mrblack | 13b31c857ca874127126dc16929e7a281f97d2dc84650fb5898bd41572efc7a8

Analysis

max time kernel
152s
max time network
147s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd85f48177089d1e7672cf04d91b8ec
Size

1.1MB
MD5

ecd85f48177089d1e7672cf04d91b8ec
SHA1

1de79f6fd9322ce3a3716e24bda666a7b97ed293
SHA256

13b31c857ca874127126dc16929e7a281f97d2dc84650fb5898bd41572efc7a8
SHA512

5de0f0aebd0b9daaa06cc2cd1773bb6fe39f5dc1d7d58f423b77d73a966575cc70958275aee8ccbbadfcd07841e99b92d6d84c5fc4a7864a6af5c23e4750ca0c
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaJI+gIGYuuCol7r:4vREKfPqVE5jKsfaJRHGVo7r

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 2 IoCs

Processes:

resource	yara_rule
/usr/bin/bsd-port/getty	family_mrblack
/usr/bin/libsw	family_mrblack

Executes dropped EXE 2 IoCs

Processes:

gettylibsw

ioc pid process

/usr/bin/bsd-port/getty 1636 getty
/usr/bin/libsw 1644 libsw
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

description ioc

File opened for reading /proc/cpuinfo
Modifies init.d 1 TTPs 2 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/DbSecuritySpt
File opened for modification /etc/init.d/selinux
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/route

ioc	pid	process
/usr/bin/bsd-port/getty	1636	getty
/usr/bin/libsw	1644	libsw

description	ioc
File opened for reading	/proc/cpuinfo

description	ioc
File opened for modification	/etc/init.d/DbSecuritySpt
File opened for modification	/etc/init.d/selinux

description	ioc
File opened for reading	/proc/net/route

Write file to user bin folder 1 TTPs 7 IoCs

Hijack Execution Flow

T1574

Processes:

cpcpcpcpcp

description	ioc
File opened for modification	/usr/bin/bsd-port/getty.lock
File opened for modification	/usr/bin/bsd-port/udevd.lock
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/libsw	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/lsof	cp

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

cp

description ioc process

File opened for modification /bin/ps cp
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/dev
File opened for reading /proc/net/route
File opened for reading /proc/net/arp

description	ioc	process
File opened for modification	/bin/ps	cp

description	ioc
File opened for reading	/proc/net/dev
File opened for reading	/proc/net/route
File opened for reading	/proc/net/arp

Reads runtime system information 15 IoCs

Reads data from /proc virtual filesystem.

Processes:

mkdircpmkdircpcpmkdirinsmodmkdircpmkdircpcpinsmod

description	ioc	process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/meminfo

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
File opened for modification	/tmp/moni.lock
File opened for modification	/tmp/bill.lock
File opened for modification	/tmp/gates.lock
File opened for modification	/tmp/notify.file
File opened for modification	/tmp/conf.n

/tmp/ecd85f48177089d1e7672cf04d91b8ec
/tmp/ecd85f48177089d1e7672cf04d91b8ec
1⤵
PID:1613

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
1⤵
PID:1620

/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
2⤵
PID:1621

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
1⤵
PID:1622

/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
2⤵
PID:1623

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
1⤵
PID:1624

/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
2⤵
PID:1625

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
1⤵
PID:1626

/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
2⤵
PID:1627

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
1⤵
PID:1628

/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
2⤵
PID:1629

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1630

/bin/mkdir
mkdir -p /usr/bin/bsd-port
2⤵
- Reads runtime system information
PID:1631

/bin/sh
sh -c "cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec /usr/bin/bsd-port/getty"
1⤵
PID:1632

/bin/cp
cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec /usr/bin/bsd-port/getty
2⤵
- Write file to user bin folder
- Reads runtime system information
PID:1633

/bin/sh
sh -c /usr/bin/bsd-port/getty
1⤵
PID:1635

/usr/bin/bsd-port/getty
/usr/bin/bsd-port/getty
2⤵
- Executes dropped EXE
PID:1636

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1638

/bin/mkdir
mkdir -p /usr/bin
2⤵
- Reads runtime system information
PID:1639

/bin/sh
sh -c "cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec /usr/bin/libsw"
1⤵
PID:1640

/bin/cp
cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec /usr/bin/libsw
2⤵
- Write file to user bin folder
- Reads runtime system information
PID:1641

/bin/sh
sh -c /usr/bin/libsw
1⤵
PID:1643

/usr/bin/libsw
/usr/bin/libsw
2⤵
- Executes dropped EXE
PID:1644

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
1⤵
PID:1646

/sbin/insmod
insmod /usr/lib/xpacket.ko
2⤵
- Reads runtime system information
PID:1647

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
1⤵
PID:1648

/bin/ln
ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
2⤵
PID:1649

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
1⤵
PID:1650

/bin/ln
ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
2⤵
PID:1651

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
1⤵
PID:1653

/bin/ln
ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
2⤵
PID:1654

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
1⤵
PID:1656

/bin/ln
ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
2⤵
PID:1657

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
1⤵
PID:1658

/bin/ln
ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
2⤵
PID:1659

/bin/sh
sh -c "mkdir -p /usr/bin/dpkgd"
1⤵
PID:1660

/bin/mkdir
mkdir -p /usr/bin/dpkgd
2⤵
- Reads runtime system information
PID:1662

/bin/sh
sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
1⤵
PID:1664

/bin/cp
cp -f /bin/ps /usr/bin/dpkgd/ps
2⤵
- Write file to user bin folder
- Reads runtime system information
PID:1666

