mrblack | b9d1294e0dbaf0a397f18b28a09ade1e16e934d979fc0f0cabddb37fc25f219a

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-09-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
Size

1.2MB
MD5

edd3f0a68945ff1f8dd6df454d837e2b
SHA1

2b1f756d1f5b1723df6872d5727bf55f94c7aba9
SHA256

b9d1294e0dbaf0a397f18b28a09ade1e16e934d979fc0f0cabddb37fc25f219a
SHA512

f7d234d9494272e003cb986c30b2a96184a73c1f4c969738ddd635e1cc25d30b8ce39e6a465a9e23eeba82285f163f76eb68045780a646a3ae2112d074846bb6
SSDEEP

24576:e845rlHu6gVJKG75oFpA0VWfX4G2y1q2rJp0:745wRVJKGtSA0VWfoVu9p0

Score

10^/10

mrblack antivm botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

File and Directory Permissions Modification 1 TTPs 6 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1570	sh
1571	chmod
1580	sh
1581	chmod
1590	sh
1591	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1539	getty
/etc/.ssh	1563	.ssh

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/DbSecuritySpt	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for modification	/etc/init.d/selinux	getty

Reads system routing table 1 TTPs 2 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for reading	/proc/net/route	getty

Write file to user bin folder 9 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty.lock	getty
File opened for modification	/usr/bin/dpkgd/ss	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/conf.n	getty
File opened for modification	/usr/bin/bsd-port/getty.lock	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/ps	cp
File opened for modification	/bin/ss	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	getty
File opened for reading	/proc/cpuinfo	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118

Reads system network configuration 1 TTPs 6 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	getty
File opened for reading	/proc/net/arp	getty
File opened for reading	/proc/net/dev	getty
File opened for reading	/proc/net/dev	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for reading	/proc/net/route	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for reading	/proc/net/arp	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118

Reads runtime system information 25 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	getty
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	getty

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/conf.n	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for modification	/tmp/gates.lod	.ssh
File opened for modification	/tmp/moni.lod	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for modification	/tmp/bill.lock	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for modification	/tmp/gates.lod	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for modification	/tmp/notify.file	edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
File opened for modification	/tmp/moni.lod	.ssh
File opened for modification	/tmp/notify.file	.ssh

/tmp/edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
/tmp/edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1516
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1521
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1522
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1523
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1524
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1525
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1526
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1527
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1528
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1529
- - /bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1530
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1531
- - /bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1532
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1533
- - /bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1534
- /bin/sh
  sh -c "cp -f /tmp/edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118 /usr/bin/bsd-port/getty"
  2⤵
  PID:1535
- - /bin/cp
    cp -f /tmp/edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1536
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1538
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Reads system routing table
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1539
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1547
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1548
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1549
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1550
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1551
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1552
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1553
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1554
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1555
    - - /bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1556
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1557
    - - /bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1558
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1559
    - - /bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1560
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1564
    - - /bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1565
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1566
    - - /bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1567
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
      4⤵
      PID:1568
    - - /bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1569
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1570
    - - /bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1571
  - - /bin/sh
      sh -c "cp -f /bin/ss /usr/bin/dpkgd/ss"
      4⤵
      PID:1572
    - - /bin/cp
        
        cp -f /bin/ss /usr/bin/dpkgd/ss
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1573
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1574
    - - /bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1575
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1576
    - - /bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1577
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/ss"
      4⤵
      PID:1578
    - - /bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/ss
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1579
  - - /bin/sh
      sh -c "chmod 0755 /bin/ss"
      4⤵
      File and Directory Permissions Modification
      PID:1580
    - - /bin/chmod
        
        chmod 0755 /bin/ss
        5⤵
        File and Directory Permissions Modification
        
        PID:1581
  - - /bin/sh
      sh -c "cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1582
    - - /bin/cp
        
        cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1583
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1584
    - - /bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1585
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1586
    - - /bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1587
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
      4⤵
      PID:1588
    - - /bin/cp
        
        cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1589
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1590
    - - /bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1591
  - - /bin/sh
      sh -c "insmod /usr/bin/bsd-port/xpacket.ko"
      4⤵
      PID:1594
    - - /sbin/insmod
        
        insmod /usr/bin/bsd-port/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1595
- /bin/sh
  sh -c "mkdir -p /etc"
  2⤵
  PID:1541
- - /bin/mkdir
    mkdir -p /etc
    3⤵
    - Reads runtime system information
    PID:1542
- /bin/sh
  sh -c "mkdir -p /etc"
  2⤵
  PID:1543
- - /bin/mkdir
    mkdir -p /etc
    3⤵
    - Reads runtime system information
    PID:1544
- /bin/sh
  sh -c "cp -f /tmp/edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118 /etc/.ssh"
  2⤵
  PID:1545
- - /bin/cp
    cp -f /tmp/edd3f0a68945ff1f8dd6df454d837e2b_JaffaCakes118 /etc/.ssh
    3⤵
    - Reads runtime system information
    PID:1546
- /bin/sh
  sh -c /etc/.ssh
  2⤵
  PID:1562
- - /etc/.ssh
    /etc/.ssh
    3⤵
    - Executes dropped EXE
    - Writes file to tmp directory
    PID:1563
- /bin/sh
  sh -c "insmod /tmp/xpacket.ko"
  2⤵
  PID:1601
- - /sbin/insmod
    insmod /tmp/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1602

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
0ec2812fe620bbfb5d21d05ae3fb539a

SHA1
3252f75d4870e47e4ba0c02eea1295c164a2165c

SHA256
3db68631c52cb79be326585b6a0cafd872cb4422c5c7ca3502891e4e5f9aa1f9

SHA512
df71877c47a43b212f8ea587b636b94267395d6a2dadd606f9d39c76dc64e742342bcec70573bec2c9a9b0e245f58bf2a92628a4f3812372e0d65033abdfe801

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
81c8727c62e800be708dbf37c4695dff

SHA1
42e12cb7198394beb558db2dc1f1a862366e1045

SHA256
4091f2c5c45d0cb95c6b43919f9f07f62f7f6c6fb46ca207264b2aee4ee6e4f9

SHA512
a6bb8360a59413364b955cde894976b6f7401d2b07296bf964d224eef87032ac500dccc76b01c445d8e85692d555ae28d672929376e32fe9cf80bb721b9d1632

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
d72fbbccd9fe64c3a14f85d225a046f4

SHA1
348e495881ef4526fe8e38dba4ceaa49b829b8b2

SHA256
8cca04ee02b8915f60a6b72c1faf19923aa12aafb5af89bc4bfd403dc60a836b

SHA512
02107aa7dc8942af948b790560f406445e172eff5c838b73d0eb8d86e3021ff4bcbb310a5f3290b3ff6e46170cd36e2df76fc373b47e3b8e9f219c6f6e22d85f

Download Submit
/tmp/notify.file

Filesize
51B

MD5
8f36cd8795829e11ec62ec3a4c2c16da

SHA1
63a5053e61ae8942c2ec89d99dca558c6bcece91

SHA256
e66d3aafb018deb321622cbb2fb7eb6f052ef242a5c1e7f7b9ee934a26ff31b6

SHA512
27f85324bc39c7f441a2001d291b63ced45494b80eaeb6286e51bc12ec6855d88947b209d3b0c273fb78be6a0d2c99c88e0bc151f21dca8f2319b58b43696e11

Download Submit
/usr/bin/bsd-port/conf.n

Filesize
73B

MD5
ecc1f3084a7e8b360f1ddb823df74325

SHA1
e8d7a4cefab4a96fb4647b75f623a3824ba3f024

SHA256
d4f0a1c39b9078aadeec884a519eea6d461db663d355556de527101bf48871f9

SHA512
4c1934dc5543975e57b1df1d9e39e4c5ffba775209be30bc66aad80b2231cce8f620c9e22192ea44fc610eabef248929cd3675de0391b68081630e6d750b6d60

Download Submit
/usr/bin/bsd-port/getty

Filesize
1.2MB

MD5
edd3f0a68945ff1f8dd6df454d837e2b

SHA1
2b1f756d1f5b1723df6872d5727bf55f94c7aba9

SHA256
b9d1294e0dbaf0a397f18b28a09ade1e16e934d979fc0f0cabddb37fc25f219a

SHA512
f7d234d9494272e003cb986c30b2a96184a73c1f4c969738ddd635e1cc25d30b8ce39e6a465a9e23eeba82285f163f76eb68045780a646a3ae2112d074846bb6

Download Submit
/usr/bin/dpkgd/lsof

Filesize
159KB

MD5
e093dc78225e2a0a25e3b137c1c1e442

SHA1
c29497cfaae729eb576875e4fdfa400640ab16be

SHA256
1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e

SHA512
fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0

Download Submit
/usr/bin/dpkgd/ps

Filesize
130KB

MD5
558edc26f8a38fa9788220b9af8a73e7

SHA1
3024d44e580e9c67f32f6c585d50e2a6cc9a7cac

SHA256
b76435c80333d2c1fd18e0e7682f1c9dfb5da8d507e93e3c416f54b481c428d5

SHA512
edaa425b441044f015e8f68fffa1664e42372d00dd0e7b0924d24ce947aa8e5f96b3bdc326fa2f8b978e3fcf638a1ceca45a223735db73f1607df66990feb56f

Download Submit
/usr/bin/dpkgd/ss

Filesize
136KB

MD5
1dc929b5f2cd12fe6a2fe71140d2a9e3

SHA1
f9995a92bb201b1b7738a39a38570ef0c40b52d2

SHA256
418aae1da62554afe9f260866267af328fd761b3fd6f90f0ea53d543e2fefc38

SHA512
fbed011c595084548db440dfbe485b7d27032a44a6ae9e141fe43f31c8c524ff9347135ab035deb441fca99e5a3794f7bb9194f148aa2f60f1547a7c67d47373

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads