mrblack | 48705e816a6587d2a8d3d512c91159456cc7eabc8618d561e6df87f843919b2c

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
12-09-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
Size

1.1MB
MD5

dcf77358235d18fb9bb9205650dacc04
SHA1

4b96e288d6e8f69f769435c7f8fddff67ab54ec5
SHA256

48705e816a6587d2a8d3d512c91159456cc7eabc8618d561e6df87f843919b2c
SHA512

2166d6a9795c9b875adb1004a19a8ba7ea8945ca614a268e06549b5843ec46a20e5af79ec5660be1b5c04bec791677aab780eb0c944699a297772746f4191744
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfahI+gIGYuuCol7r:4vREKfPqVE5jKsfahRHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodshchmodshchmodshchmodsh

pid	Process
1654	chmod
1630	sh
1631	chmod
1639	sh
1640	chmod
1647	sh
1648	chmod
1653	sh

Executes dropped EXE 2 IoCs

Processes:

getty.sshd

ioc	pid	Process
/usr/bin/bsd-port/getty	1595	getty
/usr/bin/.sshd	1603	.sshd

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

dcf77358235d18fb9bb9205650dacc04_JaffaCakes118getty

description	ioc	Process
File opened for modification	/etc/init.d/DbSecuritySpt	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for modification	/etc/init.d/selinux	getty

Write file to user bin folder 9 IoCs

persistence

Processes:

cpcpgettycpcpcpdcf77358235d18fb9bb9205650dacc04_JaffaCakes118cp

description	ioc	Process
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	getty
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp

Writes file to system bin folder 2 IoCs

Processes:

cpcp

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

dcf77358235d18fb9bb9205650dacc04_JaffaCakes118getty

description	ioc	Process
File opened for reading	/proc/cpuinfo	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for reading	/proc/cpuinfo	getty

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

dcf77358235d18fb9bb9205650dacc04_JaffaCakes118getty

description	ioc	Process
File opened for reading	/proc/net/dev	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for reading	/proc/net/dev	getty

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

mkdircpmkdirmkdirinsmoddcf77358235d18fb9bb9205650dacc04_JaffaCakes118insmodcpcpcp.sshdcpcpgettymkdirmkdircpmkdirmkdircp

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/meminfo	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/stat	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	.sshd
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	getty
File opened for reading	/proc/sys/kernel/version	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	getty
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

dcf77358235d18fb9bb9205650dacc04_JaffaCakes118.sshd

description	ioc	Process
File opened for modification	/tmp/notify.file	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for modification	/tmp/moni.lock	.sshd
File opened for modification	/tmp/notify.file	.sshd
File opened for modification	/tmp/gates.lock	.sshd
File opened for modification	/tmp/moni.lock	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for modification	/tmp/bill.lock	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
File opened for modification	/tmp/gates.lock	dcf77358235d18fb9bb9205650dacc04_JaffaCakes118

/tmp/dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
/tmp/dcf77358235d18fb9bb9205650dacc04_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1553
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1579
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1580
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1581
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1582
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1583
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1584
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1585
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1586
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1587
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1588
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1589
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1590
- /bin/sh
  sh -c "cp -f /tmp/dcf77358235d18fb9bb9205650dacc04_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1591
- - /usr/bin/cp
    cp -f /tmp/dcf77358235d18fb9bb9205650dacc04_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1592
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1594
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1595
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1610
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1611
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1612
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1613
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1614
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1615
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1616
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1617
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1618
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1619
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1621
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1622
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1623
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1624
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1625
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1626
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"
      4⤵
      PID:1627
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1628
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1630
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1631
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1632
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1633
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1634
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1635
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
      4⤵
      PID:1636
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1638
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1639
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1640
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1641
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1642
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
      4⤵
      PID:1643
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1644
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1647
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1648
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1649
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1650
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"
      4⤵
      PID:1651
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1652
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1653
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1654
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1655
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1656
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1597
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1598
- /bin/sh
  sh -c "cp -f /tmp/dcf77358235d18fb9bb9205650dacc04_JaffaCakes118 /usr/bin/.sshd"
  2⤵
  PID:1599
- - /usr/bin/cp
    cp -f /tmp/dcf77358235d18fb9bb9205650dacc04_JaffaCakes118 /usr/bin/.sshd
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1600
- /bin/sh
  sh -c /usr/bin/.sshd
  2⤵
  PID:1602
- - /usr/bin/.sshd
    /usr/bin/.sshd
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1603
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1605
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1606

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
8ced51ccaeddbac49438dffecd9fec35

SHA1
b0ef55d7eb7f39e0118ed30bb62a87ad1c86576b

SHA256
638bac28d5cce7a9ab3624596296ccb8046bb98f7b6f461a7ac9e4d9adb1e1ce

SHA512
b156fd8446d1a1f184252509c27882990f2607a03819420236d0ba754445114990f1a8e3e02f2116e5dc09bd0e5a26e05779a1936aa938df4ea0b06932fd045c

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/gates.lock

Filesize
4B

MD5
98986c005e5def2da341b4e0627d4712

SHA1
ba2e8aa59e4161ee5807078f7226c405fde751a6

SHA256
6fb4775fed7293b1da12333ce782e879cefce4ca3b83e12628b1a54e062606b6

SHA512
039aae6dbb53263f8868d777e1b3766bee4488c2d9812c3eb5ae692d7be4cea0314860458b3b32440627133cf4a2b1e63c5773120b90b028220db0eca878c09c

Download Submit
/tmp/moni.lock

Filesize
4B

MD5
a368b0de8b91cfb3f91892fbf1ebd4b2

SHA1
422237776eebac1e9ce55eb11b9635704dfe1507

SHA256
361603c11612df16fcb9d48b4c22430535c8e53fe3b3c5a6a39bdf7e0543f65c

SHA512
94e2b403307ffc6882c873e8cf18965c1973d5c6a546628bd4368a56fb70410a6a6138994def58d0304ad265649ab4a3bdb85fc5a9b476d33945c94054ae1663

Download Submit
/tmp/notify.file

Filesize
51B

MD5
8f610870f7481f97832dcba64994b560

SHA1
d96477f0de6f2da23565581d3807ed894af53709

SHA256
ad719bbf87ff450c4df6cbd064698e997467b9fb8799c9d5940ae41978889cc6

SHA512
7fac35dd926bc69a4223e9948b2418df5150f9672723438ba4df1272ac062937135cc9e8586acf8df395844de8de1acbcad658f96e1301fc92abc38f38acffcc

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.1MB

MD5
dcf77358235d18fb9bb9205650dacc04

SHA1
4b96e288d6e8f69f769435c7f8fddff67ab54ec5

SHA256
48705e816a6587d2a8d3d512c91159456cc7eabc8618d561e6df87f843919b2c

SHA512
2166d6a9795c9b875adb1004a19a8ba7ea8945ca614a268e06549b5843ec46a20e5af79ec5660be1b5c04bec791677aab780eb0c944699a297772746f4191744

Download Submit
/usr/bin/dpkgd/lsof

Filesize
163KB

MD5
ab57b66cc531ae0f996963223e632b60

SHA1
bf7e5becd33f21c2539f5a75ffa0ab61c49c8795

SHA256
2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df

SHA512
908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

Download Submit
/usr/bin/dpkgd/ps

Filesize
138KB

MD5
8146139c2ad7e550b1d1f49480997446

SHA1
074db8890c3227bd8a588417f5b9bde637bcf3af

SHA256
207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f

SHA512
b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

Download Submit