mrblack | e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f

Analysis

max time kernel
149s
max time network
148s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
18-09-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
Size

1.1MB
MD5

e97790c1200e6d5c8f4eed64f1736a5d
SHA1

8df8579b3303221b0aa9955f0e11ab6d24525a1a
SHA256

e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f
SHA512

0cb76a4ac2c5787282f31bed1a0a2599258d85890d60cc6a1538548f304b56668840295b99d862a721baa3309e7dc3366b2dbd2819ed39900cc2165dc23a7f70
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfazI+gIGYuuCol7r:4vREKfPqVE5jKsfazRHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodshchmodshchmodshchmodsh

pid	Process
1513	chmod
1518	sh
1519	chmod
1524	sh
1525	chmod
1503	sh
1504	chmod
1512	sh

Executes dropped EXE 2 IoCs

Processes:

agentacpid

ioc	pid	Process
/usr/bin/bsd-port/agent	1466	agent
/usr/bin/acpid	1474	acpid

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118agent

description	ioc	Process
File opened for modification	/etc/init.d/DbSecurityMdt	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for modification	/etc/init.d/selinux	agent

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

Processes:

agent

description	ioc	Process
File opened for reading	/proc/net/route	agent

Write file to user bin folder 10 IoCs

persistence

Processes:

cpcpcpagente97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118cpcpcp

description	ioc	Process
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/conf.n	agent
File opened for modification	/usr/bin/bsd-port/agent.conf	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.conf	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/agent.conf	agent
File opened for modification	/usr/bin/bsd-port/agent	cp
File opened for modification	/usr/bin/acpid	cp
File opened for modification	/usr/bin/lsof	cp

Writes file to system bin folder 2 IoCs

Processes:

cpcp

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

agente97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118

description	ioc	Process
File opened for reading	/proc/cpuinfo	agent
File opened for reading	/proc/cpuinfo	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118agent

description	ioc	Process
File opened for reading	/proc/net/dev	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for reading	/proc/net/dev	agent
File opened for reading	/proc/net/route	agent
File opened for reading	/proc/net/arp	agent

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118mkdirmkdircpmkdirinsmodacpidcpcpcpcpcpmkdirinsmodmkdircpmkdiragentmkdircp

description	ioc	Process
File opened for reading	/proc/sys/kernel/version	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	acpid
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for reading	/proc/meminfo	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	agent
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	agent
File opened for reading	/proc/meminfo	agent

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118acpid

description	ioc	Process
File opened for modification	/tmp/notify.file	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for modification	/tmp/moni.note	acpid
File opened for modification	/tmp/notify.file	acpid
File opened for modification	/tmp/gates.note	acpid
File opened for modification	/tmp/moni.note	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for modification	/tmp/bill.note	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
File opened for modification	/tmp/gates.note	e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118

/tmp/e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
/tmp/e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118
1⤵
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1409
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt"
  2⤵
  PID:1450
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt
    3⤵
    PID:1451
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt"
  2⤵
  PID:1452
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt
    3⤵
    PID:1453
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt"
  2⤵
  PID:1454
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt
    3⤵
    PID:1455
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt"
  2⤵
  PID:1456
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt
    3⤵
    PID:1457
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt"
  2⤵
  PID:1458
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt
    3⤵
    PID:1459
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1460
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1461
- /bin/sh
  sh -c "cp -f /tmp/e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118 /usr/bin/bsd-port/agent"
  2⤵
  PID:1462
- - /usr/bin/cp
    cp -f /tmp/e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118 /usr/bin/bsd-port/agent
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1463
- /bin/sh
  sh -c /usr/bin/bsd-port/agent
  2⤵
  PID:1465
- - /usr/bin/bsd-port/agent
    /usr/bin/bsd-port/agent
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Reads system routing table
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1466
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1483
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1484
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1485
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1486
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1488
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1489
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1490
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1491
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1492
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1493
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1494
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1495
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1496
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1497
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1499
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1500
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/agent /bin/lsof"
      4⤵
      PID:1501
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/agent /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1502
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1503
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1504
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1506
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1507
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1508
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1509
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/agent /bin/ps"
      4⤵
      PID:1510
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/agent /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1511
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1512
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1513
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1514
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1515
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/agent /usr/bin/lsof"
      4⤵
      PID:1516
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/agent /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1517
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1518
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1519
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1520
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1521
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/agent /usr/bin/ps"
      4⤵
      PID:1522
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/agent /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1523
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1524
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1525
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1526
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1527
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1468
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1469
- /bin/sh
  sh -c "cp -f /tmp/e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118 /usr/bin/acpid"
  2⤵
  PID:1470
- - /usr/bin/cp
    cp -f /tmp/e97790c1200e6d5c8f4eed64f1736a5d_JaffaCakes118 /usr/bin/acpid
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1471
- /bin/sh
  sh -c /usr/bin/acpid
  2⤵
  PID:1473
- - /usr/bin/acpid
    /usr/bin/acpid
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1474
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1477
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1478

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecurityMdt

Filesize
64B

MD5
b96b2d7b4dd1afcd5bfd4b680a6dcdae

SHA1
10147be68f0d0c6e67bda33bb0380b0494412f15

SHA256
fb0fb1dff6549d7eab8e00d7b3d3c5725cf20efa68668128d3b3c9bba060394a

SHA512
ef05bb17b8b7c690b383e2033f36f52c69df2d725c7522c718cb434c70bd3a779e6120fde3d88342859552a3fdb73d638fb42601ca5af75675b131dbc21c8b57

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
c6a80f08539a4c3176762f514976dd24

SHA1
bbc5826b01d20f5c4d315ff5dbc3f216760c64ef

SHA256
ea47e885ae227059ce55d020335f7869c565ec6d85f484497e83cd4998149d5d

SHA512
9a1e3b0142876305fe389e07880bd586e97bf709273a66299d9128ff2861459104054d4e5d836aecdf73f2c11886fa3a2a8498741adb3211b96116658b856175

Download Submit
/tmp/gates.note

Filesize
4B

MD5
512c5cad6c37edb98ae91c8a76c3a291

SHA1
8d93c9b0486a80bc7b6909df5440d0c190eccd4e

SHA256
4103f0a4e707b1c7bebbc42809ab0ace8dd3f56d844d7903bfe9f95a2ccc6972

SHA512
e57d0f76f2ca0d41959c6878e7004b0027e3ef0f75d9cfbb03bab02b5171a541c92297536b6af90ca5634cf085659ed2c4a371ee163bc29609e05e29bb0cee08

Download Submit
/tmp/moni.note

Filesize
4B

MD5
571d3a9420bfd9219f65b643d0003bf4

SHA1
e74f0f1f0934fe0ab10af864e8ea13c69913a897

SHA256
d3fb4415d5c03cf6544957b7a7a66041c95b447ee149f0e4479f8ac2e48969ea

SHA512
5244a768479585826c67a30f83372d12012b38681e727070674ca4c477308b8e78ac0f70ce9781b99614ac336aa4382af0635cb2ce35218e633152a9147efbb9

Download Submit
/tmp/notify.file

Filesize
51B

MD5
89b0cfbafa961e82ca0a999914822d1b

SHA1
d988cc9683a0b6d2543ffd2ee3b4392b688caebb

SHA256
ef39d3be7c549ae352ec2615e40bc1f4b40a8e0b18babfa22440ca701ee44fa1

SHA512
56c0d06047a587b78644045dfbd59dc868a1ca0f80fea9008998f0694fe5642ad244ab1487657c7168b99d260847f3a1081114f0be352823c50e20d1ffd61f40

Download Submit
/usr/bin/bsd-port/agent

Filesize
1.1MB

MD5
e97790c1200e6d5c8f4eed64f1736a5d

SHA1
8df8579b3303221b0aa9955f0e11ab6d24525a1a

SHA256
e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f

SHA512
0cb76a4ac2c5787282f31bed1a0a2599258d85890d60cc6a1538548f304b56668840295b99d862a721baa3309e7dc3366b2dbd2819ed39900cc2165dc23a7f70

Download Submit
/usr/bin/bsd-port/conf.n

Filesize
69B

MD5
e7ae230fbaf67e16d3c2550f1d426a55

SHA1
b501c3af59d7b127eb1e789942052c60a08ebe6c

SHA256
10efaf4aa654022f82e3e63f84d85a713c6e4848289b8be892d4a6846c0cd624

SHA512
c23c16e78ad65e8d14a4f3c90d1a8eface1fabaa4c12b69e0c791505a2d560edb671c1bbd6839b7feb4b0e5a62bd9d01eb8e9ef2218a372d46d165b35d9adbcf

Download Submit
/usr/bin/dpkgd/lsof

Filesize
171KB

MD5
061386937ec7acf924438a2643a32be0

SHA1
01a044b9e58839bea3e58c66cb32acc16241bf91

SHA256
8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

SHA512
2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

Download Submit
/usr/bin/dpkgd/ps

Filesize
134KB

MD5
d194576b899af45b1d2a448612ec21e5

SHA1
492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

SHA256
a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

SHA512
b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

Download Submit