mrblack | ca22002822b27562971b1b12bfd61f2f670554ebdb0907270fda4a65f7fd2eed

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
01-08-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
Size

1.2MB
MD5

80d0cac0cd6be8010819fdcd7ac4af46
SHA1

adb2208a2016c6686c52d440f518098b4cbe3846
SHA256

ca22002822b27562971b1b12bfd61f2f670554ebdb0907270fda4a65f7fd2eed
SHA512

d0f1da32dd1f70ce3f918230c39c3d7a6210998f0a3ea0262805611156e3d37e8af237d14e3bf19eba0d7ea5b154621880fe3eadaea87bfc6e6337c6a5294a48
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWeX4y2y1q2rJp0:745vRVJKGtSA0VWeoBu9p0

Score

10^/10

mrblack antivm botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1603	getty
/usr/bin/.sshd	1677	.sshd

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/DbSecuritySpt	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty.lock	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.sshd	cp

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/dev	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/meminfo	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	.sshd
File opened for reading	/proc/stat	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/moni.lod	.sshd
File opened for modification	/tmp/notify.file	.sshd
File opened for modification	/tmp/gates.lod	.sshd
File opened for modification	/tmp/moni.lod	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
File opened for modification	/tmp/bill.lock	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
File opened for modification	/tmp/gates.lod	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
File opened for modification	/tmp/notify.file	80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118

/tmp/80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
/tmp/80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1573
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1585
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1586
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1587
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1588
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1589
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1590
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1591
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1592
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1593
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1594
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1595
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1596
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1597
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1598
- /bin/sh
  sh -c "cp -f /tmp/80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1599
- - /usr/bin/cp
    cp -f /tmp/80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1600
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1602
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    PID:1603
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1614
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1615
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1616
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1617
- /bin/sh
  sh -c "cp -f /tmp/80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118 /usr/bin/.sshd"
  2⤵
  PID:1618
- - /usr/bin/cp
    cp -f /tmp/80d0cac0cd6be8010819fdcd7ac4af46_JaffaCakes118 /usr/bin/.sshd
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1619
- /bin/sh
  sh -c /usr/bin/.sshd
  2⤵
  PID:1676
- - /usr/bin/.sshd
    /usr/bin/.sshd
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1677
- /bin/sh
  sh -c "insmod /tmp/xpacket.ko"
  2⤵
  PID:1680
- - /usr/sbin/insmod
    insmod /tmp/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1681

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
b91749bd06daa887ecb234c911815770

SHA1
81dfe6b6f25b6ace7e2c1badf041ce213cfeab53

SHA256
a1a99cff84d78513daff9503f3e456d2a92434ea6398892028ce45f2e4d50664

SHA512
0284e8b5cf72390e4c064f5f39b2ce226ec7cbcd4aacb35cc51e41d434e4f9f70ddc353bedecb15b02fb30c4d9572f4da028407b43e5f7a8b15323578fb51d95

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
0d4f4805c36dc6853edfa4c7e1638b48

SHA1
0dd8e2fe2969e0722430655502c0c0607a5b30be

SHA256
ef4cf73add6b6f476ece3477b6235878bc8a0de65fe7f561200ebac7f18db18a

SHA512
d0db9c1410d20e92c528bcc5d9973cec935bc4b87940bc8d15e100849034156c6670c60e3faa71c633ad03bf1c490550330ecbb336a2139d8cbcf99f00588b54

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
2cb6b10338a7fc4117a80da24b582060

SHA1
504db50882d21b88a1d62f72f7ea7ccab9c77799

SHA256
18bed1232c7d6375b760860a0c1904bf560a92b8cec0965fda4c244bb5c55e49

SHA512
8e5afcf51b32ffd2a6b922356223fe7902af68d2e137bec6ed56c95d240fd6f3f298fbeb14020891291c7250d156c5a55269e56250446c75957179f3e0a89a77

Download Submit
/tmp/notify.file

Filesize
51B

MD5
2ff4cc8a325a9fc4f878a60d077d7722

SHA1
2bbd77bf94d682ebfc279a4b7255fbe5df070da3

SHA256
e0e6415236f93c0bcd38e86f4237c68b88b4ef232707846f75012cbce7f955da

SHA512
7a883be6c374fa7a82c384d6f491a64eac429016aade07559cf5a49240646595bf0a0997acd84d68f8e807f246acb4833ab6f4b453e98f58f9b80a5b97d22117

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.2MB

MD5
80d0cac0cd6be8010819fdcd7ac4af46

SHA1
adb2208a2016c6686c52d440f518098b4cbe3846

SHA256
ca22002822b27562971b1b12bfd61f2f670554ebdb0907270fda4a65f7fd2eed

SHA512
d0f1da32dd1f70ce3f918230c39c3d7a6210998f0a3ea0262805611156e3d37e8af237d14e3bf19eba0d7ea5b154621880fe3eadaea87bfc6e6337c6a5294a48

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads