Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240418-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2004-amd64-20240418-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
  • submitted
    06-05-2024 02:01

General

  • Target

    a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

  • Size

    1.1MB

  • MD5

    f57f99f56834d73211bac97f4ec2dc5c

  • SHA1

    314fff2c301fb120ce100e812e3ef4b31580551d

  • SHA256

    a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60

  • SHA512

    c2785a0b3231ccd5c217f6ec38aa8ca3ece2cc3a3364a3271582ba49cf9ac8a5dfd163765c6284ba72c9bd4e711cc059ba328e6a7ad0b1adeb7e85447b9350a8

  • SSDEEP

    24576:4vRE7caCfKGPqVEDNLFxKsfa1I+gIGYuuCol7r:4vREKfPqVE5jKsfa1RHGVo7r

Malware Config

Signatures

  • MrBlack Trojan

    IoT botnet which infects routers to be used for DDoS attacks.

  • MrBlack trojan 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies init.d 1 TTPs 2 IoCs

    Adds/modifies system service, likely for persistence.

  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Write file to user bin folder 1 TTPs 9 IoCs
  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads system network configuration 1 TTPs 4 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 24 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
    /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
    1⤵
    • Modifies init.d
    • Reads system routing table
    • Write file to user bin folder
    • Checks CPU configuration
    • Reads system network configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1525
    • /bin/sh
      sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt"
      2⤵
        PID:1915
        • /usr/bin/ln
          ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt
          3⤵
            PID:1916
        • /bin/sh
          sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt"
          2⤵
            PID:1917
            • /usr/bin/ln
              ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt
              3⤵
                PID:1918
            • /bin/sh
              sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt"
              2⤵
                PID:1919
                • /usr/bin/ln
                  ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt
                  3⤵
                    PID:1920
                • /bin/sh
                  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt"
                  2⤵
                    PID:1921
                    • /usr/bin/ln
                      ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt
                      3⤵
                        PID:1922
                    • /bin/sh
                      sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt"
                      2⤵
                        PID:1923
                        • /usr/bin/ln
                          ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt
                          3⤵
                            PID:1924
                        • /bin/sh
                          sh -c "mkdir -p /usr/bin/bsd-port"
                          2⤵
                            PID:1925
                            • /usr/bin/mkdir
                              mkdir -p /usr/bin/bsd-port
                              3⤵
                              • Reads runtime system information
                              PID:1926
                          • /bin/sh
                            sh -c "cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/bsd-port/recei"
                            2⤵
                              PID:1927
                              • /usr/bin/cp
                                cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/bsd-port/recei
                                3⤵
                                • Write file to user bin folder
                                • Reads runtime system information
                                PID:1928
                            • /bin/sh
                              sh -c /usr/bin/bsd-port/recei
                              2⤵
                                PID:1930
                                • /usr/bin/bsd-port/recei
                                  /usr/bin/bsd-port/recei
                                  3⤵
                                  • Executes dropped EXE
                                  • Modifies init.d
                                  • Write file to user bin folder
                                  • Checks CPU configuration
                                  • Reads system network configuration
                                  • Reads runtime system information
                                  PID:1931
                                  • /bin/sh
                                    sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
                                    4⤵
                                      PID:1975
                                      • /usr/bin/ln
                                        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
                                        5⤵
                                          PID:1976
                                      • /bin/sh
                                        sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
                                        4⤵
                                          PID:1977
                                          • /usr/bin/ln
                                            ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
                                            5⤵
                                              PID:1978
                                          • /bin/sh
                                            sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
                                            4⤵
                                              PID:1979
                                              • /usr/bin/ln
                                                ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
                                                5⤵
                                                  PID:1980
                                              • /bin/sh
                                                sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
                                                4⤵
                                                  PID:1981
                                                  • /usr/bin/ln
                                                    ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
                                                    5⤵
                                                      PID:1982
                                                  • /bin/sh
                                                    sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
                                                    4⤵
                                                      PID:1983
                                                      • /usr/bin/ln
                                                        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
                                                        5⤵
                                                          PID:1984
                                                      • /bin/sh
                                                        sh -c "mkdir -p /usr/bin/dpkgd"
                                                        4⤵
                                                          PID:1985
                                                          • /usr/bin/mkdir
                                                            mkdir -p /usr/bin/dpkgd
                                                            5⤵
                                                            • Reads runtime system information
                                                            PID:1986
                                                        • /bin/sh
                                                          sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
                                                          4⤵
                                                            PID:1987
                                                            • /usr/bin/cp
                                                              cp -f /bin/lsof /usr/bin/dpkgd/lsof
                                                              5⤵
                                                              • Write file to user bin folder
                                                              • Reads runtime system information
                                                              PID:1988
                                                          • /bin/sh
                                                            sh -c "mkdir -p /bin"
                                                            4⤵
                                                              PID:1989
                                                              • /usr/bin/mkdir
                                                                mkdir -p /bin
                                                                5⤵
                                                                • Reads runtime system information
                                                                PID:1990
                                                            • /bin/sh
                                                              sh -c "cp -f /usr/bin/bsd-port/recei /bin/lsof"
                                                              4⤵
                                                                PID:1991
                                                                • /usr/bin/cp
                                                                  cp -f /usr/bin/bsd-port/recei /bin/lsof
                                                                  5⤵
                                                                  • Writes file to system bin folder
                                                                  • Reads runtime system information
                                                                  PID:1992
                                                              • /bin/sh
                                                                sh -c "chmod 0755 /bin/lsof"
                                                                4⤵
                                                                  PID:1999
                                                                  • /usr/bin/chmod
                                                                    chmod 0755 /bin/lsof
                                                                    5⤵
                                                                      PID:2000
                                                                  • /bin/sh
                                                                    sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
                                                                    4⤵
                                                                      PID:2001
                                                                      • /usr/bin/cp
                                                                        cp -f /bin/ps /usr/bin/dpkgd/ps
                                                                        5⤵
                                                                        • Write file to user bin folder
                                                                        • Reads runtime system information
                                                                        PID:2002
                                                                    • /bin/sh
                                                                      sh -c "mkdir -p /bin"
                                                                      4⤵
                                                                        PID:2005
                                                                        • /usr/bin/mkdir
                                                                          mkdir -p /bin
                                                                          5⤵
                                                                          • Reads runtime system information
                                                                          PID:2006
                                                                      • /bin/sh
                                                                        sh -c "cp -f /usr/bin/bsd-port/recei /bin/ps"
                                                                        4⤵
                                                                          PID:2008
                                                                          • /usr/bin/cp
                                                                            cp -f /usr/bin/bsd-port/recei /bin/ps
                                                                            5⤵
                                                                            • Writes file to system bin folder
                                                                            • Reads runtime system information
                                                                            PID:2009
                                                                        • /bin/sh
                                                                          sh -c "chmod 0755 /bin/ps"
                                                                          4⤵
                                                                            PID:2012
                                                                            • /usr/bin/chmod
                                                                              chmod 0755 /bin/ps
                                                                              5⤵
                                                                                PID:2013
                                                                            • /bin/sh
                                                                              sh -c "mkdir -p /usr/bin"
                                                                              4⤵
                                                                                PID:2014
                                                                                • /usr/bin/mkdir
                                                                                  mkdir -p /usr/bin
                                                                                  5⤵
                                                                                  • Reads runtime system information
                                                                                  PID:2015
                                                                              • /bin/sh
                                                                                sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/lsof"
                                                                                4⤵
                                                                                  PID:2016
                                                                                  • /usr/bin/cp
                                                                                    cp -f /usr/bin/bsd-port/recei /usr/bin/lsof
                                                                                    5⤵
                                                                                    • Write file to user bin folder
                                                                                    • Reads runtime system information
                                                                                    PID:2017
                                                                                • /bin/sh
                                                                                  sh -c "chmod 0755 /usr/bin/lsof"
                                                                                  4⤵
                                                                                    PID:2019
                                                                                    • /usr/bin/chmod
                                                                                      chmod 0755 /usr/bin/lsof
                                                                                      5⤵
                                                                                        PID:2020
                                                                                    • /bin/sh
                                                                                      sh -c "mkdir -p /usr/bin"
                                                                                      4⤵
                                                                                        PID:2022
                                                                                        • /usr/bin/mkdir
                                                                                          mkdir -p /usr/bin
                                                                                          5⤵
                                                                                          • Reads runtime system information
                                                                                          PID:2023
                                                                                      • /bin/sh
                                                                                        sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/ps"
                                                                                        4⤵
                                                                                          PID:2024
                                                                                          • /usr/bin/cp
                                                                                            cp -f /usr/bin/bsd-port/recei /usr/bin/ps
                                                                                            5⤵
                                                                                            • Write file to user bin folder
                                                                                            • Reads runtime system information
                                                                                            PID:2025
                                                                                        • /bin/sh
                                                                                          sh -c "chmod 0755 /usr/bin/ps"
                                                                                          4⤵
                                                                                            PID:2026
                                                                                            • /usr/bin/chmod
                                                                                              chmod 0755 /usr/bin/ps
                                                                                              5⤵
                                                                                                PID:2027
                                                                                            • /bin/sh
                                                                                              sh -c "insmod /usr/lib/xpacket.ko"
                                                                                              4⤵
                                                                                                PID:2028
                                                                                                • /usr/sbin/insmod
                                                                                                  insmod /usr/lib/xpacket.ko
                                                                                                  5⤵
                                                                                                  • Reads runtime system information
                                                                                                  PID:2029
                                                                                          • /bin/sh
                                                                                            sh -c "mkdir -p /usr/bin"
                                                                                            2⤵
                                                                                              PID:1933
                                                                                              • /usr/bin/mkdir
                                                                                                mkdir -p /usr/bin
                                                                                                3⤵
                                                                                                • Reads runtime system information
                                                                                                PID:1934
                                                                                            • /bin/sh
                                                                                              sh -c "cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/oracle"
                                                                                              2⤵
                                                                                                PID:1935
                                                                                                • /usr/bin/cp
                                                                                                  cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/oracle
                                                                                                  3⤵
                                                                                                  • Write file to user bin folder
                                                                                                  • Reads runtime system information
                                                                                                  PID:1936
                                                                                              • /bin/sh
                                                                                                sh -c /usr/bin/oracle
                                                                                                2⤵
                                                                                                  PID:1994
                                                                                                  • /usr/bin/oracle
                                                                                                    /usr/bin/oracle
                                                                                                    3⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Reads runtime system information
                                                                                                    • Writes file to tmp directory
                                                                                                    PID:1995
                                                                                                • /bin/sh
                                                                                                  sh -c "insmod /usr/lib/xpacket.ko"
                                                                                                  2⤵
                                                                                                    PID:1997
                                                                                                    • /usr/sbin/insmod
                                                                                                      insmod /usr/lib/xpacket.ko
                                                                                                      3⤵
                                                                                                      • Reads runtime system information
                                                                                                      PID:1998

                                                                                                Network

                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                Replay Monitor

                                                                                                Loading Replay Monitor...

                                                                                                Downloads

                                                                                                • /etc/init.d/VsystemsshMmt

                                                                                                  Filesize

                                                                                                  86B

                                                                                                  MD5

                                                                                                  94441f26a96fed150c54c0730980e833

                                                                                                  SHA1

                                                                                                  fd7c55a6d22e821e8d16f3ff7071e5543eb952af

                                                                                                  SHA256

                                                                                                  94806a3bb573a02242cbcc3a39def2f453d13d4cd5ff2e70182e1e7274fcf19a

                                                                                                  SHA512

                                                                                                  a2d8c41534d13ce651bdf56d25216eee11f045fcc4c12906b29cb259152750d598171fa9051eb52c629e1742bf5366b915d94c9b05ce11679112e9e8ae9e6c64

                                                                                                • /etc/init.d/selinux

                                                                                                  Filesize

                                                                                                  36B

                                                                                                  MD5

                                                                                                  57cde9c165195cfb90c212057795ed49

                                                                                                  SHA1

                                                                                                  d77d9895306eb09ad9b54588fb7998c79c671563

                                                                                                  SHA256

                                                                                                  3e3488e9c63dfadffd594301e2192418b158238bfb8f83d6702123d72892cf36

                                                                                                  SHA512

                                                                                                  de9af53a508167cbbb820a99c2742918ec5b8c83877b77e43e4b441019311685647f47fb4666ba53ecef4e6a2d5514eb67981d471ddf173b04848609b3c0c00d

                                                                                                • /tmp/Dest.cfg

                                                                                                  Filesize

                                                                                                  4B

                                                                                                  MD5

                                                                                                  e60e81c4cbe5171cd654662d9887aec2

                                                                                                  SHA1

                                                                                                  87496e984d6e0cc5d47f38cf3076e21af2bd4815

                                                                                                  SHA256

                                                                                                  70c023a77b3abc66277f31588f4f38c720a1217ba41a7cf799950027020223cf

                                                                                                  SHA512

                                                                                                  fb44bc7cb45d81d6c6e709e6dabe2ed4a92ca50fff2e3f9ffa28e3ceb09baee4915316edc5bec81e319d620c1ed99e0b11c51aef557c676a1929e1624ff94970

                                                                                                • /tmp/notify.file

                                                                                                  Filesize

                                                                                                  73B

                                                                                                  MD5

                                                                                                  fbd31737dca441cd054904845fe35f96

                                                                                                  SHA1

                                                                                                  37d9a9392ceb7d28bf399491e3d08701b44bbb85

                                                                                                  SHA256

                                                                                                  a5d433d18ca0be1eda233343ce1b7864e8c0fb8560e592047663bbea9c52948a

                                                                                                  SHA512

                                                                                                  2f3ff8f59b15c4dbb939749fbe585a78ab7fa69addbf28d561815c692c36ec51b70e46e3393d02cebc48ac40098fac25f2a6c81f763c684ce4863efae813381b

                                                                                                • /usr/bin/bsd-port/recei

                                                                                                  Filesize

                                                                                                  1.1MB

                                                                                                  MD5

                                                                                                  f57f99f56834d73211bac97f4ec2dc5c

                                                                                                  SHA1

                                                                                                  314fff2c301fb120ce100e812e3ef4b31580551d

                                                                                                  SHA256

                                                                                                  a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60

                                                                                                  SHA512

                                                                                                  c2785a0b3231ccd5c217f6ec38aa8ca3ece2cc3a3364a3271582ba49cf9ac8a5dfd163765c6284ba72c9bd4e711cc059ba328e6a7ad0b1adeb7e85447b9350a8

                                                                                                • /usr/bin/dpkgd/lsof

                                                                                                  Filesize

                                                                                                  171KB

                                                                                                  MD5

                                                                                                  061386937ec7acf924438a2643a32be0

                                                                                                  SHA1

                                                                                                  01a044b9e58839bea3e58c66cb32acc16241bf91

                                                                                                  SHA256

                                                                                                  8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

                                                                                                  SHA512

                                                                                                  2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

                                                                                                • /usr/bin/dpkgd/ps

                                                                                                  Filesize

                                                                                                  134KB

                                                                                                  MD5

                                                                                                  d194576b899af45b1d2a448612ec21e5

                                                                                                  SHA1

                                                                                                  492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

                                                                                                  SHA256

                                                                                                  a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

                                                                                                  SHA512

                                                                                                  b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539