mrblack | 89681a305db16332df54709f9adcdf6e95561b658ba4f6a3da2a1026312fb2be

Analysis

max time kernel
149s
max time network
145s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
15-09-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
Size

1.1MB
MD5

e1dc8adf1bf1ebceb2b95c5d4fa02232
SHA1

496972d3b4f446ebbce8b3743f3546f14c5fd6cd
SHA256

89681a305db16332df54709f9adcdf6e95561b658ba4f6a3da2a1026312fb2be
SHA512

bd77d2d38725f5eeee3e7df4ee8556e58c785ef99ad728a9928bac1d4dc6d72c0c0d6dc684dcafaf7bc6fadede268d271125c1b06ad2fd6ad75928248a80490d
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaoI+gIGYuuCol7r:4vREKfPqVE5jKsfaoRHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1558	sh
1559	chmod
1566	sh
1567	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1521	getty
/usr/bin/.sshd	1529	.sshd

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/DbSecuritySpt	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for modification	/etc/init.d/selinux	getty

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118

Write file to user bin folder 8 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	getty
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for reading	/proc/cpuinfo	getty

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/dev	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for reading	/proc/net/route	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for reading	/proc/net/arp	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for reading	/proc/net/dev	getty

Reads runtime system information 17 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	getty
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	getty

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/notify.file	.sshd
File opened for modification	/tmp/gates.lock	.sshd
File opened for modification	/tmp/moni.lock	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for modification	/tmp/bill.lock	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for modification	/tmp/gates.lock	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for modification	/tmp/notify.file	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for modification	/tmp/conf.n	e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
File opened for modification	/tmp/moni.lock	.sshd

/tmp/e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
/tmp/e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1499
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1505
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1506
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1507
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1508
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1509
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1510
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1511
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1512
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1513
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1514
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1515
- - /bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1516
- /bin/sh
  sh -c "cp -f /tmp/e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1517
- - /bin/cp
    cp -f /tmp/e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1518
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1520
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1521
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1538
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1539
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1540
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1541
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1542
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1543
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1544
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1545
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1546
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1548
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1549
    - - /bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1550
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1551
    - - /bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1552
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1553
    - - /bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1554
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
      4⤵
      PID:1555
    - - /bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1557
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1558
    - - /bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1559
  - - /bin/sh
      sh -c "cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1560
    - - /bin/cp
        
        cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1561
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1562
    - - /bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1563
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
      4⤵
      PID:1564
    - - /bin/cp
        
        cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1565
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1566
    - - /bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1567
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1568
    - - /sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1569
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1523
- - /bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1524
- /bin/sh
  sh -c "cp -f /tmp/e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118 /usr/bin/.sshd"
  2⤵
  PID:1525
- - /bin/cp
    cp -f /tmp/e1dc8adf1bf1ebceb2b95c5d4fa02232_JaffaCakes118 /usr/bin/.sshd
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1526
- /bin/sh
  sh -c /usr/bin/.sshd
  2⤵
  PID:1528
- - /usr/bin/.sshd
    /usr/bin/.sshd
    3⤵
    - Executes dropped EXE
    - Writes file to tmp directory
    PID:1529
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1531
- - /sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
8a16604f41077d74147b9cc531455d1f

SHA1
96945c7b6158326994b01a2b93e07082df4d8ac2

SHA256
81bde850f1321a3fb21994e77c073e8a0d93190e764265dd5263815d613a3436

SHA512
682523f06b3abea2f1e397099fd461954b8f7a654b98754d3748ef9be323eafda741e6664cb06fd849bef37306e73a789f7e642d861551a194c896c2ccc2723d

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/gates.lock

Filesize
4B

MD5
cfa5301358b9fcbe7aa45b1ceea088c6

SHA1
7841fb1f92b99194ca818d410cb09430731b6285

SHA256
9f69998560dcfd8016442e0a32e959191df095817a164ce844c64ec5a8b0cc1b

SHA512
9408218f3f1ff887751d736008a5ae64bf36558a70bd7f8011b57ddc5efe28b24bcbeea306c09dea24bcf6bca185c5ea37422d90e9393b27228e8888a019130d

Download Submit
/tmp/moni.lock

Filesize
4B

MD5
cb8acb1dc9821bf74e6ca9068032d623

SHA1
0ad54e429b2b6238550f24701541130b978e4640

SHA256
8ff9538e65e6781d654b811f88161d12455935ffb8f470815063b6ab6cb7fdff

SHA512
355051ba1d636582e623824587c9d5c6e6cc4c98dc830c26b212d61d0d009b91ad062aa99c7c2a3982a3b34091c49e412d7bfaf6d57c80794e7b3c31801dd964

Download Submit
/tmp/notify.file

Filesize
51B

MD5
c502136eaf4ab6e83042cc5b295dd928

SHA1
d148574fc6f7041c52ac5121858e846b284ad416

SHA256
03c1dc18439873bc99858456914fefbb747eb970cafe13d978de1baefd362ea4

SHA512
035d98cd72574c5685c6583c9e7089ae5994f416d21adbd1a81f8b3f32086263f7e5fece1c086f94d1857db1c22568316001732e56b9bdffbe69c46d61927711

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.1MB

MD5
e1dc8adf1bf1ebceb2b95c5d4fa02232

SHA1
496972d3b4f446ebbce8b3743f3546f14c5fd6cd

SHA256
89681a305db16332df54709f9adcdf6e95561b658ba4f6a3da2a1026312fb2be

SHA512
bd77d2d38725f5eeee3e7df4ee8556e58c785ef99ad728a9928bac1d4dc6d72c0c0d6dc684dcafaf7bc6fadede268d271125c1b06ad2fd6ad75928248a80490d

Download Submit
/usr/bin/dpkgd/lsof

Filesize
159KB

MD5
e093dc78225e2a0a25e3b137c1c1e442

SHA1
c29497cfaae729eb576875e4fdfa400640ab16be

SHA256
1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e

SHA512
fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0

Download Submit
/usr/bin/dpkgd/ps

Filesize
130KB

MD5
558edc26f8a38fa9788220b9af8a73e7

SHA1
3024d44e580e9c67f32f6c585d50e2a6cc9a7cac

SHA256
b76435c80333d2c1fd18e0e7682f1c9dfb5da8d507e93e3c416f54b481c428d5

SHA512
edaa425b441044f015e8f68fffa1664e42372d00dd0e7b0924d24ce947aa8e5f96b3bdc326fa2f8b978e3fcf638a1ceca45a223735db73f1607df66990feb56f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads