mrblack | 13b31c857ca874127126dc16929e7a281f97d2dc84650fb5898bd41572efc7a8

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240729-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
20-09-2024 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
Size

1.1MB
MD5

ecd85f48177089d1e7672cf04d91b8ec
SHA1

1de79f6fd9322ce3a3716e24bda666a7b97ed293
SHA256

13b31c857ca874127126dc16929e7a281f97d2dc84650fb5898bd41572efc7a8
SHA512

5de0f0aebd0b9daaa06cc2cd1773bb6fe39f5dc1d7d58f423b77d73a966575cc70958275aee8ccbbadfcd07841e99b92d6d84c5fc4a7864a6af5c23e4750ca0c
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfaJI+gIGYuuCol7r:4vREKfPqVE5jKsfaJRHGVo7r

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodshchmodshchmodshchmodsh

pid	Process
1506	chmod
1511	sh
1512	chmod
1517	sh
1518	chmod
1496	sh
1498	chmod
1505	sh

Executes dropped EXE 2 IoCs

Processes:

gettylibsw

ioc	pid	Process
/usr/bin/bsd-port/getty	1459	getty
/usr/bin/libsw	1467	libsw

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118getty

description	ioc	Process
File opened for modification	/etc/init.d/DbSecuritySpt	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for modification	/etc/init.d/selinux	getty

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

Processes:

ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118

description	ioc	Process
File opened for reading	/proc/net/route	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118

Write file to user bin folder 9 IoCs

persistence

Processes:

cpcpcpcpcpecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118gettycp

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/libsw	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty.lock	getty
File opened for modification	/usr/bin/dpkgd/lsof	cp

Writes file to system bin folder 2 IoCs

Processes:

cpcp

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118getty

description	ioc	Process
File opened for reading	/proc/cpuinfo	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for reading	/proc/cpuinfo	getty

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118getty

description	ioc	Process
File opened for reading	/proc/net/dev	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for reading	/proc/net/route	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for reading	/proc/net/arp	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for reading	/proc/net/dev	getty

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

mkdirmkdirmkdircpmkdircpgettyecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118cpinsmodlibswinsmodcpcpcpcpcpmkdirmkdirmkdir

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	getty
File opened for reading	/proc/meminfo	getty
File opened for reading	/proc/sys/kernel/version	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for reading	/proc/stat	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	libsw
File opened for reading	/proc/meminfo	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

libswecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118

description	ioc	Process
File opened for modification	/tmp/notify.file	libsw
File opened for modification	/tmp/gates.lock	libsw
File opened for modification	/tmp/moni.lock	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for modification	/tmp/bill.lock	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for modification	/tmp/gates.lock	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for modification	/tmp/notify.file	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for modification	/tmp/conf.n	ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
File opened for modification	/tmp/moni.lock	libsw

/tmp/ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
/tmp/ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1402
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1443
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1444
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1445
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1446
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1447
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1448
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1449
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1450
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1451
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1452
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1453
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1454
- /bin/sh
  sh -c "cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1455
- - /usr/bin/cp
    cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1456
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1458
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1459
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1478
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1479
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1480
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1481
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1482
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1483
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1484
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1485
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1486
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1487
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1488
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1489
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1490
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1491
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1492
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1493
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"
      4⤵
      PID:1494
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1495
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1496
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1498
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1499
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1500
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1501
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1502
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
      4⤵
      PID:1503
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1504
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1505
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1506
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1507
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1508
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
      4⤵
      PID:1509
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1510
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1511
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1512
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1513
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1514
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"
      4⤵
      PID:1515
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1516
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1517
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1518
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1519
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1520
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1461
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:1462
- /bin/sh
  sh -c "cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118 /usr/bin/libsw"
  2⤵
  PID:1463
- - /usr/bin/cp
    cp -f /tmp/ecd85f48177089d1e7672cf04d91b8ec_JaffaCakes118 /usr/bin/libsw
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1464
- /bin/sh
  sh -c /usr/bin/libsw
  2⤵
  PID:1466
- - /usr/bin/libsw
    /usr/bin/libsw
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1467
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1470
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1471

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
6cc7a6c0451855903aa4c93c0ac909ae

SHA1
650445a84ff26003fa428b8a0ec3bbb23101fc82

SHA256
d35021078324e29879263b1055f9a3b99e4a75e9a085f209dcc369044d1f97cd

SHA512
68d86ff2eedfdf9496ce1247f36cdd932ef8fcd6809231abbe87b23da0a440d144e34efeb9e2daaa516b7d5927e8be9985d1f9019bf54db18bed21f8ebe4896b

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/gates.lock

Filesize
4B

MD5
4edaa105d5f53590338791951e38c3ad

SHA1
84cbb8cb3aaa7a5a5f98ab30b5b0c948cca74f93

SHA256
e8026bda3ea2eedc7dc7bce9daa640f8cc0f33e335bd73d986a872b3ba789c71

SHA512
4ba97143cecd7c930f04399ee510c97ecb6db989aea923bac4d98deffe8310ed21f8928adc3438fe31206e6a0880ee3fccc9121d1fe8bb500c6bd874b37a7c41

Download Submit
/tmp/moni.lock

Filesize
4B

MD5
cec6f62cfb44b1be110b7bf70c8362d8

SHA1
742f0a1ef06d6bdc8c856b05b3ad8839e2a27ba7

SHA256
6b6803d3f23f64d048b7d5e5d1b828c90aac1b68bec5c590100122902a400876

SHA512
75b3a6744aacae46a8de3b5b609d21cd143e701f3c73ea257d121e8cb54d27a0d3d2ed17d25cc8329a5e2b8913a298747c40f555b0af3b32ebe3dc6d22099ab8

Download Submit
/tmp/notify.file

Filesize
51B

MD5
b47623e1654646086a4269457ef03811

SHA1
2f9d7227366dba95fe6b8a32aa3b650e0e80c853

SHA256
dd1f46ed83cbb9ab2f0afaf5da64c2828cc028ef6e3c18129d4e72211bfbbad1

SHA512
c877c302c8c65e5e930d5931c117ffb9cf6079246988397e864593b77193c778bcb00819c9a9a4a7ecfa54f1bc64aecc0a6a7d74aa09e85bfdceb16009aa0d6a

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.1MB

MD5
ecd85f48177089d1e7672cf04d91b8ec

SHA1
1de79f6fd9322ce3a3716e24bda666a7b97ed293

SHA256
13b31c857ca874127126dc16929e7a281f97d2dc84650fb5898bd41572efc7a8

SHA512
5de0f0aebd0b9daaa06cc2cd1773bb6fe39f5dc1d7d58f423b77d73a966575cc70958275aee8ccbbadfcd07841e99b92d6d84c5fc4a7864a6af5c23e4750ca0c

Download Submit
/usr/bin/dpkgd/lsof

Filesize
171KB

MD5
061386937ec7acf924438a2643a32be0

SHA1
01a044b9e58839bea3e58c66cb32acc16241bf91

SHA256
8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

SHA512
2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

Download Submit
/usr/bin/dpkgd/ps

Filesize
134KB

MD5
d194576b899af45b1d2a448612ec21e5

SHA1
492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

SHA256
a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

SHA512
b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

Download Submit