mrblack | 26f389b1b3f68324e328925fa4538fd4843014ed609fdff4bee80f72c845654f

General

Target

a9c95cbf64552c07a2278f29b249135b
Size

1.1MB
MD5

a9c95cbf64552c07a2278f29b249135b
SHA1

6960164d2652ed3d6006dccdae8ff0e1eefa041a
SHA256

26f389b1b3f68324e328925fa4538fd4843014ed609fdff4bee80f72c845654f
SHA512

b4144490ad0f092d12977395192cb0155f0187b146bac8a51e51a465ddacd940346abb58c38524ddf9134cdaa781b4d17ec2217b4a71057d558cc8e5ecf16844
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaSI+gIGYuuCol7r:4vREKfPqVE5jKsfaSRHGVo7r

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 2 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack
behavioral1/files/fstream-6.dat	family_mrblack

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1558	getty
/usr/bin/.swhd	1576	.swhd

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/DbSecuritySpt

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.swhd	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	Process not Found
File opened for modification	/usr/bin/bsd-port/udevd.lock	Process not Found

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/dev
File opened for reading	/proc/net/route
File opened for reading	/proc/net/arp

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/moni.lock
File opened for modification	/tmp/bill.lock
File opened for modification	/tmp/gates.lock
File opened for modification	/tmp/notify.file
File opened for modification	/tmp/conf.n

/tmp/a9c95cbf64552c07a2278f29b249135b
/tmp/a9c95cbf64552c07a2278f29b249135b
1⤵
PID:1533

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
1⤵
PID:1539
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:1540

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
1⤵
PID:1541
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:1542

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
1⤵
PID:1543
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:1544

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
1⤵
PID:1545
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:1546

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
1⤵
PID:1547
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:1548

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1552
- /bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1553

/bin/sh
sh -c "cp -f /tmp/a9c95cbf64552c07a2278f29b249135b /usr/bin/bsd-port/getty"
1⤵
PID:1554
- /bin/cp
  cp -f /tmp/a9c95cbf64552c07a2278f29b249135b /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1555

/bin/sh
sh -c /usr/bin/bsd-port/getty
1⤵
PID:1557
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  PID:1558

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1560
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1561

/bin/sh
sh -c "cp -f /tmp/a9c95cbf64552c07a2278f29b249135b /usr/bin/.swhd"
1⤵
PID:1562
- /bin/cp
  cp -f /tmp/a9c95cbf64552c07a2278f29b249135b /usr/bin/.swhd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1563

/bin/sh
sh -c /usr/bin/.swhd
1⤵
PID:1575
- /usr/bin/.swhd
  /usr/bin/.swhd
  2⤵
  - Executes dropped EXE
  PID:1576

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
1⤵
PID:1578
- /sbin/insmod
  insmod /usr/lib/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:1579

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

1

T1574

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

1

T1574

Defense Evasion

Hijack Execution Flow

1

T1574

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

System Network Configuration Discovery

2

T1016

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
50B

MD5
4a4007ea7945833380d09763f7843c0a

SHA1
8cd1a7aecfb171c46ab7771c59381a956e1c418e

SHA256
153ef03f55058dfad32f42e936c148fa96e50435777ed03cf5a774f6edf4b940

SHA512
623db51e5d1ac07722f08e461efcb278e0815d37050f9fbba0eb3b19ff0202d7270beafcf9a3be200618fbf43ebde6d046fe3581ee1bfc5ef0e20f79aa50ed5e

Download Submit
/tmp/gates.lock

Filesize
4B

MD5
d63fbf8c3173730f82b150c5ef38b8ff

SHA1
1d23c8edf135106a57d7f1694d9c2c7eb67cc326

SHA256
13be5b896be039957e7996f606c8513fa2d9061132bdcabdbee5a362dd9fd8ff

SHA512
275c9875be2b60cc2d67678f6c08b9bfb4f21f8f087eaa942aad8d808f2141a9d1b376e1825ab764f8eda46cc7f6a86490d8475ca8446a6ef519c71784fdc11a

Download Submit
/tmp/moni.lock

Filesize
4B

MD5
7e1d842d0f7ee600116ffc6b2d87d83f

SHA1
58cb004c78ad7dd27552600c7c1d525e5797cd1d

SHA256
1d16bb3354a11b509e641db094ca078be290298b0ec32c6b46b88fe919a1a8ed

SHA512
113c6380957062e07ff7390ef365b7352fa3e96dabb6503422821a7de921d40296db514ff99bf85f780aee8486787810184d16106a8a7ccdc92423e23bf31575

Download Submit
/tmp/notify.file

Filesize
37B

MD5
91246cab966943cd6632b08e6a200ef2

SHA1
cf0f300185bc964f4eefc227f0b78be19b49ef92

SHA256
5b247bc588a5e20ae01c3ac67f6f590549a8fb746e74abd191d9ed51899323ff

SHA512
81b5a6de110b6a60ed7d5f0275f64c9361075dbec5811fb3b1f7b3868d77abb10532a7948ac4a17923ca4bb18d17e84da1bec5694cd5831adef14b6a4f28ffc2

Download Submit
/usr/bin/.swhd

Filesize
1.0MB

MD5
cd8f76938e2d891bde4975dd1f39ee7f

SHA1
cbfbd91dab1c58f787c51006f664ff0bf7039d3b

SHA256
fe58d07305ce8b9bfbad7563de2a5d3e346cb0759b838412f9f1e5ec295dccf5

SHA512
c470d640fa7b52004cee075d2eaf051fe9fa5d6800d6bda101472468e96c6fc9889f3d604d52318e2cdea3db2e4b767a3f9b510b0ec95f12c24cc39fe61e5100

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.1MB

MD5
a9c95cbf64552c07a2278f29b249135b

SHA1
6960164d2652ed3d6006dccdae8ff0e1eefa041a

SHA256
26f389b1b3f68324e328925fa4538fd4843014ed609fdff4bee80f72c845654f

SHA512
b4144490ad0f092d12977395192cb0155f0187b146bac8a51e51a465ddacd940346abb58c38524ddf9134cdaa781b4d17ec2217b4a71057d558cc8e5ecf16844

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads