mrblack | 9d0e5980097d18b384ccac755e546e789337be8512693ae2bbda017447974f70

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
09-09-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
Size

1.1MB
MD5

d5e40f3e2d31e6c6c00d715a028db5bf
SHA1

3ba1bf5b985ab75bbfcd4c36ba3b4f34da2c4179
SHA256

9d0e5980097d18b384ccac755e546e789337be8512693ae2bbda017447974f70
SHA512

660ddf2da470991da7443c284c9fe9087f3913308a3e511429c463a1a0f12bc43b661d52456fdba2695ea3498ac8d18f4bf33285d0b55bd7243b217fe1c69245
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaqI+gIGYuuCol7r:4vREKfPqVE5jKsfaqRHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1633	chmod
1639	sh
1640	chmod
1646	sh
1647	chmod
1622	sh
1623	chmod
1632	sh

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/knerl	1590	knerl
/usr/bin/.sshd	1610	.sshd

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/QsystemsshMmt	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for modification	/etc/init.d/selinux	knerl

Write file to user bin folder 9 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/udevd.conf	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/knerl	cp
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/knerl.conf	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/knerl.conf	knerl

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/ps	cp
File opened for modification	/bin/lsof	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for reading	/proc/cpuinfo	knerl

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/dev	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for reading	/proc/net/dev	knerl

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for reading	/proc/meminfo	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	knerl
File opened for reading	/proc/sys/kernel/version	knerl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	.sshd
File opened for reading	/proc/meminfo	knerl
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Dest.cfg	.sshd
File opened for modification	/tmp/appq.log	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for modification	/tmp/appq.conf	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for modification	/tmp/Dest.cfg	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for modification	/tmp/notify.file	d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
File opened for modification	/tmp/appq.log	.sshd
File opened for modification	/tmp/notify.file	.sshd

/tmp/d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
/tmp/d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1563
- /bin/sh
  sh -c "ln -s /etc/init.d/QsystemsshMmt /etc/rc1.d/S97QsystemsshMmt"
  2⤵
  PID:1574
- - /usr/bin/ln
    ln -s /etc/init.d/QsystemsshMmt /etc/rc1.d/S97QsystemsshMmt
    3⤵
    PID:1575
- /bin/sh
  sh -c "ln -s /etc/init.d/QsystemsshMmt /etc/rc2.d/S97QsystemsshMmt"
  2⤵
  PID:1576
- - /usr/bin/ln
    ln -s /etc/init.d/QsystemsshMmt /etc/rc2.d/S97QsystemsshMmt
    3⤵
    PID:1577
- /bin/sh
  sh -c "ln -s /etc/init.d/QsystemsshMmt /etc/rc3.d/S97QsystemsshMmt"
  2⤵
  PID:1578
- - /usr/bin/ln
    ln -s /etc/init.d/QsystemsshMmt /etc/rc3.d/S97QsystemsshMmt
    3⤵
    PID:1579
- /bin/sh
  sh -c "ln -s /etc/init.d/QsystemsshMmt /etc/rc4.d/S97QsystemsshMmt"
  2⤵
  PID:1580
- - /usr/bin/ln
    ln -s /etc/init.d/QsystemsshMmt /etc/rc4.d/S97QsystemsshMmt
    3⤵
    PID:1581
- /bin/sh
  sh -c "ln -s /etc/init.d/QsystemsshMmt /etc/rc5.d/S97QsystemsshMmt"
  2⤵
  PID:1582
- - /usr/bin/ln
    ln -s /etc/init.d/QsystemsshMmt /etc/rc5.d/S97QsystemsshMmt
    3⤵
    PID:1583
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1584
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1585
- /bin/sh
  sh -c "cp -f /tmp/d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118 /usr/bin/bsd-port/knerl"
  2⤵
  PID:1586
- - /usr/bin/cp
    cp -f /tmp/d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118 /usr/bin/bsd-port/knerl
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1587
- /bin/sh
  sh -c /usr/bin/bsd-port/knerl
  2⤵
  PID:1589
- - /usr/bin/bsd-port/knerl
    /usr/bin/bsd-port/knerl
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1590
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1596
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1597
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1598
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1599
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1600
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1601
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1602
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1603
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1604
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1605
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1606
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1607
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1614
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1615
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1618
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1619
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"
      4⤵
      PID:1620
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1621
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1622
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1623
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1625
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1626
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1627
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1628
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"
      4⤵
      PID:1629
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1630
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1632
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1633
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1634
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1635
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"
      4⤵
      PID:1636
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1637
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1639
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1640
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1641
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1642
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"
      4⤵
      PID:1643
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1645
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1646
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1647
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1648
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1649
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1592
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1593
- /bin/sh
  sh -c "cp -f /tmp/d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118 /usr/bin/.sshd"
  2⤵
  PID:1594
- - /usr/bin/cp
    cp -f /tmp/d5e40f3e2d31e6c6c00d715a028db5bf_JaffaCakes118 /usr/bin/.sshd
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1595
- /bin/sh
  sh -c /usr/bin/.sshd
  2⤵
  PID:1609
- - /usr/bin/.sshd
    /usr/bin/.sshd
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1610
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1612
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1613

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/QsystemsshMmt

Filesize
64B

MD5
b8ac25970e0fe7bd61609c35c80865cb

SHA1
f90efc6bec05c89945feddcf38c9b09d12c5bbf4

SHA256
64ddcc8638ead53cc1ee944da1fa4dd566fb993e4351d19e9b293923396c7035

SHA512
885d61b320c56dbbbf9baac084d112b794f7ca9cf2e500c3e0abf378b92308cbcd62dbb090cad13666b31e7d41718c83a8adf9c1184512678bd31d4dfee74bbd

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
caa27b819c9303446f702929874a00e8

SHA1
d24199c0e376edea3f822b215148cc0dc78364bf

SHA256
da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b

SHA512
dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

Download Submit
/tmp/Dest.cfg

Filesize
4B

MD5
facf9f743b083008a894eee7baa16469

SHA1
fe286d02f80118de47f2226c2fce9f7be0bc04f0

SHA256
2163909115c0f6f1e638bd2c2279387cbe37cc327150a7b5cddfde3d1cd4ef0e

SHA512
7bd3d1d347d68f23d612a3ec7a1d2f4094874162441bae20122876ea980bbb76a3c46d5d2e393975ea0659fb2b58046a311d7660f226482a57a74e9ffd9b0f36

Download Submit
/tmp/notify.file

Filesize
51B

MD5
2daefadd00bf576ee013edfd2ef7406e

SHA1
5cc2f89760627053d4202c2014c19fad5c37074c

SHA256
4a917b21a442c6e2c04cb7f5407f7e24f1ec806590eabee975f9e3cde990623e

SHA512
f357b353bd9b418aa23e1e5a1184c2728b47db51f9cecf8a07d166a5db00b870384fb7adf1f47d50c773c9862f4169aa7e27131c26008aecae39c6941e7e4b77

Download Submit
/usr/bin/bsd-port/knerl

Filesize
1.1MB

MD5
d5e40f3e2d31e6c6c00d715a028db5bf

SHA1
3ba1bf5b985ab75bbfcd4c36ba3b4f34da2c4179

SHA256
9d0e5980097d18b384ccac755e546e789337be8512693ae2bbda017447974f70

SHA512
660ddf2da470991da7443c284c9fe9087f3913308a3e511429c463a1a0f12bc43b661d52456fdba2695ea3498ac8d18f4bf33285d0b55bd7243b217fe1c69245

Download Submit
/usr/bin/dpkgd/lsof

Filesize
163KB

MD5
ab57b66cc531ae0f996963223e632b60

SHA1
bf7e5becd33f21c2539f5a75ffa0ab61c49c8795

SHA256
2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df

SHA512
908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

Download Submit
/usr/bin/dpkgd/ps

Filesize
138KB

MD5
8146139c2ad7e550b1d1f49480997446

SHA1
074db8890c3227bd8a588417f5b9bde637bcf3af

SHA256
207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f

SHA512
b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads