mrblack | 0e8b7406cefebfc76b5ca5b48c77e88bbaea2aaef89fbf947f164d017ff15743

Analysis

max time kernel
149s
max time network
148s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240418-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240418-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
06-05-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
Size

1.1MB
MD5

f57f99f56834d73211bac97f4ec2dc5c
SHA1

314fff2c301fb120ce100e812e3ef4b31580551d
SHA256

a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60
SHA512

c2785a0b3231ccd5c217f6ec38aa8ca3ece2cc3a3364a3271582ba49cf9ac8a5dfd163765c6284ba72c9bd4e711cc059ba328e6a7ad0b1adeb7e85447b9350a8
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfa1I+gIGYuuCol7r:4vREKfPqVE5jKsfa1RHGVo7r

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
/usr/bin/bsd-port/recei	family_mrblack

Executes dropped EXE 2 IoCs

Processes:

receioracle

ioc pid process

/usr/bin/bsd-port/recei 1931 recei
/usr/bin/oracle 1995 oracle

ioc	pid	process
/usr/bin/bsd-port/recei	1931	recei
/usr/bin/oracle	1995	oracle

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

receia7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

description	ioc	process
File opened for modification	/etc/init.d/selinux	recei
File opened for modification	/etc/init.d/VsystemsshMmt	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

description ioc process

File opened for reading /proc/net/route a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

description	ioc	process
File opened for reading	/proc/net/route	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

Write file to user bin folder 1 TTPs 9 IoCs

Hijack Execution Flow

T1574

Processes:

cpcpa7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elfcpreceicpcpcp

description	ioc	process
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/udevd.conf	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/bsd-port/recei.conf	recei
File opened for modification	/usr/bin/oracle	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/recei.conf	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/usr/bin/bsd-port/recei	cp

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

cpcp

description ioc process

File opened for modification /bin/lsof cp
File opened for modification /bin/ps cp

description	ioc	process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

receia7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

description	ioc	process
File opened for reading	/proc/cpuinfo	recei
File opened for reading	/proc/cpuinfo	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elfrecei

description	ioc	process
File opened for reading	/proc/net/dev	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/net/route	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/net/arp	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/net/dev	recei

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

Processes:

a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elfcporaclecpmkdircpreceicpmkdirmkdircpcpmkdircpinsmodmkdirinsmodmkdirmkdircp

description	ioc	process
File opened for reading	/proc/sys/kernel/version	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	oracle
File opened for reading	/proc/stat	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	recei
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	recei
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	recei
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

oraclea7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

description	ioc	process
File opened for modification	/tmp/appd.log	oracle
File opened for modification	/tmp/notify.file	oracle
File opened for modification	/tmp/Dest.cfg	oracle
File opened for modification	/tmp/appd.log	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/tmp/appd.conf	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/tmp/Dest.cfg	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/tmp/notify.file	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/tmp/conf.n	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1525
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt"
  2⤵
  PID:1915
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt
    3⤵
    PID:1916
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt"
  2⤵
  PID:1917
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt
    3⤵
    PID:1918
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt"
  2⤵
  PID:1919
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt
    3⤵
    PID:1920
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt"
  2⤵
  PID:1921
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt
    3⤵
    PID:1922
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt"
  2⤵
  PID:1923
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt
    3⤵
    PID:1924
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1925
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1926
- /bin/sh
  sh -c "cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/bsd-port/recei"
  2⤵
  PID:1927
- - /usr/bin/cp
    cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/bsd-port/recei
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1928
- /bin/sh
  sh -c /usr/bin/bsd-port/recei
  2⤵
  PID:1930
- - /usr/bin/bsd-port/recei
    /usr/bin/bsd-port/recei
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1931
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1975
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1976
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1977
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1978
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1979
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1980
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1981
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1982
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1983
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1984
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1985
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1986
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1987
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1988
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1989
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1990
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/recei /bin/lsof"
      4⤵
      PID:1991
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/recei /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1992
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      PID:1999
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        
        PID:2000
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:2001
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:2002
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:2005
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:2006
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/recei /bin/ps"
      4⤵
      PID:2008
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/recei /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:2009
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      PID:2012
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        
        PID:2013
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:2014
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:2015
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/lsof"
      4⤵
      PID:2016
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/recei /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:2017
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      PID:2019
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        
        PID:2020
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:2022
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:2023
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/ps"
      4⤵
      PID:2024
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/recei /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:2025
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      PID:2026
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        
        PID:2027
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:2028
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:2029
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1933
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1934
- /bin/sh
  sh -c "cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/oracle"
  2⤵
  PID:1935
- - /usr/bin/cp
    cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/oracle
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1936
- /bin/sh
  sh -c /usr/bin/oracle
  2⤵
  PID:1994
- - /usr/bin/oracle
    /usr/bin/oracle
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1995
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1997
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1998

