mrblack | 856452857b500cca80879789377b60a6721cfe065f1f254a929d06f731eccca0

Analysis

max time kernel
149s
max time network
152s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
09-09-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
Size

1.2MB
MD5

d6e5833b5fd732ac2ba017b1a6d34d77
SHA1

77a31f0c1fdc7548c20e034c1761515a47a56a79
SHA256

856452857b500cca80879789377b60a6721cfe065f1f254a929d06f731eccca0
SHA512

1109c33635df4c76b3f56cad57fabfd5994d63e88f69533afe1aaa61d80a568dcdcfddda9cf0e763280427cadddaf2bc62d42162d0bcc2c7ba2a5cf1f4cfcf8a
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWIX4h2y1q2rJp0:745vRVJKGtSA0VWIo4u9p0

Score

10^/10

mrblack antivm botnet discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
/usr/bin/bsd-port/getty	family_mrblack

Executes dropped EXE 2 IoCs

Processes:

getty.sshd

ioc pid process

/usr/bin/bsd-port/getty 1613 getty
/usr/bin/.sshd 1687 .sshd
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

description ioc process

File opened for modification /etc/init.d/DbSecuritySpt d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
discovery

Internet Connection Discovery
T1016.001

Processes:

d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

description ioc process

File opened for reading /proc/net/route d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

ioc	pid	process
/usr/bin/bsd-port/getty	1613	getty
/usr/bin/.sshd	1687	.sshd

description	ioc	process
File opened for modification	/etc/init.d/DbSecuritySpt	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/route	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

Write file to user bin folder 4 IoCs

persistence

Processes:

d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118cpcp

description	ioc	process
File opened for modification	/usr/bin/bsd-port/getty.lock	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.sshd	cp

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

description ioc process

File opened for reading /proc/cpuinfo d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

description	ioc	process
File opened for reading	/proc/cpuinfo	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/dev	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for reading	/proc/net/route	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for reading	/proc/net/arp	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

mkdircpmkdircpinsmodd6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118mkdirgettymkdir.sshd

description	ioc	process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/meminfo	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for reading	/proc/sys/kernel/version	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	.sshd
File opened for reading	/proc/stat	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

.sshdd6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

description	ioc	process
File opened for modification	/tmp/moni.lod	.sshd
File opened for modification	/tmp/notify.file	.sshd
File opened for modification	/tmp/conf.n	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for modification	/tmp/gates.lod	.sshd
File opened for modification	/tmp/moni.lod	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for modification	/tmp/bill.lock	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for modification	/tmp/gates.lod	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
File opened for modification	/tmp/notify.file	d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118

/tmp/d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
/tmp/d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1569
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1595
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1596
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1597
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1598
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1599
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1600
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1601
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1602
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1603
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1604
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1605
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1606
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1607
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1608
- /bin/sh
  sh -c "cp -f /tmp/d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1609
- - /usr/bin/cp
    cp -f /tmp/d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1610
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1612
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    PID:1613
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1624
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1625
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1626
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1627
- /bin/sh
  sh -c "cp -f /tmp/d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118 /usr/bin/.sshd"
  2⤵
  PID:1628
- - /usr/bin/cp
    cp -f /tmp/d6e5833b5fd732ac2ba017b1a6d34d77_JaffaCakes118 /usr/bin/.sshd
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1629
- /bin/sh
  sh -c /usr/bin/.sshd
  2⤵
  PID:1686
- - /usr/bin/.sshd
    /usr/bin/.sshd
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1687
- /bin/sh
  sh -c "insmod /tmp/xpacket.ko"
  2⤵
  PID:1690
- - /usr/sbin/insmod
    insmod /tmp/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1691

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
14c3ec21a39436b9cb1117d70333ba48

SHA1
b06e7964be6c0553be6380df57546c90968c7ffd

SHA256
84cb6f001eb8ff9553bcf9d1ed476a908fa6ad13539c8dfa541a1453571d0cdc

SHA512
0c3f46b6a4054fa27ec306865df0dde3a1b21736d8fc67d7ce9043a2a89f3b02ea9a98077855d0fd3022ece678bf82d8764f4fbe9dd4094b3cfe8e4af20fed9d

Download Submit
/tmp/conf.n

Filesize
73B

MD5
8dd6beb4a02b7ac3e6b7c7f81d7e1dcc

SHA1
65e9a38b3be8da33ccf6895f2c1d460cd14932aa

SHA256
1a00d1a79f0fbbca4a6956fe4c648f4c31fed8488c29930aab9c89d4ee7cde8b

SHA512
fb5fcc80271146cf3fd882767865278a14c245859139d0fa578475a81b3ed5f4957a395bc731a8eeebbc84df593171ad2ea27f9a374f050be862691eb3433d9c

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
7949e456002b28988d38185bd30e77fd

SHA1
8eac9d03673ad3fa86c1c815275470ec81580e0a

SHA256
3a481e728390d89c6843c180dc18ca8d693de5f5421e6240711c5dad483c72b3

SHA512
86ffa374c2572cf61c670ec5469b80a9f71db097a87e45393aac98ac96a1c019325f360ccbaa6509acd366045c871b0e2ce76503942603228cf87b5c18105586

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
ae614c557843b1df326cb29c57225459

SHA1
8b89a87165fe948dadea6360f33a38d217f3d244

SHA256
2ed927e972728bc356c12808c31656d17ce6a4afded459165923d4b5c25ffd4f

SHA512
e345e3b75acec87f1f95f935d68bcdf62515e62752ad98a84f465f2fa5b90c2b0715e5d33ddb7a4d5107357118ebdc10234f49f5fcab28f9f424e50aa2f43e68

Download Submit
/tmp/notify.file

Filesize
51B

MD5
b1b6d8ffff5a3b1e9f4b86350e945d32

SHA1
50aa2656fcab57c08e8ad2fce99ae52c7bcec640

SHA256
b47b09cfd2630d2e713fa32ea096e64b7c130762c098d1efd77f33f70457fb8d

SHA512
dea2a5847f995dcdd3b19bb33db9e75a985c7453f8a7df7d9ec6c69a97606371489ca5043f633a241be0f3eb37422ee2dce99c75560ab12b265ac1763f7e8d5f

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.2MB

MD5
d6e5833b5fd732ac2ba017b1a6d34d77

SHA1
77a31f0c1fdc7548c20e034c1761515a47a56a79

SHA256
856452857b500cca80879789377b60a6721cfe065f1f254a929d06f731eccca0

SHA512
1109c33635df4c76b3f56cad57fabfd5994d63e88f69533afe1aaa61d80a568dcdcfddda9cf0e763280427cadddaf2bc62d42162d0bcc2c7ba2a5cf1f4cfcf8a

Download Submit