process   Target
File opened for reading   /proc/cpuinfo   N/A       N/A

Modifies init.d

persistence
Description                    Indicator                   Process   Target
File opened for modification   /etc/init.d/DbSecuritySpt   N/A       N/A
File opened for modification   /etc/init.d/selinux         N/A       N/A

Reads system routing table

Description               Indicator         Process   Target
File opened for reading   /proc/net/route   N/A       N/A

Write file to user bin folder

Description                    Indicator                      Process   Target
File opened for modification   /usr/bin/dpkgd/ss              /bin/cp   N/A
File opened for modification   /usr/bin/dpkgd/lsof            /bin/cp   N/A
File opened for modification   /usr/bin/lsof                  /bin/cp   N/A
File opened for modification   /usr/bin/bsd-port/getty.lock   N/A       N/A
File opened for modification   /usr/bin/bsd-port/udevd.lock   N/A       N/A
File opened for modification   /usr/bin/bsd-port/getty        /bin/cp   N/A
File opened for modification   /usr/bin/.sshd                 /bin/cp   N/A
File opened for modification   /usr/bin/dpkgd/ps              /bin/cp   N/A

Writes file to system bin folder

Description                    Indicator   Process   Target
File opened for modification   /bin/ps     /bin/cp   N/A
File opened for modification   /bin/ss     /bin/cp   N/A

Reads system network configuration

Description               Indicator         Process   Target
File opened for reading   /proc/net/dev     N/A       N/A
File opened for reading   /proc/net/route   N/A       N/A
File opened for reading   /proc/net/arp     N/A       N/A

Reads runtime system information

Description               Indicator           Process       Target
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/cp       N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/cmdline       /sbin/insmod  N/A
File opened for reading   /proc/filesystems   /bin/cp       N/A
File opened for reading   /proc/filesystems   /bin/cp       N/A
File opened for reading   /proc/filesystems   /bin/cp       N/A
File opened for reading   /proc/filesystems   /bin/cp       N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/cp       N/A
File opened for reading   /proc/stat          N/A           N/A
File opened for reading   /proc/meminfo       N/A           N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/cp       N/A
File opened for reading   /proc/cmdline       /sbin/insmod  N/A
File opened for reading   /proc/filesystems   /bin/cp       N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A
File opened for reading   /proc/filesystems   /bin/mkdir    N/A

Writes file to tmp directory

Description                    Indicator          Process   Target
File opened for modification   /tmp/notify.file   N/A       N/A
File opened for modification   /tmp/conf.n        N/A       N/A
File opened for modification   /tmp/moni.lod      N/A       N/A
File opened for modification   /tmp/bill.lock     N/A       N/A
File opened for modification   /tmp/gates.lod     N/A       N/A

Processes

/tmp/6dbfddc3991121ab2232a0d6f775f453  [/tmp/6dbfddc3991121ab2232a0d6f775f453]
/bin/sh  [sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]
/bin/ln  [ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]
/bin/sh  [sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]
/bin/ln  [ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]
/bin/sh  [sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]
/bin/ln  [ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]
/bin/sh  [sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]
/bin/ln  [ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]
/bin/sh  [sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]
/bin/ln  [ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]
/bin/sh  [sh -c mkdir -p /usr/bin/bsd-port]
/bin/mkdir  [mkdir -p /usr/bin/bsd-port]
/bin/sh  [sh -c mkdir -p /usr/bin/bsd-port]
/bin/mkdir  [mkdir -p /usr/bin/bsd-port]
/bin/sh  [sh -c cp -f /tmp/6dbfddc3991121ab2232a0d6f775f453 /usr/bin/bsd-port/getty]
/bin/cp  [cp -f /tmp/6dbfddc3991121ab2232a0d6f775f453 /usr/bin/bsd-port/getty]
/bin/sh  [sh -c /usr/bin/bsd-port/getty]
/usr/bin/bsd-port/getty  [/usr/bin/bsd-port/getty]
/bin/sh  [sh -c mkdir -p /usr/bin]
/bin/mkdir  [mkdir -p /usr/bin]
/bin/sh  [sh -c mkdir -p /usr/bin]
/bin/mkdir  [mkdir -p /usr/bin]
/bin/sh  [sh -c cp -f /tmp/6dbfddc3991121ab2232a0d6f775f453 /usr/bin/.sshd]
/bin/cp  [cp -f /tmp/6dbfddc3991121ab2232a0d6f775f453 /usr/bin/.sshd]
/bin/sh  [sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
/bin/ln  [ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
/bin/sh  [sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/ln  [ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/sh  [sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/ln  [ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/sh  [sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/ln  [ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/sh  [sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/ln  [ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/sh  [sh -c mkdir -p /usr/bin/dpkgd]
/bin/mkdir  [mkdir -p /usr/bin/dpkgd]
/bin/sh  [sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]
/bin/cp  [cp -f /bin/ps /usr/bin/dpkgd/ps]
/bin/sh  [sh -c mkdir -p /bin]
/bin/mkdir  [mkdir -p /bin]
/bin/sh  [sh -c mkdir -p /bin]
/bin/mkdir  [mkdir -p /bin]
/bin/sh  [sh -c cp -f /usr/bin/bsd-port/getty /bin/ps]
/bin/cp  [cp -f /usr/bin/bsd-port/getty /bin/ps]
/bin/sh  [sh -c chmod 0755 /bin/ps]
/bin/chmod  [chmod 0755 /bin/ps]
/bin/sh  [sh -c cp -f /bin/ss /usr/bin/dpkgd/ss]
/bin/cp  [cp -f /bin/ss /usr/bin/dpkgd/ss]
/bin/sh  [sh -c mkdir -p /bin]
/bin/mkdir  [mkdir -p /bin]
/bin/sh  [sh -c mkdir -p /bin]
/bin/mkdir  [mkdir -p /bin]
/bin/sh  [sh -c cp -f /usr/bin/bsd-port/getty /bin/ss]
/bin/cp  [cp -f /usr/bin/bsd-port/getty /bin/ss]
/bin/sh  [sh -c chmod 0755 /bin/ss]
/bin/chmod  [chmod 0755 /bin/ss]
/bin/sh  [sh -c cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]
/bin/cp  [cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]
/bin/sh  [sh -c mkdir -p /usr/bin]
/bin/mkdir  [mkdir -p /usr/bin]
/bin/sh  [sh -c mkdir -p /usr/bin]
/bin/mkdir  [mkdir -p /usr/bin]
/bin/sh  [sh -c cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]
/bin/cp  [cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]
/bin/sh  [sh -c chmod 0755 /usr/bin/lsof]
/bin/chmod  [chmod 0755 /usr/bin/lsof]
/bin/sh  [sh -c /usr/bin/.sshd]
/usr/bin/.sshd  [/usr/bin/.sshd]
/bin/sh  [sh -c insmod /usr/bin/bsd-port/xpacket.ko]
/sbin/insmod  [insmod /usr/bin/bsd-port/xpacket.ko]
/bin/sh  [sh -c insmod /tmp/xpacket.ko]
/sbin/insmod  [insmod /tmp/xpacket.ko]

Network

Country   Destination            Domain                          Proto
N/A       224.0.0.251:5353       N/A                             udp
US        151.101.130.49:443     N/A                             tcp
US        151.101.193.91:443     N/A                             tcp
GB        89.187.167.4:443       N/A                             tcp
US        1.1.1.1:53             cdn.fwupd.org                   udp
US        1.1.1.1:53             cdn.fwupd.org                   udp
US        151.101.194.49:443     cdn.fwupd.org                   tcp
GB        185.125.188.61:443     N/A                             tcp
GB        185.125.188.61:443     N/A                             tcp
US        151.101.193.91:443     N/A                             tcp
US        1.1.1.1:53             www.2xpk.com                    udp
US        1.1.1.1:53             1527653184.rsc.cdn77.org        udp
US        1.1.1.1:53             1527653184.rsc.cdn77.org        udp
GB        195.181.164.16:443     1527653184.rsc.cdn77.org        tcp
CN        58.221.42.45:26000     N/A                             tcp
CN        58.221.42.45:26000     N/A                             tcp

Files

/tmp/gates.lod


/etc/init.d/DbSecuritySpt


/usr/bin/bsd-port/getty


/tmp/notify.file


/usr/bin/dpkgd/ps


/usr/bin/dpkgd/ss


/usr/bin/dpkgd/lsof


/tmp/moni.lod