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1668

/bin/mkdir
mkdir -p /bin
2⤵
- Reads runtime system information
PID:1670

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
1⤵
PID:1671

/bin/cp
cp -f /usr/bin/bsd-port/getty /bin/ps
2⤵
- Writes file to system bin folder
- Reads runtime system information
PID:1672

/bin/sh
sh -c "chmod 0755 /bin/ps"
1⤵
PID:1673

/bin/chmod
chmod 0755 /bin/ps
2⤵
PID:1674

/bin/sh
sh -c "cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof"
1⤵
PID:1675

/bin/cp
cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
2⤵
- Write file to user bin folder
- Reads runtime system information
PID:1676

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1677

/bin/mkdir
mkdir -p /usr/bin
2⤵
- Reads runtime system information
PID:1678

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
1⤵
PID:1679

/bin/cp
cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
2⤵
- Write file to user bin folder
- Reads runtime system information
PID:1680

/bin/sh
sh -c "chmod 0755 /usr/bin/lsof"
1⤵
PID:1681

/bin/chmod
chmod 0755 /usr/bin/lsof
2⤵
PID:1682

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
1⤵
PID:1683

/sbin/insmod
insmod /usr/lib/xpacket.ko
2⤵
- Reads runtime system information
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Hijack Execution Flow

T1574

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt
Filesize
50B

MD5
deffdf915ba27bec9c71115d8804b6b3

SHA1
8a1559c2534e4925487d7ab9d262bd02c06aa48a

SHA256
80c06048a8438b7b0ef20eddd59c37aee7e07cfe69c94b4f6746fdc977a30144

SHA512
d4044e5b691f8efa7e39c1377940761d0689ae75bc06eb6a0cca3c887e229d68a3badbbbe31d7b84c9bf9349e5605478f62ae7101e7e26f1c6d6cdff668c5188

Download Submit
/etc/init.d/selinux
Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/gates.lock
Filesize
4B

MD5
71a58e8cb75904f24cde464161c3e766

SHA1
d56081031c3ba10d08365e73aeb120b3e186291b

SHA256
f68a11527b819bdf3658377dab1ea309bb5c6eefe69bb751e4b59b277cc29a7d

SHA512
e463e680ac2e1b9539a7f1c8eae96748fb6f819e5bfb819ddec5079d6d6c24d69633dbf1052930114259a8144978940d2c1f29f746e1d993a77d0a2a79a80136

Download Submit
/tmp/moni.lock
Filesize
4B

MD5
c1fea270c48e8079d8ddf7d06d26ab52

SHA1
637250c78dd38a4e6c7e05c62f9ff2e960a977a0

SHA256
7e5cb8429dce239403fec15b8930529f51efdf34ce3e28548977ea97e152f303

SHA512
30b6282fe8e42efd00e6b26bf7233375015a9051553b1f0c5e465910de8683680615675a3e24f43ce349baf54564c70b385bb70ea9546150f2fc675a19f0f33a

Download Submit
/tmp/notify.file
Filesize
37B

MD5
27aa447e3e33808ba7976656f8707365

SHA1
16df79def03fa28bc4bcc221f18753d3bde0c5fe

SHA256
2189f391207454510f6b4faa17d53d45b1f3bf7088db3cf66826260935055850

SHA512
f955b4c47aef3e0861aaa2528642f00c3afb3c140237e1602a50065dc0602c28813cc63e654974fdb9b7d605cdf0e203b755d925ca0ea0534901711b4d652b49

Download Submit
/usr/bin/bsd-port/getty
Filesize
1.1MB

MD5
ecd85f48177089d1e7672cf04d91b8ec

SHA1
1de79f6fd9322ce3a3716e24bda666a7b97ed293

SHA256
13b31c857ca874127126dc16929e7a281f97d2dc84650fb5898bd41572efc7a8

SHA512
5de0f0aebd0b9daaa06cc2cd1773bb6fe39f5dc1d7d58f423b77d73a966575cc70958275aee8ccbbadfcd07841e99b92d6d84c5fc4a7864a6af5c23e4750ca0c

Download Submit
/usr/bin/dpkgd/lsof
Filesize
159KB

MD5
e093dc78225e2a0a25e3b137c1c1e442

SHA1
c29497cfaae729eb576875e4fdfa400640ab16be

SHA256
1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e

SHA512
fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0

Download Submit
/usr/bin/dpkgd/ps
Filesize
130KB

MD5
558edc26f8a38fa9788220b9af8a73e7

SHA1
3024d44e580e9c67f32f6c585d50e2a6cc9a7cac

SHA256
b76435c80333d2c1fd18e0e7682f1c9dfb5da8d507e93e3c416f54b481c428d5

SHA512
edaa425b441044f015e8f68fffa1664e42372d00dd0e7b0924d24ce947aa8e5f96b3bdc326fa2f8b978e3fcf638a1ceca45a223735db73f1607df66990feb56f

Download Submit
/usr/bin/libsw
Filesize
639KB

MD5
5a78419f23886049121bd31760f80043

SHA1
9e896925da4bcff28c59d4a94e9cdf556275ecfb

SHA256
b114db85bc8fcb63bf52b0a6d268e56ab79ef0770bd718e4b774b815015d2aa8

SHA512
13296213e32feb8060bd76c8413357ea026522b767a778b4a7f3f6a515bd6a22dda05a6c22fd93bb6102f23517a2fb5098e3a4f38f261aa5f0e5b2b39f3e2138

Download Submit