Analysis
max time kernel: 152s
max time network: 147s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231222-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231222-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 22-12-2023 16:19
Behavioral task: behavioral1
Sample: ecd85f48177089d1e7672cf04d91b8ec
Resource: ubuntu1804-amd64-20231222-en
General
Target: ecd85f48177089d1e7672cf04d91b8ec
Size: 1.1MB
MD5: ecd85f48177089d1e7672cf04d91b8ec
SHA1: 1de79f6fd9322ce3a3716e24bda666a7b97ed293
SHA256: 13b31c857ca874127126dc16929e7a281f97d2dc84650fb5898bd41572efc7a8
SHA512: 5de0f0aebd0b9daaa06cc2cd1773bb6fe39f5dc1d7d58f423b77d73a966575cc70958275aee8ccbbadfcd07841e99b92d6d84c5fc4a7864a6af5c23e4750ca0c
SSDEEP: 24576:4vRE7caCfKGPqVEDNLFxKsfaJI+gIGYuuCol7r:4vREKfPqVE5jKsfaJRHGVo7r
Malware Config
Signatures
- MrBlack trojan (2 IoCs)
  Processes:
  resource | YARA rule
  /usr/bin/bsd-port/getty | family_mrblack
  /usr/bin/libsw | family_mrblack
- Executes dropped EXE (2 IoCs)
  Processes:
  ioc | pid | process
  /usr/bin/bsd-port/getty | 1636 | getty
  /usr/bin/libsw | 1644 | libsw
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
  description | ioc
  File opened for modification | /etc/init.d/DbSecuritySpt
  File opened for modification | /etc/init.d/selinux
- Reads system routing table (1 TTPs, 1 IoCs)
  Gets active network interfaces from the /proc virtual filesystem.
  Processes:
  description | ioc
  File opened for reading | /proc/net/route
- Write file to user bin folder (1 TTPs, 7 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | /usr/bin/bsd-port/getty.lock |
  File opened for modification | /usr/bin/bsd-port/udevd.lock |
  File opened for modification | /usr/bin/bsd-port/getty | cp
  File opened for modification | /usr/bin/libsw | cp
  File opened for modification | /usr/bin/dpkgd/ps | cp
  File opened for modification | /usr/bin/dpkgd/lsof | cp
  File opened for modification | /usr/bin/lsof | cp
- Writes file to system bin folder (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | /bin/ps | cp
- Reads system network configuration (1 TTPs, 3 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  Processes:
  description | ioc
  File opened for reading | /proc/net/dev
  File opened for reading | /proc/net/route
  File opened for reading | /proc/net/arp
- Reads runtime system information (15 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes:
  description | ioc | process
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/stat |
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/cmdline | insmod
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/cmdline | insmod
  File opened for reading | /proc/meminfo |
- Writes file to tmp directory (5 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
  description | ioc
  File opened for modification | /tmp/moni.lock
  File opened for modification | /tmp/bill.lock
  File opened for modification | /tmp/gates.lock
  File opened for modification | /tmp/notify.file
  File opened for modification | /tmp/conf.n
Processes
(process tree: executable path, then command line; child processes are indented under their parent, signature hits are listed beneath the process that triggered them)
- /tmp/ecd85f48177089d1e7672cf04d91b8ec: /tmp/ecd85f48177089d1e7672cf04d91b8ec
- /bin/sh: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  - /bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
- /bin/sh: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  - /bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
- /bin/sh: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  - /bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
- /bin/sh: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  - /bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
- /bin/sh: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  - /bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
- /bin/sh: sh -c "mkdir -p /usr/bin/bsd-port"
  - /bin/mkdir: mkdir -p /usr/bin/bsd-port
    - Reads runtime system information
- /bin/sh: sh -c "cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec /usr/bin/bsd-port/getty"
  - /bin/cp: cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec /usr/bin/bsd-port/getty
    - Write file to user bin folder
    - Reads runtime system information
- /bin/sh: sh -c /usr/bin/bsd-port/getty
  - /usr/bin/bsd-port/getty: /usr/bin/bsd-port/getty
    - Executes dropped EXE
- /bin/sh: sh -c "mkdir -p /usr/bin"
  - /bin/mkdir: mkdir -p /usr/bin
    - Reads runtime system information
- /bin/sh: sh -c "cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec /usr/bin/libsw"
  - /bin/cp: cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec /usr/bin/libsw
    - Write file to user bin folder
    - Reads runtime system information
- /bin/sh: sh -c /usr/bin/libsw
  - /usr/bin/libsw: /usr/bin/libsw
    - Executes dropped EXE
- /bin/sh: sh -c "insmod /usr/lib/xpacket.ko"
  - /sbin/insmod: insmod /usr/lib/xpacket.ko
    - Reads runtime system information
- /bin/sh: sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
  - /bin/ln: ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
- /bin/sh: sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
  - /bin/ln: ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
- /bin/sh: sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
  - /bin/ln: ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
- /bin/sh: sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
  - /bin/ln: ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
- /bin/sh: sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
  - /bin/ln: ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
- /bin/sh: sh -c "mkdir -p /usr/bin/dpkgd"
  - /bin/mkdir: mkdir -p /usr/bin/dpkgd
    - Reads runtime system information
- /bin/sh: sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
  - /bin/cp: cp -f /bin/ps /usr/bin/dpkgd/ps
    - Write file to user bin folder
    - Reads runtime system information
- /bin/sh: sh -c "mkdir -p /bin"
  - /bin/mkdir: mkdir -p /bin
    - Reads runtime system information
- /bin/sh: sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
  - /bin/cp: cp -f /usr/bin/bsd-port/getty /bin/ps
    - Writes file to system bin folder
    - Reads runtime system information
- /bin/sh: sh -c "chmod 0755 /bin/ps"
  - /bin/chmod: chmod 0755 /bin/ps
- /bin/sh: sh -c "cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof"
  - /bin/cp: cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
    - Write file to user bin folder
    - Reads runtime system information
- /bin/sh: sh -c "mkdir -p /usr/bin"
  - /bin/mkdir: mkdir -p /usr/bin
    - Reads runtime system information
- /bin/sh: sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
  - /bin/cp: cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
    - Write file to user bin folder
    - Reads runtime system information
- /bin/sh: sh -c "chmod 0755 /usr/bin/lsof"
  - /bin/chmod: chmod 0755 /usr/bin/lsof
- /bin/sh: sh -c "insmod /usr/lib/xpacket.ko"
  - /sbin/insmod: insmod /usr/lib/xpacket.ko
    - Reads runtime system information
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /etc/init.d/DbSecuritySpt
  Filesize: 50B
  MD5: deffdf915ba27bec9c71115d8804b6b3
  SHA1: 8a1559c2534e4925487d7ab9d262bd02c06aa48a
  SHA256: 80c06048a8438b7b0ef20eddd59c37aee7e07cfe69c94b4f6746fdc977a30144
  SHA512: d4044e5b691f8efa7e39c1377940761d0689ae75bc06eb6a0cca3c887e229d68a3badbbbe31d7b84c9bf9349e5605478f62ae7101e7e26f1c6d6cdff668c5188
- /etc/init.d/selinux
  Filesize: 36B
  MD5: 993cc15058142d96c3daf7852c3d5ee8
  SHA1: 0950b8b391b04dd3895ea33cd3141543ebd2525d
  SHA256: 8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208
  SHA512: 0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928
- /tmp/gates.lock
  Filesize: 4B
  MD5: 71a58e8cb75904f24cde464161c3e766
  SHA1: d56081031c3ba10d08365e73aeb120b3e186291b
  SHA256: f68a11527b819bdf3658377dab1ea309bb5c6eefe69bb751e4b59b277cc29a7d
  SHA512: e463e680ac2e1b9539a7f1c8eae96748fb6f819e5bfb819ddec5079d6d6c24d69633dbf1052930114259a8144978940d2c1f29f746e1d993a77d0a2a79a80136
- /tmp/moni.lock
  Filesize: 4B
  MD5: c1fea270c48e8079d8ddf7d06d26ab52
  SHA1: 637250c78dd38a4e6c7e05c62f9ff2e960a977a0
  SHA256: 7e5cb8429dce239403fec15b8930529f51efdf34ce3e28548977ea97e152f303
  SHA512: 30b6282fe8e42efd00e6b26bf7233375015a9051553b1f0c5e465910de8683680615675a3e24f43ce349baf54564c70b385bb70ea9546150f2fc675a19f0f33a
- /tmp/notify.file
  Filesize: 37B
  MD5: 27aa447e3e33808ba7976656f8707365
  SHA1: 16df79def03fa28bc4bcc221f18753d3bde0c5fe
  SHA256: 2189f391207454510f6b4faa17d53d45b1f3bf7088db3cf66826260935055850
  SHA512: f955b4c47aef3e0861aaa2528642f00c3afb3c140237e1602a50065dc0602c28813cc63e654974fdb9b7d605cdf0e203b755d925ca0ea0534901711b4d652b49
- /usr/bin/bsd-port/getty
  Filesize: 1.1MB
  MD5: ecd85f48177089d1e7672cf04d91b8ec
  SHA1: 1de79f6fd9322ce3a3716e24bda666a7b97ed293
  SHA256: 13b31c857ca874127126dc16929e7a281f97d2dc84650fb5898bd41572efc7a8
  SHA512: 5de0f0aebd0b9daaa06cc2cd1773bb6fe39f5dc1d7d58f423b77d73a966575cc70958275aee8ccbbadfcd07841e99b92d6d84c5fc4a7864a6af5c23e4750ca0c
- /usr/bin/dpkgd/lsof
  Filesize: 159KB
  MD5: e093dc78225e2a0a25e3b137c1c1e442
  SHA1: c29497cfaae729eb576875e4fdfa400640ab16be
  SHA256: 1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e
  SHA512: fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0
- /usr/bin/dpkgd/ps
  Filesize: 130KB
  MD5: 558edc26f8a38fa9788220b9af8a73e7
  SHA1: 3024d44e580e9c67f32f6c585d50e2a6cc9a7cac
  SHA256: b76435c80333d2c1fd18e0e7682f1c9dfb5da8d507e93e3c416f54b481c428d5
  SHA512: edaa425b441044f015e8f68fffa1664e42372d00dd0e7b0924d24ce947aa8e5f96b3bdc326fa2f8b978e3fcf638a1ceca45a223735db73f1607df66990feb56f
- /usr/bin/libsw
  Filesize: 639KB
  MD5: 5a78419f23886049121bd31760f80043
  SHA1: 9e896925da4bcff28c59d4a94e9cdf556275ecfb
  SHA256: b114db85bc8fcb63bf52b0a6d268e56ab79ef0770bd718e4b774b815015d2aa8
  SHA512: 13296213e32feb8060bd76c8413357ea026522b767a778b4a7f3f6a515bd6a22dda05a6c22fd93bb6102f23517a2fb5098e3a4f38f261aa5f0e5b2b39f3e2138