mrblack | a91b8ea628b31ec5c5724dad7b96b38d26ad25c1f185335b6fb639c59e5050e8

Analysis

max time kernel
150s
max time network
154s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
21-03-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf
Size

1.2MB
MD5

5ac9924723ee51a34999132cbd369213
SHA1

8bb17a17dc4a7885978c0161d7be2b0274a42466
SHA256

be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291
SHA512

f0d1a0ca422c99b37c286b8d6b7b15ad48c6fc0991974623dfbe9c580499e868d36c771aa2d57b1784d515c4cc5524e846e20f5b252f6079b6f71c35c8ae389a
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWeX4R2y1q2rJp0:745vRVJKGtSA0VWeoIu9p0

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1552	getty
/usr/bin/.sshd	1682	.sshd

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/DbSecuritySpt
File opened for modification	/etc/init.d/selinux

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route

Write file to user bin folder 1 TTPs 10 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty.lock	Process not Found
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/ss	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/udevd.lock	Process not Found
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ss	cp
File opened for modification	/usr/bin/lsof	cp

Writes file to system bin folder 1 TTPs 3 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/ps	cp
File opened for modification	/bin/ss	cp
File opened for modification	/bin/lsof	cp

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/dev
File opened for reading	/proc/net/route
File opened for reading	/proc/net/arp

Reads runtime system information 35 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/sys/kernel/version	be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	.sshd
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/moni.lod
File opened for modification	/tmp/bill.lock
File opened for modification	/tmp/gates.lod
File opened for modification	/tmp/notify.file
File opened for modification	/tmp/conf.n

/tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf
/tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf
1⤵
- Reads runtime system information
PID:1476

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
1⤵
PID:1534
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:1535

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
1⤵
PID:1536
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:1537

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
1⤵
PID:1538
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:1539

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
1⤵
PID:1540
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:1541

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
1⤵
PID:1542
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:1543

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1544
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1545

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1546
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1547

/bin/sh
sh -c "cp -f /tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf /usr/bin/bsd-port/getty"
1⤵
PID:1548
- /usr/bin/cp
  cp -f /tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1549

/bin/sh
sh -c /usr/bin/bsd-port/getty
1⤵
PID:1551
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  PID:1552

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1555
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1556

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1557
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1558

/bin/sh
sh -c "cp -f /tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf /usr/bin/.sshd"
1⤵
PID:1559
- /usr/bin/cp
  cp -f /tmp/be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291.elf /usr/bin/.sshd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1560

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
1⤵
PID:1669
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
  2⤵
  PID:1672

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
1⤵
PID:1673
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
  2⤵
  PID:1674

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
1⤵
PID:1675
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
  2⤵
  PID:1677

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
1⤵
PID:1679
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
  2⤵
  PID:1684

/bin/sh
sh -c /usr/bin/.sshd
1⤵
PID:1681
- /usr/bin/.sshd
  /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  PID:1682

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
1⤵
PID:1685
- /usr/bin/ln
  ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
  2⤵
  PID:1686

/bin/sh
sh -c "mkdir -p /usr/bin/dpkgd"
1⤵
PID:1687
- /usr/bin/mkdir
  mkdir -p /usr/bin/dpkgd
  2⤵
  - Reads runtime system information
  PID:1688

/bin/sh
sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
1⤵
PID:1691
- /usr/bin/cp
  cp -f /bin/lsof /usr/bin/dpkgd/lsof
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1692

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1695
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1696

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1698
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1699

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"
1⤵
PID:1700
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /bin/lsof
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1701

/bin/sh
sh -c "chmod 0755 /bin/lsof"
1⤵
PID:1702
- /usr/bin/chmod
  chmod 0755 /bin/lsof
  2⤵
  PID:1703

/bin/sh
sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
1⤵
PID:1704
- /usr/bin/cp
  cp -f /bin/ps /usr/bin/dpkgd/ps
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1705

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1706
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1707

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1708
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1709

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
1⤵
PID:1710
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /bin/ps
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1711

/bin/sh
sh -c "chmod 0755 /bin/ps"
1⤵
PID:1713
- /usr/bin/chmod
  chmod 0755 /bin/ps
  2⤵
  PID:1714

/bin/sh
sh -c "cp -f /bin/ss /usr/bin/dpkgd/ss"
1⤵
PID:1715
- /usr/bin/cp
  cp -f /bin/ss /usr/bin/dpkgd/ss
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1716

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1717
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1720

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1722
- /usr/bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1723

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/ss"
1⤵
PID:1725
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /bin/ss
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1726

/bin/sh
sh -c "chmod 0755 /bin/ss"
1⤵
PID:1728
- /usr/bin/chmod
  chmod 0755 /bin/ss
  2⤵
  PID:1729

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1731
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1732

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1733
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1734

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
1⤵
PID:1735
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1736

/bin/sh
sh -c "chmod 0755 /usr/bin/lsof"
1⤵
PID:1738
- /usr/bin/chmod
  chmod 0755 /usr/bin/lsof
  2⤵
  PID:1739

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1741
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1742

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1744
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1745

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"
1⤵
PID:1747
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /usr/bin/ps
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1748

/bin/sh
sh -c "chmod 0755 /usr/bin/ps"
1⤵
PID:1751
- /usr/bin/chmod
  chmod 0755 /usr/bin/ps
  2⤵
  PID:1752

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1753
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1754

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1756
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1757

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ss"
1⤵
PID:1760
- /usr/bin/cp
  cp -f /usr/bin/bsd-port/getty /usr/bin/ss
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1761

/bin/sh
sh -c "chmod 0755 /usr/bin/ss"
1⤵
PID:1762
- /usr/bin/chmod
  chmod 0755 /usr/bin/ss
  2⤵
  PID:1763

/bin/sh
sh -c "insmod /usr/bin/bsd-port/xpacket.ko"
1⤵
PID:1850
- /usr/sbin/insmod
  insmod /usr/bin/bsd-port/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:1851

/bin/sh
sh -c "insmod /tmp/xpacket.ko"
1⤵
PID:1854
- /usr/sbin/insmod
  insmod /tmp/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:1855

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
86B

MD5
2566e7cf0a924622be39a81c3cd496ac

SHA1
a78a3a411636127b2f39f49423e3ff369ce7e0dd

SHA256
3b4ac7b17cadf1647e3121b80b92393a0273989b413957e75b57094778bff5ee

SHA512
abd318ea82a6aaaf5c6b233f104298ee2cac1fc7213a9843033cd95c4405b081e5fe927b8352710261ac2b0710e534958262ea74e1d777d08b22ba4ff7132366

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
4e8412ad48562e3c9934f45c3e144d48

SHA1
7bf016f5b104573db99f54a0715d7f0fdf7705f4

SHA256
f525eef4f03ab81983392564bc44fea01267b8cd44fc5fd45f1974cb9a6bcd46

SHA512
f7a8033c1cfc1fea47a0b2b794d1f76ede673dc09250664b464c7591339d5e104a3caf2a0c970a378bd154cc1c7824306c048e1c50c9b90fab32a769aec09495

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
96a93ba89a5b5c6c226e49b88973f46e

SHA1
e971df1ea5c46fdfda0e5d4c6b9d222bff01a19b

SHA256
e50b6b02d6d90ddc9e3801a28ee7aaee2bb527371de05a11f294dddaac62d513

SHA512
b717ce3882bf03a04cdd74c75cd59f9fbf82f018b5867451c6d31ae3fa2672e53e0ced4885804443f6b5137f912383bb5835ea0f2624159e9765bba7a7474fc6

Download Submit
/tmp/notify.file

Filesize
73B

MD5
71ac2431ef135ea0bb3a82deb9d83fa4

SHA1
971275333911a515887072862df9543864d43cff

SHA256
ac6016f4790b500a4500be5ef7e04d091c8955dab66aff13a2f5595ed6e4d88e

SHA512
c34a7945abf442603d5c8875b76d928622423ffdedb0896809e049945303a8646982558343af216d4ad204002a3d11ebbc1cbc4ac096ec905e5e4951d612bc0e

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.2MB

MD5
5ac9924723ee51a34999132cbd369213

SHA1
8bb17a17dc4a7885978c0161d7be2b0274a42466

SHA256
be9ce96a9612ff32bc0deae2ffed9f15116b644ec106d1906fe44a6776595291

SHA512
f0d1a0ca422c99b37c286b8d6b7b15ad48c6fc0991974623dfbe9c580499e868d36c771aa2d57b1784d515c4cc5524e846e20f5b252f6079b6f71c35c8ae389a

Download Submit
/usr/bin/dpkgd/lsof

Filesize
171KB

MD5
061386937ec7acf924438a2643a32be0

SHA1
01a044b9e58839bea3e58c66cb32acc16241bf91

SHA256
8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

SHA512
2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

Download Submit
/usr/bin/dpkgd/ps

Filesize
134KB

MD5
d194576b899af45b1d2a448612ec21e5

SHA1
492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

SHA256
a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

SHA512
b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

Download Submit
/usr/bin/dpkgd/ss

Filesize
164KB

MD5
51d83131b398a97dd38555ba57084721

SHA1
7d392a87f7db787dfa85fbcdf2a5ba6f0b59b4ed

SHA256
e429f9d16a4cd64593b94dee8309a427fe8ca57765bf0d2e7b822efd123fe768

SHA512
adc7137df75410c2535986c1e86c2e92e58f9bee70094f72f1f7adf3db125720ce281eb3f48474b0e192d672e96cbb1bc6e1ef6b26b10bf76a412c4516948216

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads