mrblack | ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
14-09-2024 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
Size

1.1MB
MD5

df76bc434765108eecd8cbfb6a8bde76
SHA1

566a6dd2fd0b0352b7b0867ac72817f9a66fda1c
SHA256

ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf
SHA512

8e809ab6686de36c0d670aa5217f346377e4074dc49cb802702ab643fba20b325bc65da0961be6e4b98a237f84f59074953b1b34f7fc60bf0db391661803158d
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfadI+gIGYuuCol7r:4vREKfPqVE5jKsfadRHGVo7r

Score

10^/10

mrblack antivm botnet discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Executes dropped EXE 2 IoCs

Processes:

getty.swhd

ioc	pid	Process
/usr/bin/bsd-port/getty	1637	getty
/usr/bin/.swhd	1645	.swhd

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118

description	ioc	Process
File opened for modification	/etc/init.d/DbSecuritySpt	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118

Write file to user bin folder 4 IoCs

persistence

Processes:

df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118cpcp

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty.lock	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.swhd	cp

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118

description	ioc	Process
File opened for reading	/proc/cpuinfo	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118

description	ioc	Process
File opened for reading	/proc/net/dev	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

mkdircpgettydf76bc434765108eecd8cbfb6a8bde76_JaffaCakes118mkdircp.swhdinsmod

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/stat	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
File opened for reading	/proc/sys/kernel/version	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	.swhd
File opened for reading	/proc/meminfo	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
File opened for reading	/proc/cmdline	insmod

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118.swhd

description	ioc	Process
File opened for modification	/tmp/gates.lock	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
File opened for modification	/tmp/notify.file	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
File opened for modification	/tmp/moni.lock	.swhd
File opened for modification	/tmp/notify.file	.swhd
File opened for modification	/tmp/gates.lock	.swhd
File opened for modification	/tmp/moni.lock	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
File opened for modification	/tmp/bill.lock	df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118

/tmp/df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
/tmp/df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1595
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1615
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1616
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1617
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1618
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1619
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1620
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1621
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1622
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1623
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1624
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1631
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1632
- /bin/sh
  sh -c "cp -f /tmp/df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1633
- - /usr/bin/cp
    cp -f /tmp/df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1634
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1636
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    PID:1637
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1639
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1640
- /bin/sh
  sh -c "cp -f /tmp/df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118 /usr/bin/.swhd"
  2⤵
  PID:1641
- - /usr/bin/cp
    cp -f /tmp/df76bc434765108eecd8cbfb6a8bde76_JaffaCakes118 /usr/bin/.swhd
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1642
- /bin/sh
  sh -c /usr/bin/.swhd
  2⤵
  PID:1644
- - /usr/bin/.swhd
    /usr/bin/.swhd
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1645
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1647
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
c48a01794847c75a13250942c64a03fb

SHA1
494bf171e2fae59dbcd08e54f2f239a33fd20198

SHA256
d166f646fa65c18758b688a68552ffba58cceede919e5353100f33a8c307b470

SHA512
d5848e3c5876969124bf7f84a7712541f570477fdb21426f6c82babcb07d7eb2cac70497e36fdeb0bbc780a62c980fb212de9f9217ba34418e0545d99bf4aeab

Download Submit
/tmp/gates.lock

Filesize
4B

MD5
309fee4e541e51de2e41f21bebb342aa

SHA1
ee8abc188469df780d869b862fde433a2327678e

SHA256
a19fbf8bf0530ca46179b803a8234f56276f21c0e7dc2f84c682924b95de5801

SHA512
3fb050c47892b04da1c6021ebb875e271716d181db95965a26350151429613e986e7c7e26060ecd2cb508f5492ba655a52ccba8b2f95a0c88237553165fe8971

Download Submit
/tmp/moni.lock

Filesize
4B

MD5
e4873aa9a05cc5ed839561d121516766

SHA1
cc0152ff71fc8243f70c8e8478bd7de2aa387e2c

SHA256
c4c9f099e7a471df3389eeb1a1487cf95b5a46e997bf9614e3229114b6787dc6

SHA512
1186c52e6c56d3b4d4c9d587c4cd2c627c00752dfd8973ccb340117308ecdc7e3fa64ad00be8538f5cd52ca5a80a27b1d362a69345f8fbbe862fa3e9fba0cd2d

Download Submit
/tmp/notify.file

Filesize
51B

MD5
69bb1dbdff563af0c2d129379a456901

SHA1
22d01ca5979b26ccf1e0172c1ad810fbb1dd8996

SHA256
6f1ef7cb45456c1ddae9d8880d86223a68ded892d2f79c967161f7eb9a99b56d

SHA512
59353b32c72f85bda2f967ac999a26295b84eb489ed5faea1cf9f78e44f9f2086e243a0f5df895a1daef46f5dd91beb9bf0164817a952d06ff036d72028e7c9e

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.1MB

MD5
df76bc434765108eecd8cbfb6a8bde76

SHA1
566a6dd2fd0b0352b7b0867ac72817f9a66fda1c

SHA256
ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf

SHA512
8e809ab6686de36c0d670aa5217f346377e4074dc49cb802702ab643fba20b325bc65da0961be6e4b98a237f84f59074953b1b34f7fc60bf0db391661803158d

Download Submit