mrblack | 05191758a35557c1f23e127e9f2a24e4a49e4cc15f92d91c2690ad7680a5c181

Analysis

max time kernel
150s
max time network
149s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
07-09-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d29fc981913105d3ba98af225322aebd_JaffaCakes118
Size

1.1MB
MD5

d29fc981913105d3ba98af225322aebd
SHA1

f115d9ccaf90bbcda643557fe657d3191d90cfdf
SHA256

05191758a35557c1f23e127e9f2a24e4a49e4cc15f92d91c2690ad7680a5c181
SHA512

6121b032f705e9110a11ff3db6597e1c8248e58d0601ac6bac458816b2682c0683d3e7e99754dcfdd90833decf57f5f3ab763ad4500bb01517d03eb030cb69aa
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfatI+gIGYuuCol7r:4vREKfPqVE5jKsfatRHGVo7r

Score

10^/10

mrblack antivm botnet discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
/usr/bin/bsd-port/getty	family_mrblack

Executes dropped EXE 2 IoCs

Processes:

getty.swhd

ioc pid process

/usr/bin/bsd-port/getty 1468 getty
/usr/bin/.swhd 1476 .swhd
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

d29fc981913105d3ba98af225322aebd_JaffaCakes118

description ioc process

File opened for modification /etc/init.d/DbSecuritySpt d29fc981913105d3ba98af225322aebd_JaffaCakes118

ioc	pid	process
/usr/bin/bsd-port/getty	1468	getty
/usr/bin/.swhd	1476	.swhd

description	ioc	process
File opened for modification	/etc/init.d/DbSecuritySpt	d29fc981913105d3ba98af225322aebd_JaffaCakes118

Write file to user bin folder 4 IoCs

persistence

Processes:

d29fc981913105d3ba98af225322aebd_JaffaCakes118cpcp

description	ioc	process
File opened for modification	/usr/bin/bsd-port/getty.lock	d29fc981913105d3ba98af225322aebd_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	d29fc981913105d3ba98af225322aebd_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.swhd	cp

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

d29fc981913105d3ba98af225322aebd_JaffaCakes118

description ioc process

File opened for reading /proc/cpuinfo d29fc981913105d3ba98af225322aebd_JaffaCakes118
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
discovery

Internet Connection Discovery
T1016.001

Processes:

d29fc981913105d3ba98af225322aebd_JaffaCakes118

description ioc process

File opened for reading /proc/net/dev d29fc981913105d3ba98af225322aebd_JaffaCakes118

description	ioc	process
File opened for reading	/proc/cpuinfo	d29fc981913105d3ba98af225322aebd_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/dev	d29fc981913105d3ba98af225322aebd_JaffaCakes118

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

d29fc981913105d3ba98af225322aebd_JaffaCakes118insmodcpgettycp.swhdmkdirmkdir

description	ioc	process
File opened for reading	/proc/meminfo	d29fc981913105d3ba98af225322aebd_JaffaCakes118
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/stat	d29fc981913105d3ba98af225322aebd_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	.swhd
File opened for reading	/proc/sys/kernel/version	d29fc981913105d3ba98af225322aebd_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

d29fc981913105d3ba98af225322aebd_JaffaCakes118.swhd

description	ioc	process
File opened for modification	/tmp/notify.file	d29fc981913105d3ba98af225322aebd_JaffaCakes118
File opened for modification	/tmp/moni.lock	.swhd
File opened for modification	/tmp/notify.file	.swhd
File opened for modification	/tmp/gates.lock	.swhd
File opened for modification	/tmp/moni.lock	d29fc981913105d3ba98af225322aebd_JaffaCakes118
File opened for modification	/tmp/bill.lock	d29fc981913105d3ba98af225322aebd_JaffaCakes118
File opened for modification	/tmp/gates.lock	d29fc981913105d3ba98af225322aebd_JaffaCakes118

/tmp/d29fc981913105d3ba98af225322aebd_JaffaCakes118
/tmp/d29fc981913105d3ba98af225322aebd_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1405
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1452
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1453
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1454
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1455
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1456
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1457
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1458
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1459
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1460
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1461
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1462
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1463
- /bin/sh
  sh -c "cp -f /tmp/d29fc981913105d3ba98af225322aebd_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1464
- - /usr/bin/cp
    cp -f /tmp/d29fc981913105d3ba98af225322aebd_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1465
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1467
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    PID:1468
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1470
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1471
- /bin/sh
  sh -c "cp -f /tmp/d29fc981913105d3ba98af225322aebd_JaffaCakes118 /usr/bin/.swhd"
  2⤵
  PID:1472
- - /usr/bin/cp
    cp -f /tmp/d29fc981913105d3ba98af225322aebd_JaffaCakes118 /usr/bin/.swhd
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1473
- /bin/sh
  sh -c /usr/bin/.swhd
  2⤵
  PID:1475
- - /usr/bin/.swhd
    /usr/bin/.swhd
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1476
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1479
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1481

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
4883d8ae357cfe46687d4363989724ff

SHA1
fe0862f2a097505c21d0edb3dad9d1a883a9c6f7

SHA256
c3c917da349e14f9d48dcee837664200ad546c79d57272eb0c7cc599469c1200

SHA512
b3b721ed5f17d9f9457ed43224009a1531a7fef4be093d017df8650e935c7589932677a7e43d9e87b817e283a56ec08dbdf2aa1be33409fa1a383a28fc1115b3

Download Submit
/tmp/gates.lock

Filesize
4B

MD5
b7087c1f4f89e63af8d46f3b20271153

SHA1
21ff0c98f5fd5754371c16c4cc6ac33571e2735c

SHA256
1326c6c44cc5e89cc510c9d2a17dd02c9105a377df60cf64d953c1eb4b06b00d

SHA512
7cb4c294b3fe885308f24e76b1e03a26a7f1699154b38f742964d8d4f890a2d2f03f0c021288545fb1b2312291eac71e3f2f9a6224162392d6ff597236782de9

Download Submit
/tmp/moni.lock

Filesize
4B

MD5
78b9cab19959e4af8ff46156ee460c74

SHA1
7c8d848f32fa1c53815556ee08aa8ee5994c5a51

SHA256
e5ce886c0b0869006dc9a2da28fcd4f1f291f4a90835b75edb74587b66e5acc9

SHA512
adf7e3718491f26a2853ea8e397727be1f0cb8abcae556f9e2acfeab0ccfdef721614361a09c84d9cfbcea9533d1d6a93be3f870611a13d8e0cbf9ca192e2987

Download Submit
/tmp/notify.file

Filesize
51B

MD5
f5322422f18e44d82937ec88af46c88a

SHA1
8b378f820e6cb4aa3d0a0ec404b4ee6b10e4cd4c

SHA256
4104926210e9c54053c3893e06cc9bd6df4166618a50610eec1cb167d35eb7e4

SHA512
24459f8978b0a8a869593865739cf5abee7a31f41b61e26ca760ed53a7c7ab5f4641e12719253656ee383600ce13409f14798eacc1e2bc37d05945c898c41123

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.1MB

MD5
d29fc981913105d3ba98af225322aebd

SHA1
f115d9ccaf90bbcda643557fe657d3191d90cfdf

SHA256
05191758a35557c1f23e127e9f2a24e4a49e4cc15f92d91c2690ad7680a5c181

SHA512
6121b032f705e9110a11ff3db6597e1c8248e58d0601ac6bac458816b2682c0683d3e7e99754dcfdd90833decf57f5f3ab763ad4500bb01517d03eb030cb69aa

Download Submit