mrblack | be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
20-03-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf
Size

1.2MB
MD5

5ac9924723ee51a34999132cbd369213
SHA1

8bb17a17dc4a7885978c0161d7be2b0274a42466
SHA256

be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291
SHA512

f0d1a0ca422c99b37c286b8d6b7b15ad48c6fc0991974623dfbe9c580499e868d36c771aa2d57b1784d515c4cc5524e846e20f5b252f6079b6f71c35c8ae389a
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWeX4R2y1q2rJp0:745vRVJKGtSA0VWeoIu9p0

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1842	getty
/usr/bin/.sshd	1866	.sshd

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/DbSecuritySpt
File opened for modification	/etc/init.d/selinux

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route

Write file to user bin folder 1 TTPs 10 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty.lock	Process not Found
File opened for modification	/usr/bin/bsd-port/udevd.lock	Process not Found
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ss	cp
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ss	cp
File opened for modification	/usr/bin/ps	cp

Writes file to system bin folder 1 TTPs 3 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/ss	cp
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/dev
File opened for reading	/proc/net/route
File opened for reading	/proc/net/arp

Reads runtime system information 35 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	.sshd
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/moni.lod
File opened for modification	/tmp/bill.lock
File opened for modification	/tmp/gates.lod
File opened for modification	/tmp/notify.file
File opened for modification	/tmp/conf.n

/tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf
/tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf
1⤵
- Reads runtime system information
PID:1482

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
1⤵
PID:1686
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:1687

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
1⤵
PID:1688
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:1689

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
1⤵
PID:1690
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:1691

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
1⤵
PID:1692
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:1693

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
1⤵
PID:1694
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:1695

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1834
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1835

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1836
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1837

/bin/sh
sh -c "cp -f /tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf /usr/bin/bsd-port/getty"
1⤵
PID:1838
- /usr/bin/cp
  cp -f /tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1839

/bin/sh
sh -c /usr/bin/bsd-port/getty
1⤵
PID:1841
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  PID:1842

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1844
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1845

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1846
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1847

/bin/sh
sh -c "cp -f /tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf /usr/bin/.sshd"
1⤵
PID:1848
- /usr/bin/cp
  cp -f /tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf /usr/bin/.sshd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1849

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
1⤵
PID:1850
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
  2⤵
  PID:1851

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
1⤵
PID:1852
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
  2⤵
  PID:1853

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
1⤵
PID:1854
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
  2⤵
  PID:1855

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
1⤵
PID:1856
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
  2⤵
  PID:1857

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
1⤵
PID:1858
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
  2⤵
  PID:1859

/bin/sh
sh -c "mkdir -p /usr/bin/dpkgd"
1⤵
PID:1860
- /usr/bin/mkdir
  mkdir -p /usr/bin/dpkgd
  2⤵
  - Reads runtime system information
  PID:1861

/bin/sh
sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
1⤵
PID:1862
- /usr/bin/cp
  cp -f /bin/lsof /usr/bin/dpkgd/lsof
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1863

/bin/sh
sh -c /usr/bin/.sshd
1⤵
PID:1865
- /usr/bin/.sshd
  /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  PID:1866

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1867
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1868

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1869
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1870

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"
1⤵
PID:1871
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /bin/lsof
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1872

/bin/sh
sh -c "chmod 0755 /bin/lsof"
1⤵
PID:1873
- /usr/bin/chmod
  chmod 0755 /bin/lsof
  2⤵
  PID:1874

/bin/sh
sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
1⤵
PID:1875
- /usr/bin/cp
  cp -f /bin/ps /usr/bin/dpkgd/ps
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1876

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1877
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1878

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1879
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1880

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
1⤵
PID:1881
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /bin/ps
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1882

/bin/sh
sh -c "chmod 0755 /bin/ps"
1⤵
PID:1883
- /usr/bin/chmod
  chmod 0755 /bin/ps
  2⤵
  PID:1884

/bin/sh
sh -c "cp -f /bin/ss /usr/bin/dpkgd/ss"
1⤵
PID:1885
- /usr/bin/cp
  cp -f /bin/ss /usr/bin/dpkgd/ss
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1886

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1887
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1888

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1889
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1890

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/ss"
1⤵
PID:1891
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /bin/ss
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1892

/bin/sh
sh -c "chmod 0755 /bin/ss"
1⤵
PID:1893
- /usr/bin/chmod
  chmod 0755 /bin/ss
  2⤵
  PID:1894

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1895
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1896

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1897
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1898

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
1⤵
PID:1899
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1900

/bin/sh
sh -c "chmod 0755 /usr/bin/lsof"
1⤵
PID:1901
- /usr/bin/chmod
  chmod 0755 /usr/bin/lsof
  2⤵
  PID:1902

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1903
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1904

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1905
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1906

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"
1⤵
PID:1907
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /usr/bin/ps
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1908

/bin/sh
sh -c "chmod 0755 /usr/bin/ps"
1⤵
PID:1909
- /usr/bin/chmod
  chmod 0755 /usr/bin/ps
  2⤵
  PID:1910

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1911
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1912

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1913
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1914

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ss"
1⤵
PID:1915
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /usr/bin/ss
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1916

/bin/sh
sh -c "chmod 0755 /usr/bin/ss"
1⤵
PID:1917
- /usr/bin/chmod
  chmod 0755 /usr/bin/ss
  2⤵
  PID:1918

/bin/sh
sh -c "insmod /usr/bin/bsd-port/xpacket.ko"
1⤵
PID:2019
- /usr/sbin/insmod
  insmod /usr/bin/bsd-port/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:2020

/bin/sh
sh -c "insmod /tmp/xpacket.ko"
1⤵
PID:2027
- /usr/sbin/insmod
  insmod /tmp/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
86B

MD5
2566e7cf0a924622be39a81c3cd496ac

SHA1
a78a3a411636127b2f39f49423e3ff369ce7e0dd

SHA256
3b4ac7b17cadf1647e3121b80b92393a0273989b413957e75b57094778bff5ee

SHA512
abd318ea82a6aaaf5c6b233f104298ee2cac1fc7213a9843033cd95c4405b081e5fe927b8352710261ac2b0710e534958262ea74e1d777d08b22ba4ff7132366

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
1714726c817af50457d810aae9d27a2e

SHA1
bb7e0878197e923c50408c8cccedb73e9630a7f8

SHA256
b3396bcb59674d33f54fa27c6d3855f647834cfcb75b4cb98f2d279c053e83ea

SHA512
70fa8703e56acbd7fb729e72c30dcf49cb714a24d7f280b26c01a615decbdd3b64da51b7f74c0d66b68d5049a7198d7010c669d5f2609af96f0b56dd19c26152

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
0950ca92a4dcf426067cfd2246bb5ff3

SHA1
9ee53d1cec0d5e0348cb88f67155a25ff80635ec

SHA256
80f8ded29fa2e922c77b98ea8f229ef65ea360daf5d1c9e05b80539e502b5621

SHA512
0d8f218692cb4671899a2673af970a34b39e2fabba0a8ae53b4282804ed217dbfeb71a96756733b0f019b0640c292c427d1e0b4bc6f5cacdd252dd0d1c50abcc

Download Submit
/tmp/notify.file

Filesize
73B

MD5
71ac2431ef135ea0bb3a82deb9d83fa4

SHA1
971275333911a515887072862df9543864d43cff

SHA256
ac6016f4790b500a4500be5ef7e04d091c8955dab66aff13a2f5595ed6e4d88e

SHA512
c34a7945abf442603d5c8875b76d928622423ffdedb0896809e049945303a8646982558343af216d4ad204002a3d11ebbc1cbc4ac096ec905e5e4951d612bc0e

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.2MB

MD5
5ac9924723ee51a34999132cbd369213

SHA1
8bb17a17dc4a7885978c0161d7be2b0274a42466

SHA256
be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291

SHA512
f0d1a0ca422c99b37c286b8d6b7b15ad48c6fc0991974623dfbe9c580499e868d36c771aa2d57b1784d515c4cc5524e846e20f5b252f6079b6f71c35c8ae389a

Download Submit
/usr/bin/dpkgd/lsof

Filesize
171KB

MD5
061386937ec7acf924438a2643a32be0

SHA1
01a044b9e58839bea3e58c66cb32acc16241bf91

SHA256
8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

SHA512
2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

Download Submit
/usr/bin/dpkgd/ps

Filesize
134KB

MD5
d194576b899af45b1d2a448612ec21e5

SHA1
492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

SHA256
a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

SHA512
b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

Download Submit
/usr/bin/dpkgd/ss

Filesize
164KB

MD5
51d83131b398a97dd38555ba57084721

SHA1
7d392a87f7db787dfa85fbcdf2a5ba6f0b59b4ed

SHA256
e429f9d16a4cd64593b94dee8309a427fe8ca57765bf0d2e7b822efd123fe768

SHA512
adc7137df75410c2535986c1e86c2e92e58f9bee70094f72f1f7adf3db125720ce281eb3f48474b0e192d672e96cbb1bc6e1ef6b26b10bf76a412c4516948216

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads