mrblack | 8e5946630ea113f1e9caf1e3678fc74d2414ff90b759544b62d3b9be674ffd76

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
10-09-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
Size

1.1MB
MD5

d7799f78f82dc2d31735ac344aa95611
SHA1

41c47481d77860552cf47692f10240838fe6ce50
SHA256

8e5946630ea113f1e9caf1e3678fc74d2414ff90b759544b62d3b9be674ffd76
SHA512

0bf31f30eea64e443bb410b09c0d10a3233c85a16db9aa4769b1c073417f824ce72665171508f35d0aae2533f345944ea1c26bf24e7b035e3492628dde2619eb
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaEI+gIGYuuCol7r:4vREKfPqVE5jKsfaERHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1501	sh
1502	chmod
1481	sh
1482	chmod
1489	sh
1490	chmod
1495	sh
1496	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/knerl	1443	knerl
/usr/bin/pythno	1451	pythno

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/VsystemsshMdt	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for modification	/etc/init.d/selinux	knerl

Write file to user bin folder 9 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/knerl	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/knerl.conf	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.conf	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/knerl.conf	knerl
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for reading	/proc/cpuinfo	knerl

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/dev	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for reading	/proc/net/dev	knerl

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	knerl
File opened for reading	/proc/stat	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for reading	/proc/meminfo	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	pythno
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	knerl
File opened for reading	/proc/sys/kernel/version	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	knerl
File opened for reading	/proc/cmdline	insmod

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/apsh.conf	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for modification	/tmp/vga.conf	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for modification	/tmp/notify.file	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/vga.conf	pythno
File opened for modification	/tmp/idus.log	d7799f78f82dc2d31735ac344aa95611_JaffaCakes118

/tmp/d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
/tmp/d7799f78f82dc2d31735ac344aa95611_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1386
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"
  2⤵
  PID:1427
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
    3⤵
    PID:1428
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"
  2⤵
  PID:1429
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
    3⤵
    PID:1430
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"
  2⤵
  PID:1431
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
    3⤵
    PID:1432
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"
  2⤵
  PID:1433
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
    3⤵
    PID:1434
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"
  2⤵
  PID:1435
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
    3⤵
    PID:1436
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1437
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1438
- /bin/sh
  sh -c "cp -f /tmp/d7799f78f82dc2d31735ac344aa95611_JaffaCakes118 /usr/bin/bsd-port/knerl"
  2⤵
  PID:1439
- - /usr/bin/cp
    cp -f /tmp/d7799f78f82dc2d31735ac344aa95611_JaffaCakes118 /usr/bin/bsd-port/knerl
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1440
- /bin/sh
  sh -c /usr/bin/bsd-port/knerl
  2⤵
  PID:1442
- - /usr/bin/bsd-port/knerl
    /usr/bin/bsd-port/knerl
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1443
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1463
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1464
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1465
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1466
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1467
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1468
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1469
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1470
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1471
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1472
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1473
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1474
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1475
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1476
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1477
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1478
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"
      4⤵
      PID:1479
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1480
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1481
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1482
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1483
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1484
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1485
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1486
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"
      4⤵
      PID:1487
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1488
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1489
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1490
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1491
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1492
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"
      4⤵
      PID:1493
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1494
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1495
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1496
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1497
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1498
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"
      4⤵
      PID:1499
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1500
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1501
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1502
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1503
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1504
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1445
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1446
- /bin/sh
  sh -c "cp -f /tmp/d7799f78f82dc2d31735ac344aa95611_JaffaCakes118 /usr/bin/pythno"
  2⤵
  PID:1447
- - /usr/bin/cp
    cp -f /tmp/d7799f78f82dc2d31735ac344aa95611_JaffaCakes118 /usr/bin/pythno
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1448
- /bin/sh
  sh -c /usr/bin/pythno
  2⤵
  PID:1450
- - /usr/bin/pythno
    /usr/bin/pythno
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1451
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1454
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1455

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/VsystemsshMdt

Filesize
64B

MD5
eca6fee7962036e7cfdb9c5bdbaa1497

SHA1
7e0ebb9cd3ff9af2ec1e55eb09965387e26270ca

SHA256
c1bac10ebd6d2dccce75ed9709e60cc609cad21689ea6223fb3321285612e07c

SHA512
f17c5fec0036cbed6165b60aba63ff0e9f91b89d5ab1747077eb47160fa02cdf2255976caee325c3c02dbcbcffb3e9384df871956764fb15be305622f2367488

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
caa27b819c9303446f702929874a00e8

SHA1
d24199c0e376edea3f822b215148cc0dc78364bf

SHA256
da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b

SHA512
dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

Download Submit
/tmp/idus.log

Filesize
4B

MD5
6786f3c62fbf9021694f6e51cc07fe3c

SHA1
fe5fe4af3281ec07715498f052a7350c26c151c0

SHA256
abe6c5838bf22b825feb81d89e93c837871fcef0dbc4cd106fe1d4fb19f1d335

SHA512
1906bef0432d52bff2e317db1b661271b28bf8886bb2d2e6b73d20224bc044c6913d1bcbfda3a47f6864716b15bb9b0829d033f0b3a862458cb285553a0b1226

Download Submit
/tmp/notify.file

Filesize
51B

MD5
98f8a5ff00fb79cb34c296a74c5bad5c

SHA1
2bad1b07122fb190126fb19ccd564fb15c08bfce

SHA256
7595c3529af4a321c2ea7d7ea75962bbf0b02045cb196edd203148b86dc4441b

SHA512
ca64d7f0a98b72cc7bd1abe2f5187c1b6ce278c501b5513284e811aa93927b43ff8fbd967c3b33c5c9daf0ec70c04e5612aef6948f5027084d45152104f77f7f

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
4fa7c62536118cc404dec4a0ca88d4f6

SHA1
8caef7cfd1f24143d5b7f7048b4c1301a29ec767

SHA256
5d6e5dacd1f15ec9e3860fbbaf3666e0a3c6717f6eba7982d43c2d2d626bbd31

SHA512
445d3e68bad99803784637990960c2c0014b766489d949558da3222f35f8765fd1eec7292e4d878ce5b7a381d4ece55ec7b2eff2c09e2d84a09e488f4e6c7cb2

Download Submit
/usr/bin/bsd-port/knerl

Filesize
1.1MB

MD5
d7799f78f82dc2d31735ac344aa95611

SHA1
41c47481d77860552cf47692f10240838fe6ce50

SHA256
8e5946630ea113f1e9caf1e3678fc74d2414ff90b759544b62d3b9be674ffd76

SHA512
0bf31f30eea64e443bb410b09c0d10a3233c85a16db9aa4769b1c073417f824ce72665171508f35d0aae2533f345944ea1c26bf24e7b035e3492628dde2619eb

Download Submit
/usr/bin/dpkgd/lsof

Filesize
171KB

MD5
061386937ec7acf924438a2643a32be0

SHA1
01a044b9e58839bea3e58c66cb32acc16241bf91

SHA256
8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

SHA512
2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

Download Submit
/usr/bin/dpkgd/ps

Filesize
134KB

MD5
d194576b899af45b1d2a448612ec21e5

SHA1
492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

SHA256
a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

SHA512
b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads