mrblack | e06f76599cb5c522b9e739db71afd98be6d77807a5eeb610dfa12c16730b7e14

Sharing

Copy URL

Twitter E-mail

General

Target

b1e08153338182a4c43ba968c954a022
Size

26.3MB
Sample

231222-q8j55sdedl
MD5

b1e08153338182a4c43ba968c954a022
SHA1

1dc4b3fa2093abcf3eb833f0b123670aea42988c
SHA256

e06f76599cb5c522b9e739db71afd98be6d77807a5eeb610dfa12c16730b7e14
SHA512

35873d457ab09e71b6348ecec52dfa58390cc691b92bbe96537d731a6d0aca46677d2282625393b16e76dafc7c9fefa2073e5f6ce2505c588a39da9b39b75710
SSDEEP

786432:QKnoJMZRZpGpFwZHyKyOXEIQOhG2aa7DT:QKoJMZRLGXeHypOh+o

Score

10^/10

Malware Config

Targets

- Target
  
  22222.war
- Size
  
  52KB
- MD5
  
  764d15129db10b5d99a78cf485846c9f
- SHA1
  
  31c81c602a69fb7482d3284e2364cedf50d801a8
- SHA256
  
  80450a096e6031547978589093faedc34f79befd76626063c2716617937c0b95
- SHA512
  
  e1dd77156fb6db52eebee7d69ac93e45edf2e4077810c98bdd4c7937510462205208b54907f35ce459fc81fc1361836281ed09b74ae3df502a5542d7c64a79f1
- SSDEEP
  
  1536:vAge4uIF0F5eBqj6P7qCbn7fTMiZ9GZnVWhPPk:a/58qWPrbToo96nVWG
Score

7^/10

discovery
- Modifies file permissions
  discovery
behavioral1 behavioral2
- Target
  
  A.war
- Size
  
  76KB
- MD5
  
  ef04d5487b1a45b29054fa5214714e2b
- SHA1
  
  dcda5360be950103f43d71e4668f0db2cac76e1e
- SHA256
  
  e2b0dd06b53e6485a9647ff2ff00e6788b1e8ab38eaa62c1ef7c518e92351a73
- SHA512
  
  73b8f9d8f9e4f9fd20dbfdfa20e073308ae9bbd2ac2ac677b44e059d625d40b0af264fed4fba3e0727195a0762c7e183bf1111dcde590fc3a8c688bdc52d1ac1
- SSDEEP
  
  768:AsizDPjHibDEYIYWtnPWYwQ4ouhG+dKYFf9Ql5UVeTVBxVmVjGHdZwRsL3eOZVPt:5oFH9/w22rN2tVBx8pyL3HZVPwFi+py
Score

1^/10
behavioral3 behavioral4
- Target
  
  ClouderaPortal.war
- Size
  
  25.7MB
- MD5
  
  4f6e21be085d2a29a0c6da35d928d576
- SHA1
  
  e14dd8d47cfccc3a8a73e5afb4da5aa99b81deae
- SHA256
  
  727f4376565cf1077b3c24318f1a3d0c0f847a05006315336dfcce51b95cfd04
- SHA512
  
  c18bc526f97a33226907b15e1ca491b0ab37c0c48d628b516cd71856c1b97fb53f27cd5a0aa0dca1ed80d8c2784e9650b03f137c7cc28c2a389a736c5d8b7814
- SSDEEP
  
  393216:ZfSFVYM8/aAQia7LBmDFPWZu6l3ZLI0mg1okwKJw8j9WTctZW+viB22EP3BuhA3:ZfMVYTFFTS738BQEAw8jkyW+vic2EpV
Score

7^/10

discovery
- Modifies file permissions
  discovery
behavioral5 behavioral6
- Target
  
  W-j.war
- Size
  
  18KB
- MD5
  
  fd4fec8af65aec693c35c504d9eb74e3
- SHA1
  
  e26f5d45bd856d98cbe1398109d5ac219b46d125
- SHA256
  
  532cb95e2ea50298afb02ab0d7ca1cb60a014dd6432b5150efcbb5237199818a
- SHA512
  
  441f17a6b8d3d3351de46c463983373e8a17a83e369f0b1eb68d7f134b391c454a04a2cdd21430e338bbeba5dac927aca9a2f3d1bbf13f0df35e5a5055f90c26
- SSDEEP
  
  384:nv7fagWyX/1XMDj6INAIbPvtnCdHUxDG2YBcYb/ln/ZYnP3:nv7faC/9MDjXG2GvBc0/V/k3
Score

7^/10

discovery
- Modifies file permissions
  discovery
behavioral7 behavioral8
- Target
  
  ssh.war
- Size
  
  36KB
- MD5
  
  1cdc2c45232110551b6e21a43a067cb3
- SHA1
  
  f8e661aab0e09b8d8b663d1e339cc637a6e16978
- SHA256
  
  0b2c1618bab989ab3146a97b0913da5203025d7f7874d0e14fca6e1dba726615
- SHA512
  
  e22293ead032ced2669e7876ade1d82f5c95e883b6916061b04d0032bad14fbfe9f6ee86e7e501da49c8fea84225c4c5604cf85d96d4000d3faeecb0614bb09d
- SSDEEP
  
  768:OKjRVzZTWZ9fGguTsNhL572lQFVgHj2ckAm5hC4WX:OMiZ9GZyhlhVgKxk4G
Score

7^/10

discovery
- Modifies file permissions
  discovery
behavioral10 behavioral9
- Target
  
  udp
- Size
  
  1.2MB
- MD5
  
  6205df8b077b2ca968077127dd03ab84
- SHA1
  
  4db1c73a4a33696da9208cc220f8262fb90767af
- SHA256
  
  da2a3acb7a40ceca3d89f84583703ddc1003a5448e9b1dcda7dea986a4d84f82
- SHA512
  
  9b0ec70890246e2cde9d2df1faabac9fabfd9fe80a7649200f4ae9b81dcbe9cd7c0788fac19ebd5e05be1475a62ffa3b0df0fc0b278894aaa66d996792a4d7b7
- SSDEEP
  
  24576:e845rlHu6gVJKG75oFpA0VWEX4G2y1q2rJp0:745wRVJKGtSA0VWEoVu9p0
Score

10^/10

mrblack antivm botnet persistence trojan
- MrBlack Trojan
  IoT botnet which infects routers to be used for DDoS attacks.
  trojan botnet mrblack
- MrBlack trojan
- Executes dropped EXE
- Checks CPU configuration
  Checks CPU information which indicate if the system is a virtual machine.
  antivm
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
- Write file to user bin folder
- Writes file to system bin folder
behavioral11

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

File and Directory Permissions Modification

T1222

Hijack Execution Flow

T1574

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Modifies file permissions

Modifies file permissions

Modifies file permissions

Modifies file permissions

MrBlack Trojan

MrBlack trojan

Executes dropped EXE

Checks CPU configuration

Modifies init.d

Reads system routing table

Write file to user bin folder

Writes file to system bin folder

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11