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/VsystemsshMmt

Filesize
86B

MD5
94441f26a96fed150c54c0730980e833

SHA1
fd7c55a6d22e821e8d16f3ff7071e5543eb952af

SHA256
94806a3bb573a02242cbcc3a39def2f453d13d4cd5ff2e70182e1e7274fcf19a

SHA512
a2d8c41534d13ce651bdf56d25216eee11f045fcc4c12906b29cb259152750d598171fa9051eb52c629e1742bf5366b915d94c9b05ce11679112e9e8ae9e6c64

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
57cde9c165195cfb90c212057795ed49

SHA1
d77d9895306eb09ad9b54588fb7998c79c671563

SHA256
3e3488e9c63dfadffd594301e2192418b158238bfb8f83d6702123d72892cf36

SHA512
de9af53a508167cbbb820a99c2742918ec5b8c83877b77e43e4b441019311685647f47fb4666ba53ecef4e6a2d5514eb67981d471ddf173b04848609b3c0c00d

Download Submit
/tmp/Dest.cfg

Filesize
4B

MD5
e60e81c4cbe5171cd654662d9887aec2

SHA1
87496e984d6e0cc5d47f38cf3076e21af2bd4815

SHA256
70c023a77b3abc66277f31588f4f38c720a1217ba41a7cf799950027020223cf

SHA512
fb44bc7cb45d81d6c6e709e6dabe2ed4a92ca50fff2e3f9ffa28e3ceb09baee4915316edc5bec81e319d620c1ed99e0b11c51aef557c676a1929e1624ff94970

Download Submit
/tmp/notify.file

Filesize
73B

MD5
fbd31737dca441cd054904845fe35f96

SHA1
37d9a9392ceb7d28bf399491e3d08701b44bbb85

SHA256
a5d433d18ca0be1eda233343ce1b7864e8c0fb8560e592047663bbea9c52948a

SHA512
2f3ff8f59b15c4dbb939749fbe585a78ab7fa69addbf28d561815c692c36ec51b70e46e3393d02cebc48ac40098fac25f2a6c81f763c684ce4863efae813381b

Download Submit
/usr/bin/bsd-port/recei

Filesize
1.1MB

MD5
f57f99f56834d73211bac97f4ec2dc5c

SHA1
314fff2c301fb120ce100e812e3ef4b31580551d

SHA256
a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60

SHA512
c2785a0b3231ccd5c217f6ec38aa8ca3ece2cc3a3364a3271582ba49cf9ac8a5dfd163765c6284ba72c9bd4e711cc059ba328e6a7ad0b1adeb7e85447b9350a8

Download Submit
/usr/bin/dpkgd/lsof

Filesize
171KB

MD5
061386937ec7acf924438a2643a32be0

SHA1
01a044b9e58839bea3e58c66cb32acc16241bf91

SHA256
8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

SHA512
2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

Download Submit
/usr/bin/dpkgd/ps

Filesize
134KB

MD5
d194576b899af45b1d2a448612ec21e5

SHA1
492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

SHA256
a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

SHA512
b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

Download Submit