Malware Analysis Report

2025-01-22 13:28

Sample ID: 231222-g9hh9scha7
Target: 75fead0b58b7bd86713bfb97a97286c1
SHA256: e8c1948fd7771add2392cb77713e40d6a71b9c439d2b41f627f0608ed9e99cc4
Tags: mrblack antivm botnet persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: e8c1948fd7771add2392cb77713e40d6a71b9c439d2b41f627f0608ed9e99cc4

Threat Level: Known bad

The file 75fead0b58b7bd86713bfb97a97286c1 was found to be: Known bad.

Malicious Activity Summary

mrblack antivm botnet persistence trojan

MrBlack trojan

MrBlack Trojan

Mrblack family

Executes dropped EXE

Modifies init.d

Reads system routing table

Write file to user bin folder

Writes file to system bin folder

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-22 06:30

Signatures

MrBlack trojan

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Mrblack family

mrblack

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-22 06:30

Reported: 2023-12-23 11:43

Platform: ubuntu1804-amd64-20231215-en

Max time kernel: 154s

Max time network: 158s

Command Line

[/tmp/75fead0b58b7bd86713bfb97a97286c1]

Signatures

MrBlack Trojan

trojan botnet mrblack

MrBlack trojan

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Executes dropped EXE

Description   Indicator                 Process                   Target
N/A           /usr/bin/bsd-port/getty   /usr/bin/bsd-port/getty   N/A
N/A           /usr/bin/.sshd            /usr/bin/.sshd            N/A

Checks CPU configuration

antivm
Description               Indicator       Process   Target
File opened for reading   /proc/cpuinfo   N/A       N/A

Modifies init.d

persistence
Description                    Indicator                   Process   Target
File opened for modification   /etc/init.d/DbSecuritySpt   N/A       N/A
File opened for modification   /etc/init.d/selinux         N/A       N/A

Reads system routing table

Description               Indicator         Process   Target
File opened for reading   /proc/net/route   N/A       N/A

Write file to user bin folder

Description                    Indicator                      Process   Target
File opened for modification   /usr/bin/dpkgd/ps              /bin/cp   N/A
File opened for modification   /usr/bin/dpkgd/ss              /bin/cp   N/A
File opened for modification   /usr/bin/dpkgd/lsof            /bin/cp   N/A
File opened for modification   /usr/bin/lsof                  /bin/cp   N/A
File opened for modification   /usr/bin/bsd-port/getty.lock   N/A       N/A
File opened for modification   /usr/bin/bsd-port/udevd.lock   N/A       N/A
File opened for modification   /usr/bin/bsd-port/getty        /bin/cp   N/A
File opened for modification   /usr/bin/.sshd                 /bin/cp   N/A

Writes file to system bin folder

Description                    Indicator   Process   Target
File opened for modification   /bin/ps     /bin/cp   N/A
File opened for modification   /bin/ss     /bin/cp   N/A

Reads system network configuration

Description               Indicator         Process   Target
File opened for reading   /proc/net/dev     N/A       N/A
File opened for reading   /proc/net/route   N/A       N/A
File opened for reading   /proc/net/arp     N/A       N/A

Reads runtime system information

Description               Indicator           Process        Target
File opened for reading   /proc/filesystems   /bin/cp        N/A
File opened for reading   /proc/cmdline       /sbin/insmod   N/A
File opened for reading   /proc/filesystems   /bin/cp        N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/stat          N/A            N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/cp        N/A
File opened for reading   /proc/filesystems   /bin/cp        N/A
File opened for reading   /proc/filesystems   /bin/cp        N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/cp        N/A
File opened for reading   /proc/filesystems   /bin/cp        N/A
File opened for reading   /proc/meminfo       N/A            N/A
File opened for reading   /proc/cmdline       /sbin/insmod   N/A
File opened for reading   /proc/filesystems   /bin/cp        N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A
File opened for reading   /proc/filesystems   /bin/mkdir     N/A

Writes file to tmp directory

Description                    Indicator          Process   Target
File opened for modification   /tmp/moni.lod      N/A       N/A
File opened for modification   /tmp/bill.lock     N/A       N/A
File opened for modification   /tmp/gates.lod     N/A       N/A
File opened for modification   /tmp/notify.file   N/A       N/A
File opened for modification   /tmp/conf.n        N/A       N/A

Processes

/tmp/75fead0b58b7bd86713bfb97a97286c1

[/tmp/75fead0b58b7bd86713bfb97a97286c1]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c cp -f /tmp/75fead0b58b7bd86713bfb97a97286c1 /usr/bin/bsd-port/getty]

/bin/cp

[cp -f /tmp/75fead0b58b7bd86713bfb97a97286c1 /usr/bin/bsd-port/getty]

/bin/sh

[sh -c /usr/bin/bsd-port/getty]

/usr/bin/bsd-port/getty

[/usr/bin/bsd-port/getty]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /tmp/75fead0b58b7bd86713bfb97a97286c1 /usr/bin/.sshd]

/bin/cp

[cp -f /tmp/75fead0b58b7bd86713bfb97a97286c1 /usr/bin/.sshd]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/sh

[sh -c mkdir -p /usr/bin/dpkgd]

/bin/mkdir

[mkdir -p /usr/bin/dpkgd]

/bin/sh

[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c /usr/bin/.sshd]

/usr/bin/.sshd

[/usr/bin/.sshd]

/bin/cp

[cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /bin/ps]

/bin/cp

[cp -f /usr/bin/bsd-port/getty /bin/ps]

/bin/sh

[sh -c chmod 0755 /bin/ps]

/bin/chmod

[chmod 0755 /bin/ps]

/bin/sh

[sh -c cp -f /bin/ss /usr/bin/dpkgd/ss]

/bin/cp

[cp -f /bin/ss /usr/bin/dpkgd/ss]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /bin/ss]

/bin/cp

[cp -f /usr/bin/bsd-port/getty /bin/ss]

/bin/sh

[sh -c chmod 0755 /bin/ss]

/bin/chmod

[chmod 0755 /bin/ss]

/bin/sh

[sh -c cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]

/bin/cp

[cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]

/bin/cp

[cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]

/bin/sh

[sh -c chmod 0755 /usr/bin/lsof]

/bin/chmod

[chmod 0755 /usr/bin/lsof]

/bin/sh

[sh -c insmod /usr/bin/bsd-port/xpacket.ko]

/sbin/insmod

[insmod /usr/bin/bsd-port/xpacket.ko]

/bin/sh

[sh -c insmod /tmp/xpacket.ko]

/sbin/insmod

[insmod /tmp/xpacket.ko]

Network

Country   Destination           Domain                     Proto
N/A       224.0.0.251:5353      N/A                        udp
US        151.101.66.49:443     N/A                        tcp
US        1.1.1.1:53            cdn.fwupd.org              udp
US        1.1.1.1:53            cdn.fwupd.org              udp
US        151.101.194.49:443    cdn.fwupd.org              tcp
US        151.101.129.91:443    N/A                        tcp
GB        89.187.167.3:443      N/A                        tcp
GB        185.125.188.62:443    N/A                        tcp
GB        185.125.188.62:443    N/A                        tcp
US        151.101.129.91:443    N/A                        tcp
US        1.1.1.1:53            1527653184.rsc.cdn77.org   udp
US        1.1.1.1:53            1527653184.rsc.cdn77.org   udp
GB        195.181.164.19:443    1527653184.rsc.cdn77.org   tcp
US        1.1.1.1:53            www.8jpk.com               udp
US        1.1.1.1:53            blhbd.com                  udp
US        166.88.228.77:50000   blhbd.com                  tcp
US        166.88.228.77:50000   blhbd.com                  tcp

Files

/tmp/gates.lod

MD5: cda72177eba360ff16b7f836e2754370
SHA1: 0de7f57bd4db22d7e4a43004aea93b1f0a484259
SHA256: c73c63198a1338f0d19547e3d07db9dc25babedc30ae35b80426d48afe73624c
SHA512: a317aaae56af82ef6f653ee4554a2f95a93a7a2f9caf20603e7d9a2ed59ec43f1edc3a9b64437d8be4555cc608872ea65e6db7205f734770720ce5d7ec348ae1

/etc/init.d/DbSecuritySpt

MD5: e0441ce06606e2d4498060c967167ccf
SHA1: dfd3ed72374db0fb815fe178aabe8da741d2ae2b
SHA256: 28bd80af77edd922867d9820575bac3cf979edccb3363825977a914a2a75533a
SHA512: c05bedc51c5c2e417d933350b1e53f900868dcfd33241b4e20d19c647f9cb98a03616080f154b3610cfd31bb6b84b536a7847d77c6fa6722b9583c09dd2f9250

/usr/bin/bsd-port/getty

MD5: 75fead0b58b7bd86713bfb97a97286c1
SHA1: 6be1a5225beff3823afb78e23a64258761dac77f
SHA256: e8c1948fd7771add2392cb77713e40d6a71b9c439d2b41f627f0608ed9e99cc4
SHA512: 07f80b652da80799c6e7b318d50ee2ef551b201167bba6ba287663b25edfce314bcc1a680f90449b0713cd093a0e266660b4c0f8366e84bf6f09456dbece9388

/tmp/notify.file

MD5: ee22e94a12f49db25dd17a0b705dfd32
SHA1: 8930848e683617bbccf081e635899692a2e7425d
SHA256: d34b5cc8530a60e43cf7dec0417e2eecdae96a68f44b37e0e919fbdd50583c2a
SHA512: 05111cc53709159f92222c74d10e63914339857ceb7a5dbcc2764fe9e5f0eca02a9dfff4f8061a5d54acda87425e725f66840ba343354f9b3e74591f5fe9d8af

/usr/bin/dpkgd/ss

MD5: 1dc929b5f2cd12fe6a2fe71140d2a9e3
SHA1: f9995a92bb201b1b7738a39a38570ef0c40b52d2
SHA256: 418aae1da62554afe9f260866267af328fd761b3fd6f90f0ea53d543e2fefc38
SHA512: fbed011c595084548db440dfbe485b7d27032a44a6ae9e141fe43f31c8c524ff9347135ab035deb441fca99e5a3794f7bb9194f148aa2f60f1547a7c67d47373

/usr/bin/dpkgd/lsof

MD5: e093dc78225e2a0a25e3b137c1c1e442
SHA1: c29497cfaae729eb576875e4fdfa400640ab16be
SHA256: 1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e
SHA512: fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0

/tmp/moni.lod

MD5: a981f2b708044d6fb4a71a1463242520
SHA1: 818c3ca96b188792670c6a0993baa894e345a689
SHA256: 2b8ae4541022864d57e65a7db4c70b75fea47c9101edebf0325da25ea84def02
SHA512: c2b3bf26879d974d4082205fe0ab1200ee6e8b0a7cac04092231dbf4ceb2b01e0ffb62f8cec32118aee0a80f5195614c2869d01d2ac1f0c7b7b98ee5a7c880e7