Analysis

max time kernel:   149s
max time network:  148s
platform:          ubuntu-20.04_amd64
resource:          ubuntu2004-amd64-20240418-en
resource tags:     arch:amd64, arch:i386, image:ubuntu2004-amd64-20240418-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted:         06-05-2024 02:01
Behavioral task: behavioral1
Sample:   a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
Resource: ubuntu2004-amd64-20240418-en
General

Target:  a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
Size:    1.1MB
MD5:     f57f99f56834d73211bac97f4ec2dc5c
SHA1:    314fff2c301fb120ce100e812e3ef4b31580551d
SHA256:  a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60
SHA512:  c2785a0b3231ccd5c217f6ec38aa8ca3ece2cc3a3364a3271582ba49cf9ac8a5dfd163765c6284ba72c9bd4e711cc059ba328e6a7ad0b1adeb7e85447b9350a8
SSDEEP:  24576:4vRE7caCfKGPqVEDNLFxKsfa1I+gIGYuuCol7r:4vREKfPqVE5jKsfa1RHGVo7r
Malware Config
Signatures

MrBlack trojan (1 IoC)
Processes:
  resource                | yara_rule
  /usr/bin/bsd-port/recei | family_mrblack

Executes dropped EXE (2 IoCs)
Processes:
  ioc                     | pid  | process
  /usr/bin/bsd-port/recei | 1931 | recei
  /usr/bin/oracle         | 1995 | oracle

Modifies init.d (2 IoCs)
Processes:
  description                  | ioc                        | process
  File opened for modification | /etc/init.d/selinux        | recei
  File opened for modification | /etc/init.d/VsystemsshMmt  | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

Reads system routing table (1 TTP, 1 IoC)
Gets active network interfaces from the /proc virtual filesystem.
Processes:
  description              | ioc              | process
  File opened for reading  | /proc/net/route  | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

Write file to user bin folder (1 TTP, 9 IoCs)
Processes:
  description                  | ioc                            | process
  File opened for modification | /usr/bin/dpkgd/ps              | cp
  File opened for modification | /usr/bin/lsof                  | cp
  File opened for modification | /usr/bin/bsd-port/udevd.conf   | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for modification | /usr/bin/dpkgd/lsof            | cp
  File opened for modification | /usr/bin/bsd-port/recei.conf   | recei
  File opened for modification | /usr/bin/oracle                | cp
  File opened for modification | /usr/bin/ps                    | cp
  File opened for modification | /usr/bin/bsd-port/recei.conf   | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for modification | /usr/bin/bsd-port/recei        | cp

Writes file to system bin folder (1 TTP, 2 IoCs)
Processes:
  description                  | ioc        | process
  File opened for modification | /bin/lsof  | cp
  File opened for modification | /bin/ps    | cp

Checks CPU configuration (1 TTP, 2 IoCs)
Checks CPU information, which indicates whether the system is a virtual machine.
Processes:
  description              | ioc            | process
  File opened for reading  | /proc/cpuinfo  | recei
  File opened for reading  | /proc/cpuinfo  | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

Reads system network configuration (1 TTP, 4 IoCs)
Uses the contents of the /proc filesystem to enumerate network settings.
Processes:
  description              | ioc              | process
  File opened for reading  | /proc/net/dev    | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for reading  | /proc/net/route  | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for reading  | /proc/net/arp    | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for reading  | /proc/net/dev    | recei

Reads runtime system information (24 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
  description              | ioc                        | process
  File opened for reading  | /proc/sys/kernel/version   | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for reading  | /proc/filesystems          | cp
  File opened for reading  | /proc/sys/kernel/version   | oracle
  File opened for reading  | /proc/stat                 | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for reading  | /proc/filesystems          | cp
  File opened for reading  | /proc/filesystems          | mkdir
  File opened for reading  | /proc/filesystems          | cp
  File opened for reading  | /proc/meminfo              | recei
  File opened for reading  | /proc/filesystems          | cp
  File opened for reading  | /proc/stat                 | recei
  File opened for reading  | /proc/filesystems          | mkdir
  File opened for reading  | /proc/filesystems          | mkdir
  File opened for reading  | /proc/filesystems          | cp
  File opened for reading  | /proc/filesystems          | cp
  File opened for reading  | /proc/filesystems          | mkdir
  File opened for reading  | /proc/meminfo              | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for reading  | /proc/filesystems          | cp
  File opened for reading  | /proc/cmdline              | insmod
  File opened for reading  | /proc/sys/kernel/version   | recei
  File opened for reading  | /proc/filesystems          | mkdir
  File opened for reading  | /proc/cmdline              | insmod
  File opened for reading  | /proc/filesystems          | mkdir
  File opened for reading  | /proc/filesystems          | mkdir
  File opened for reading  | /proc/filesystems          | cp

Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                  | ioc               | process
  File opened for modification | /tmp/appd.log     | oracle
  File opened for modification | /tmp/notify.file  | oracle
  File opened for modification | /tmp/Dest.cfg     | oracle
  File opened for modification | /tmp/appd.log     | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for modification | /tmp/appd.conf    | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for modification | /tmp/Dest.cfg     | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for modification | /tmp/notify.file  | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  File opened for modification | /tmp/conf.n       | a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
Processes
(each entry is image path (PID): command line, followed by the signatures it triggered; indentation shows parent/child)

/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf (PID 1525): /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
  - Modifies init.d
  - Reads system routing table
  - Write file to user bin folder
  - Checks CPU configuration
  - Reads system network configuration
  - Reads runtime system information
  - Writes file to tmp directory
  /bin/sh (PID 1915): sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt"
    /usr/bin/ln (PID 1916): ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt
  /bin/sh (PID 1917): sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt"
    /usr/bin/ln (PID 1918): ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt
  /bin/sh (PID 1919): sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt"
    /usr/bin/ln (PID 1920): ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt
  /bin/sh (PID 1921): sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt"
    /usr/bin/ln (PID 1922): ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt
  /bin/sh (PID 1923): sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt"
    /usr/bin/ln (PID 1924): ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt
  /bin/sh (PID 1925): sh -c "mkdir -p /usr/bin/bsd-port"
    /usr/bin/mkdir (PID 1926): mkdir -p /usr/bin/bsd-port
      - Reads runtime system information
  /bin/sh (PID 1927): sh -c "cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/bsd-port/recei"
    /usr/bin/cp (PID 1928): cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/bsd-port/recei
      - Write file to user bin folder
      - Reads runtime system information
  /bin/sh (PID 1930): sh -c /usr/bin/bsd-port/recei
    /usr/bin/bsd-port/recei (PID 1931): /usr/bin/bsd-port/recei
      - Executes dropped EXE
      - Modifies init.d
      - Write file to user bin folder
      - Checks CPU configuration
      - Reads system network configuration
      - Reads runtime system information
      /bin/sh (PID 1975): sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
        /usr/bin/ln (PID 1976): ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
      /bin/sh (PID 1977): sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
        /usr/bin/ln (PID 1978): ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
      /bin/sh (PID 1979): sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
        /usr/bin/ln (PID 1980): ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
      /bin/sh (PID 1981): sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
        /usr/bin/ln (PID 1982): ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
      /bin/sh (PID 1983): sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
        /usr/bin/ln (PID 1984): ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
      /bin/sh (PID 1985): sh -c "mkdir -p /usr/bin/dpkgd"
        /usr/bin/mkdir (PID 1986): mkdir -p /usr/bin/dpkgd
          - Reads runtime system information
      /bin/sh (PID 1987): sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
        /usr/bin/cp (PID 1988): cp -f /bin/lsof /usr/bin/dpkgd/lsof
          - Write file to user bin folder
          - Reads runtime system information
      /bin/sh (PID 1989): sh -c "mkdir -p /bin"
        /usr/bin/mkdir (PID 1990): mkdir -p /bin
          - Reads runtime system information
      /bin/sh (PID 1991): sh -c "cp -f /usr/bin/bsd-port/recei /bin/lsof"
        /usr/bin/cp (PID 1992): cp -f /usr/bin/bsd-port/recei /bin/lsof
          - Writes file to system bin folder
          - Reads runtime system information
      /bin/sh (PID 1999): sh -c "chmod 0755 /bin/lsof"
        /usr/bin/chmod (PID 2000): chmod 0755 /bin/lsof
      /bin/sh (PID 2001): sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
        /usr/bin/cp (PID 2002): cp -f /bin/ps /usr/bin/dpkgd/ps
          - Write file to user bin folder
          - Reads runtime system information
      /bin/sh (PID 2005): sh -c "mkdir -p /bin"
        /usr/bin/mkdir (PID 2006): mkdir -p /bin
          - Reads runtime system information
      /bin/sh (PID 2008): sh -c "cp -f /usr/bin/bsd-port/recei /bin/ps"
        /usr/bin/cp (PID 2009): cp -f /usr/bin/bsd-port/recei /bin/ps
          - Writes file to system bin folder
          - Reads runtime system information
      /bin/sh (PID 2012): sh -c "chmod 0755 /bin/ps"
        /usr/bin/chmod (PID 2013): chmod 0755 /bin/ps
      /bin/sh (PID 2014): sh -c "mkdir -p /usr/bin"
        /usr/bin/mkdir (PID 2015): mkdir -p /usr/bin
          - Reads runtime system information
      /bin/sh (PID 2016): sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/lsof"
        /usr/bin/cp (PID 2017): cp -f /usr/bin/bsd-port/recei /usr/bin/lsof
          - Write file to user bin folder
          - Reads runtime system information
      /bin/sh (PID 2019): sh -c "chmod 0755 /usr/bin/lsof"
        /usr/bin/chmod (PID 2020): chmod 0755 /usr/bin/lsof
      /bin/sh (PID 2022): sh -c "mkdir -p /usr/bin"
        /usr/bin/mkdir (PID 2023): mkdir -p /usr/bin
          - Reads runtime system information
      /bin/sh (PID 2024): sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/ps"
        /usr/bin/cp (PID 2025): cp -f /usr/bin/bsd-port/recei /usr/bin/ps
          - Write file to user bin folder
          - Reads runtime system information
      /bin/sh (PID 2026): sh -c "chmod 0755 /usr/bin/ps"
        /usr/bin/chmod (PID 2027): chmod 0755 /usr/bin/ps
      /bin/sh (PID 2028): sh -c "insmod /usr/lib/xpacket.ko"
        /usr/sbin/insmod (PID 2029): insmod /usr/lib/xpacket.ko
          - Reads runtime system information
  /bin/sh (PID 1933): sh -c "mkdir -p /usr/bin"
    /usr/bin/mkdir (PID 1934): mkdir -p /usr/bin
      - Reads runtime system information
  /bin/sh (PID 1935): sh -c "cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/oracle"
    /usr/bin/cp (PID 1936): cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/oracle
      - Write file to user bin folder
      - Reads runtime system information
  /bin/sh (PID 1994): sh -c /usr/bin/oracle
    /usr/bin/oracle (PID 1995): /usr/bin/oracle
      - Executes dropped EXE
      - Reads runtime system information
      - Writes file to tmp directory
  /bin/sh (PID 1997): sh -c "insmod /usr/lib/xpacket.ko"
    /usr/sbin/insmod (PID 1998): insmod /usr/lib/xpacket.ko
      - Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads