mrblack | 617efd09ffd19d1f70a0f9b3aed510ad76f5d8d4667176335350c9553c23dc6a

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
15-09-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
Size

1.1MB
MD5

e33d0c06bb431b3e421ef4b5b9327197
SHA1

cfdd11cd560b4867cf1124f5baa64ea35e604ebf
SHA256

617efd09ffd19d1f70a0f9b3aed510ad76f5d8d4667176335350c9553c23dc6a
SHA512

007bd45140f374b5c1bbd0b851a8b9b28fb7cf0bbb9accea5052daa388c6289b3c980d1e07539818bfe9d10af0872e8ca855ebfd5cea8f3b3a130017ecff8880
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaMI+gIGYuuCol7r:4vREKfPqVE5jKsfaMRHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

shchmodshchmodshchmodshchmod

pid	Process
1634	sh
1635	chmod
1642	sh
1643	chmod
1649	sh
1650	chmod
1655	sh
1656	chmod

Executes dropped EXE 2 IoCs

Processes:

receioracle

ioc	pid	Process
/usr/bin/bsd-port/recei	1597	recei
/usr/bin/oracle	1605	oracle

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118recei

description	ioc	Process
File opened for modification	/etc/init.d/VsystemsshMmt	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for modification	/etc/init.d/selinux	recei

Write file to user bin folder 9 IoCs

persistence

Processes:

e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118cpcpreceicpcpcpcp

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/recei.conf	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/recei	cp
File opened for modification	/usr/bin/oracle	cp
File opened for modification	/usr/bin/bsd-port/recei.conf	recei
File opened for modification	/usr/bin/bsd-port/udevd.conf	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp

Writes file to system bin folder 2 IoCs

Processes:

cpcp

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118recei

description	ioc	Process
File opened for reading	/proc/cpuinfo	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for reading	/proc/cpuinfo	recei

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118recei

description	ioc	Process
File opened for reading	/proc/net/dev	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for reading	/proc/net/dev	recei

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

receimkdirinsmode33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118cporaclecpmkdirinsmodcpmkdircpcpmkdircpmkdircpmkdirmkdircp

description	ioc	Process
File opened for reading	/proc/sys/kernel/version	recei
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	oracle
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	recei
File opened for reading	/proc/meminfo	recei

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

oraclee33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118

description	ioc	Process
File opened for modification	/tmp/Dest.cfg	oracle
File opened for modification	/tmp/appd.log	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for modification	/tmp/appd.conf	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for modification	/tmp/Dest.cfg	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for modification	/tmp/notify.file	e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
File opened for modification	/tmp/appd.log	oracle
File opened for modification	/tmp/notify.file	oracle

/tmp/e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
/tmp/e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1569
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt"
  2⤵
  PID:1581
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt
    3⤵
    PID:1582
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt"
  2⤵
  PID:1583
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt
    3⤵
    PID:1584
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt"
  2⤵
  PID:1585
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt
    3⤵
    PID:1586
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt"
  2⤵
  PID:1587
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt
    3⤵
    PID:1588
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt"
  2⤵
  PID:1589
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt
    3⤵
    PID:1590
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1591
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1592
- /bin/sh
  sh -c "cp -f /tmp/e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118 /usr/bin/bsd-port/recei"
  2⤵
  PID:1593
- - /usr/bin/cp
    cp -f /tmp/e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118 /usr/bin/bsd-port/recei
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1594
- /bin/sh
  sh -c /usr/bin/bsd-port/recei
  2⤵
  PID:1596
- - /usr/bin/bsd-port/recei
    /usr/bin/bsd-port/recei
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1597
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1613
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1614
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1615
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1616
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1617
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1618
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1619
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1620
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1621
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1622
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1624
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1625
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1626
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1627
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1629
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1630
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/recei /bin/lsof"
      4⤵
      PID:1631
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/recei /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1632
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1634
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1635
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1636
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1637
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1638
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1639
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/recei /bin/ps"
      4⤵
      PID:1640
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/recei /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1641
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1642
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1643
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1644
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1645
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/lsof"
      4⤵
      PID:1646
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/recei /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1647
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1649
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1650
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1651
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1652
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/ps"
      4⤵
      PID:1653
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/recei /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1654
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1655
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1656
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1657
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1658
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1599
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1600
- /bin/sh
  sh -c "cp -f /tmp/e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118 /usr/bin/oracle"
  2⤵
  PID:1601
- - /usr/bin/cp
    cp -f /tmp/e33d0c06bb431b3e421ef4b5b9327197_JaffaCakes118 /usr/bin/oracle
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1602
- /bin/sh
  sh -c /usr/bin/oracle
  2⤵
  PID:1604
- - /usr/bin/oracle
    /usr/bin/oracle
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1605
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1607
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/VsystemsshMmt

Filesize
64B

MD5
07fb6b9592e84446db8ca421087302ab

SHA1
1902a52ad702681a78c2674e9932000742d4f323

SHA256
6f1c278045ebd6e253bb6a431efd4d0233f055cf51dc3adae5f01d3289403e29

SHA512
1886c5404ab547048045c357ed65e3a2f97dcd3ddea0bc3e8a5269f5320e9c1ced8753d6e69aa0e7f93f1653231edc19aaf80805035969043c77fbcef4a374b4

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
57cde9c165195cfb90c212057795ed49

SHA1
d77d9895306eb09ad9b54588fb7998c79c671563

SHA256
3e3488e9c63dfadffd594301e2192418b158238bfb8f83d6702123d72892cf36

SHA512
de9af53a508167cbbb820a99c2742918ec5b8c83877b77e43e4b441019311685647f47fb4666ba53ecef4e6a2d5514eb67981d471ddf173b04848609b3c0c00d

Download Submit
/tmp/Dest.cfg

Filesize
4B

MD5
7949e456002b28988d38185bd30e77fd

SHA1
8eac9d03673ad3fa86c1c815275470ec81580e0a

SHA256
3a481e728390d89c6843c180dc18ca8d693de5f5421e6240711c5dad483c72b3

SHA512
86ffa374c2572cf61c670ec5469b80a9f71db097a87e45393aac98ac96a1c019325f360ccbaa6509acd366045c871b0e2ce76503942603228cf87b5c18105586

Download Submit
/tmp/notify.file

Filesize
51B

MD5
3bce2b4909160b413ace66e0ecc314e1

SHA1
83151d0ed5b8d8fa72d9e53f286e8bce9e7700d9

SHA256
279ed2ad71d5879edbdd25d9de4fec7b98d9a3077dc1892268d1b3d1fd3e0343

SHA512
bc7d26c0b80c8dfdf4a770a718076e936d2f4936930324736a09a874ec7bf1368705152a6218189161b0cba703e36d4bc40e58a18fa89770d953d54e5f9c4d91

Download Submit
/usr/bin/bsd-port/recei

Filesize
1.1MB

MD5
e33d0c06bb431b3e421ef4b5b9327197

SHA1
cfdd11cd560b4867cf1124f5baa64ea35e604ebf

SHA256
617efd09ffd19d1f70a0f9b3aed510ad76f5d8d4667176335350c9553c23dc6a

SHA512
007bd45140f374b5c1bbd0b851a8b9b28fb7cf0bbb9accea5052daa388c6289b3c980d1e07539818bfe9d10af0872e8ca855ebfd5cea8f3b3a130017ecff8880

Download Submit
/usr/bin/dpkgd/lsof

Filesize
163KB

MD5
ab57b66cc531ae0f996963223e632b60

SHA1
bf7e5becd33f21c2539f5a75ffa0ab61c49c8795

SHA256
2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df

SHA512
908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

Download Submit
/usr/bin/dpkgd/ps

Filesize
138KB

MD5
8146139c2ad7e550b1d1f49480997446

SHA1
074db8890c3227bd8a588417f5b9bde637bcf3af

SHA256
207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f

SHA512
b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

Download Submit