mrblack | eeca533a472175b80747c836cb1dde26633102f72aa6245265f330c6a611894d

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
01-08-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
Size

1.2MB
MD5

8015d5a208ee25ee41d5bf17ab195ce5
SHA1

98b9759845f154baafd0ceb649c51666a8e6973e
SHA256

eeca533a472175b80747c836cb1dde26633102f72aa6245265f330c6a611894d
SHA512

698be70b3cb9afef2243461ce65cc5d3e4ab6ca8642a602b90d0a9ce518ea39508389778bb1e48050ebe58ce5efbbe185cb47aab8f57ca853ea7135d21b838b0
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWeX472y1q2rJp0:745vRVJKGtSA0VWeoKu9p0

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1592	getty
/usr/bin/.sshd	1666	.sshd

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/DbSecuritySpt	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty.lock	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.sshd	cp

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/dev	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	.sshd
File opened for reading	/proc/stat	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
File opened for reading	/proc/meminfo	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/gates.lod	.sshd
File opened for modification	/tmp/moni.lod	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
File opened for modification	/tmp/bill.lock	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
File opened for modification	/tmp/gates.lod	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
File opened for modification	/tmp/notify.file	8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
File opened for modification	/tmp/moni.lod	.sshd
File opened for modification	/tmp/notify.file	.sshd

/tmp/8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
/tmp/8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1563
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1574
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1575
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1576
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1577
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1578
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1579
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1580
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1581
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1582
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1583
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1584
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1585
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1586
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1587
- /bin/sh
  sh -c "cp -f /tmp/8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1588
- - /usr/bin/cp
    cp -f /tmp/8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1589
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1591
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    PID:1592
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1602
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1603
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1604
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1605
- /bin/sh
  sh -c "cp -f /tmp/8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118 /usr/bin/.sshd"
  2⤵
  PID:1607
- - /usr/bin/cp
    cp -f /tmp/8015d5a208ee25ee41d5bf17ab195ce5_JaffaCakes118 /usr/bin/.sshd
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1608
- /bin/sh
  sh -c /usr/bin/.sshd
  2⤵
  PID:1665
- - /usr/bin/.sshd
    /usr/bin/.sshd
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1666
- /bin/sh
  sh -c "insmod /tmp/xpacket.ko"
  2⤵
  PID:1669
- - /usr/sbin/insmod
    insmod /tmp/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1670

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
5f759bcc273d31816567b93925d4d552

SHA1
e930e0a161843579f3c13fb265043c51918c993c

SHA256
82eeba2aa5b4a19812ab5813eeacff4404fde869a042a85cdf8ec6f09d871ad9

SHA512
1256186ac7d02626c88430af1a794a64066cd96610569b53adf999a605a79a10477c73ad309bb6631aadabbe36b3b867bd286b777295425b75d3b21b29dc9a43

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
facf9f743b083008a894eee7baa16469

SHA1
fe286d02f80118de47f2226c2fce9f7be0bc04f0

SHA256
2163909115c0f6f1e638bd2c2279387cbe37cc327150a7b5cddfde3d1cd4ef0e

SHA512
7bd3d1d347d68f23d612a3ec7a1d2f4094874162441bae20122876ea980bbb76a3c46d5d2e393975ea0659fb2b58046a311d7660f226482a57a74e9ffd9b0f36

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
158fc2ddd52ec2cf54d3c161f2dd6517

SHA1
a102c5ce73079c1316e4be26ef13be1e437898a4

SHA256
d253d7b7ace4e06589dd90003f047380ddfdcfb29007b4e815caf48ff09b498b

SHA512
e1769805aaad1bd2f4102365a3eb17c708dcada3c9eded48232c850ff8d092da9ed260bcc446200386f56e699110c1b552389a55cffb79f06699215d1a16b370

Download Submit
/tmp/notify.file

Filesize
51B

MD5
26fb711e1eb6e0dc86f4a72cbcf83012

SHA1
822ad3b04f0007870ead8df3777fde637ca7e794

SHA256
f893236005f981d3f7f83c544b7ea62c8e1f482d1e9f7428a3680619c2c457e8

SHA512
8a53df000599623c30ff19ca458884ae7bd48dd1f9fbd862d17981d78e1fdc549d3b481f4a0099353a7cef86e9be1b7b8820c50ab2112e4fad0e4aeb11bfc88f

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.2MB

MD5
8015d5a208ee25ee41d5bf17ab195ce5

SHA1
98b9759845f154baafd0ceb649c51666a8e6973e

SHA256
eeca533a472175b80747c836cb1dde26633102f72aa6245265f330c6a611894d

SHA512
698be70b3cb9afef2243461ce65cc5d3e4ab6ca8642a602b90d0a9ce518ea39508389778bb1e48050ebe58ce5efbbe185cb47aab8f57ca853ea7135d21b838b0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads