mrblack | 59eefbe4e45862763a3cbbc11dcab546d9299c1af083c7687cbb01e95c90c924

General

Target

19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
Size

1.1MB
MD5

19c71e6ffc70783f1c78b2f3da61461f
SHA1

6f3c70ebdb21c50e41c98e6adf15599d576235aa
SHA256

59eefbe4e45862763a3cbbc11dcab546d9299c1af083c7687cbb01e95c90c924
SHA512

df89ebe8ccad1eb35a482090043312d5640b8d7d4e8a2c135d91053db749d1ddc8335f8a5ea340bb9cc9fa0f9e37e00d028a173dcb14c5f7e3f59309263838ad
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfawI+gIGYuuCol7r:4vREKfPqVE5jKsfawRHGVo7r

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
/usr/bin/bsd-port/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118	family_mrblack

Executes dropped EXE 1 IoCs

Processes:

oracle

ioc pid process

/usr/bin/oracle 1538 oracle
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

description ioc process

File opened for modification /etc/init.d/VsystemsshMmt 19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

ioc	pid	process
/usr/bin/oracle	1538	oracle

description	ioc	process
File opened for modification	/etc/init.d/VsystemsshMmt	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

Processes:

19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118cpcp

description	ioc	process
File opened for modification	/usr/bin/bsd-port/.conf	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.conf	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118	cp
File opened for modification	/usr/bin/oracle	cp

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

description ioc process

File opened for reading /proc/cpuinfo 19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

description ioc process

File opened for reading /proc/net/dev 19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

description	ioc	process
File opened for reading	/proc/cpuinfo	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/dev	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

mkdircpmkdircp19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118insmod

description	ioc	process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
File opened for reading	/proc/meminfo	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
File opened for reading	/proc/cmdline	insmod

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118oracle

description	ioc	process
File opened for modification	/tmp/notify.file	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
File opened for modification	/tmp/appd.log	oracle
File opened for modification	/tmp/notify.file	oracle
File opened for modification	/tmp/Dest.cfg	oracle
File opened for modification	/tmp/appd.log	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
File opened for modification	/tmp/appd.conf	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
File opened for modification	/tmp/Dest.cfg	19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

/tmp/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
/tmp/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1510

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt"
2⤵
PID:1515

/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt
3⤵
PID:1516

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt"
2⤵
PID:1517

/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt
3⤵
PID:1518

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt"
2⤵
PID:1519

/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt
3⤵
PID:1520

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt"
2⤵
PID:1521

/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt
3⤵
PID:1522

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt"
2⤵
PID:1523

/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt
3⤵
PID:1524

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
2⤵
PID:1525

/bin/mkdir
mkdir -p /usr/bin/bsd-port
3⤵
- Reads runtime system information
PID:1526

/bin/sh
sh -c "cp -f /tmp/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118 /usr/bin/bsd-port/"
2⤵
PID:1527

/bin/cp
cp -f /tmp/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118 /usr/bin/bsd-port/
3⤵
- Write file to user bin folder
- Reads runtime system information
PID:1528

/bin/sh
sh -c /usr/bin/bsd-port/
2⤵
PID:1530

/usr/bin/bsd-port
/usr/bin/bsd-port/
3⤵
PID:1531

/bin/sh
sh -c "mkdir -p /usr/bin"
2⤵
PID:1532

/bin/mkdir
mkdir -p /usr/bin
3⤵
- Reads runtime system information
PID:1533

/bin/sh
sh -c "cp -f /tmp/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118 /usr/bin/oracle"
2⤵
PID:1534

/bin/cp
cp -f /tmp/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118 /usr/bin/oracle
3⤵
- Write file to user bin folder
- Reads runtime system information
PID:1535

/bin/sh
sh -c /usr/bin/oracle
2⤵
PID:1537

/usr/bin/oracle
/usr/bin/oracle
3⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:1538

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
2⤵
PID:1540

/sbin/insmod
insmod /usr/lib/xpacket.ko
3⤵
- Reads runtime system information
PID:1541

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

1

T1574

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

1

T1574

Defense Evasion

Hijack Execution Flow

1

T1574

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/VsystemsshMmt

Filesize
64B

MD5
3425cd7d9e18114dbcbb34352168231b

SHA1
f8fc0786c6dbc8e9cd9f0daa88fb71a98b85860c

SHA256
d17ac88d905b768ef6b6fa75aa72245bb20e2849634a245570634efdc24b6f99

SHA512
f15003cad8e65f66bf8a5013d340e5abf5474b4fa697fd62de265c64bb668b3414a1fcf303b00f642900f00bf15c8d250a709f932716f7572402b00dd5d41e45

Download Submit
/tmp/Dest.cfg

Filesize
4B

MD5
ebb71045453f38676c40deb9864f811d

SHA1
810bd2adca8109e71a0fa4995bb7a965fd8d905a

SHA256
0d0c9bc37ae955b26c8bfecc22fcd072c4ea5ce95947a5051b5ed7399bff4f2e

SHA512
3a3fc2e1174cf6fa5acf3b1d706c3f21b85915b8f7bc2bae7c5ca6ceb86fc5377e33ff347264e1dd620fcba5fec174ae4b8793e7a9aaaf2b0ec06d85e077efdf

Download Submit
/tmp/notify.file

Filesize
51B

MD5
ebadefd1036b8e393b663588023cb41a

SHA1
7c828a54e316f6d24b14ed5deadf4289b16975b9

SHA256
2e0db741419fefc607fef77d2d64eb8343d9d59ec90822ca4c8667a64309531a

SHA512
3fb22ff594e6154f79d1f6e4e4d9a3eab1debbf43f8f636d5c14b6dfa0b5359984bc22fc64c66768f8558e05edc88b102b71a859b38582bfa8bd0a2bfe352ee2

Download Submit
/usr/bin/bsd-port/19c71e6ffc70783f1c78b2f3da61461f_JaffaCakes118

Filesize
1.1MB

MD5
19c71e6ffc70783f1c78b2f3da61461f

SHA1
6f3c70ebdb21c50e41c98e6adf15599d576235aa

SHA256
59eefbe4e45862763a3cbbc11dcab546d9299c1af083c7687cbb01e95c90c924

SHA512
df89ebe8ccad1eb35a482090043312d5640b8d7d4e8a2c135d91053db749d1ddc8335f8a5ea340bb9cc9fa0f9e37e00d028a173dcb14c5f7e3f59309263838ad

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads